Digital Personal Data Protection (DPDP) Bill 2023 | Representative image | Photo courtesy: The Probe
The government recently listed the Digital Personal Data Protection (DPDP) Bill 2023 for passage, which will be presented before the Lok Sabha. Previously, the Union Cabinet had approved the draft data protection Bill. This marks the government's second attempt at passing a privacy Bill in Parliament, following the Supreme Court's declaration of privacy as a fundamental right six years ago. The DPDP Bill will serve as India's primary data protection framework if passed.
Dr Pawan Duggal, Supreme Court advocate and cybersecurity expert, speaks to The Probe’s Rageshree Sengupta
The Watered-Down Data Protection Bill
“India has a chequered history as far as data protection is concerned. India doesn’t have a dedicated law on data protection. We do not have a dedicated law on privacy, nor do we have a dedicated law on cybersecurity. So, given this unique policy vacuum, India becomes a fertile ground for targeting data, individuals and their digital activities in the digital ecosystem. This is why the government decided to bring about a dedicated framework on data protection,” narrates Dr Pawan Duggal, Supreme Court advocate and cybersecurity expert.
Dr Duggal explains, “The government set up a committee under the chairmanship of a retired judge of the Supreme Court. The committee gave its report in 2018, but along with that report, they also gave a proposed template for the personal data protection Bill. The government examined both the report and the draft Bill and said that many things must be added. The government made a lot of changes and then tabled the personal data protection Bill 2019 in Parliament in December 2019. That’s when there was a chorus in the Parliament that this is a very complicated Bill and, therefore, must go to the Joint Parliamentary Committee (JPC). The JPC examined the Bill for almost two years and came up with a report in December 2021. It actually suggested about 90-plus amendments. The government accepted some recommendations and came out with the Digital Personal Data Protection Bill 2022 for public comments. The draft Digital Personal Data Protection Bill of 2022 was a much narrower and more restricted version of the 2018 Bill and a far narrower version of the 2019 Bill. The cabinet has approved the Bill now, and it will be presented before the Parliament. Since the government has the numbers, they can get this Bill passed in the upcoming session”.
Data Protection vs Data Processing
The Digital Personal Data Protection Bill (DPDPB) of 2022 faced criticism for failing to address data protection concerns effectively. Instead, it was perceived to establish a framework that primarily facilitated data processing activities for both state and private actors. Critics argue that the Bill did not offer sufficient safeguards to protect individuals' personal data from misuse, unauthorised access, or exploitation. Some argued that the Bill granted excessive powers to state and private entities, potentially compromising individuals' privacy rights and allowing for the potential misuse of data for surveillance or commercial purposes.
Data Protection Board Not Independent
The Data Protection Board outlined in the DPDP Bill 2022 has faced significant criticisms, primarily focusing on its perceived lack of independence and transparency. Stakeholders and experts have raised concerns about the level of control exerted by the government over the board, potentially compromising its autonomy and efficacy.
Concerns have also been raised about the effectiveness of oversight and accountability measures to ensure the board acts in the best interest of data protection and privacy. Critics argue that the current provisions do not establish robust mechanisms to hold the board accountable for its actions, potentially undermining public trust in its operations.
“The Data Protection Board, as envisaged under the Bill, is not as independent because the union government has been empowered to appoint the Chairperson and decide on how the board will be appointed. This defeats the entire purpose of a board,” asserts Jain.
The Problem of Deemed Consent
According to the proposed Data Protection Bill, sharing an individual’s personal data for a specific government program may be interpreted as implied consent for the use of that data in assessing eligibility for other schemes. This provision implies that by agreeing to share personal data for a particular government benefit program, individuals are considered to have given deemed consent for the utilisation of their data in determining eligibility for various other schemes.
Like Anand, Jain notes that the deemed consent clause, which allows for non-consensual data processing in certain situations, can be hugely problematic for the user and breach the citizens’ privacy. “We need to see in the final Bill what is the status of the deemed consent clause. That apart, the notice requirements under the Bill are not as comprehensive as they should be. The Bill allows for a lot of wide exemptions to be put in place both for the government and private sector, which basically allows them to be exempt from the provisions of the Bill. The Bill does not talk about surveillance, nor does it put in place any safeguards against the surveillance being carried out by the government in India. There are many issues with the Bill’s last draft”.
Provisions on Paper vs Implementation
Dr Duggal emphasises the need for the new Bill to align with India’s existing IT laws. Although the government has introduced significantly higher penalties, there remains a question regarding their effective implementation.
The data protection Bill has also been blamed for not addressing the issue of compensation while it extensively talks about penalties. Ritesh Bhatia, a cybercrime investigator and data privacy consultant, says, “As users are the primary stakeholders, in the event of a data breach, it is crucial to ascertain the compensation affected users will receive”.
Under Section 43 of the Information Technology (IT) Act, 2000, entities that fail to protect sensitive personal data and information from unauthorised access or disclosure may be held liable for compensation. Dr Karnika Seth, a lawyer and cyber law expert, raises concerns about certain areas of the DPDP Bill 2023 that require careful examination. Specifically, she points out that while Section 43 of the IT Act provides remedies for individuals in case of a data breach, this appears to be lacking in the data protection Bill.