Ashwini Vaishnaw, the IT minister of India, resubmitted an updated data privacy bill in the lower house of the Indian parliament on Thursday, months after introducing its last draft and the abrupt withdrawal of a previous proposal last year following pushback from tech giants, even as many members protested the new bill, alleging it violated the right to privacy.
Titled the Digital Personal Data Protection Bill, the legislative act seeks to provide substantial decision-making powers to the Prime Minister Narendra Modi-led government. These powers include the ability to waive certain data fiduciaries, including startups, from compliance if the need arises. They can also permit the handling of children’s data, given that the fiduciary can demonstrate adequate protective measures.
The government further holds the authority to designate countries to which the transfer of users’ personal data is prohibited. This provision modifies the earlier draft of the bill, which suggested allowing data transfers to “notified countries and territories.”
Additionally, the legislation provides legal protection for the central government, the data protection board and its members, including the chairperson, shielding them from legal actions.
The legislation dictates that the central government is responsible for establishing the data protection board. The government will also appoint the members and chairperson of the board, each serving for an initial term of two years. The bill outlines that a member of the data protection board can only resign through written notice submitted to the government. This resignation comes into effect either three months after submission, upon receiving government approval or once a new successor is appointed or the existing term expires.
The legislation allows individuals to bring their data protection issues to the board if they do not receive an adequate response from the data fiduciary within the stipulated seven-day period. It is also a requirement under the bill for the public to provide only genuine personal information and not to impersonate others. Non-compliance with the duties set out in the bill may result in penalties for individuals, with fines reaching up to $121 (10,000 Indian rupees). For a data fiduciary that breaches the law, penalties could be as severe as $30 million (250 crores Indian rupees).
Decisions of the data protection board can be appealed to the Telecom Disputes Settlement and Appellate Tribunal for review within 60 days, the bill says.
Companies that collect user data must obtain explicit consent from users, per the bill. The requests for consent should be communicated in simple language. Consumers can also withdraw their consent later. Further, the bill contains a provision for establishing a grievance redressal mechanism through consent managers that can help users give, manage, review and withdraw their consent.
However, the bill includes “certain legitimate uses” as an exemption from the requirement of taking user consent. This is an update to the “deemed consent” provision available in the last version of the bill’s draft. It allows platforms to collect personal user data when it is voluntarily provided, such as when accessing public services. The government may also access personal data from platforms in this provision to provide subsidies or to perform functions required by law.
Kamesh Shekar, a program manager at The Dialogue, a public policy think tank in New Delhi, told TechCrunch while the move away from deemed consent is positive, it’s important to establish grounds of necessity and ensure the existence of legitimate interest. A test of balance between the data controller’s interests and the fundamental rights of the data principal must be included in the rules prescribed by the central government, he added. Furthermore, the rules related to the provision of consent managers should align with the regulations for consent managers in other industries to prevent exploitation of loopholes in the system, he said.
In a public video address released after the bill was tabled in the parliament, Rajeev Chandrasekhar, an IT minister in the government, called the move a “very significant milestone in the evolution of the global standard cyber law framework.” The minister said the bill makes it mandatory for companies collecting and using personal data to comply with the law and should not ask for “extraneous information” irrelevant to the service or product the user receives. The bill also includes the principles of data minimization, data protection and accountability, accurate data storing, and mandatory reporting of breaches.
The South Asian nation began looking at data protection back in 2017. Two years later, the Indian parliament received the first personal data protection bill in 2019. However, it was withdrawn last year after drawing scrutiny and criticism from privacy advocates and tech companies, including Amazon, Google and Meta over providing exemptions to government departments and limiting the scope of protecting user data.
“For many, many years, it has been known, and it is not any secret that many platforms and many companies or many data fiduciaries have been collecting personal data of individual citizens. It’s not just in India but all around the world, and they have been exploiting that personal data for their own business models, algorithms and many other ways,” said Chandrasekhar. “Narendra Modiji government swung into action to create a framework of legislation that will protect the citizens’ rights, create an environment where the innovation ecosystem and startups can continue to operate with guardrails that move on in that type of framework.”
Although the data privacy bill needs to be approved by parliament’s upper house and the Indian president to become a law, it has seen some criticism from the opposition political parties. One of their concerns is granting “excessive” powers to the central government. Public policy experts have also criticized the government for failing to disclose the responses from the public consultation regarding the draft of the data protection bill.
Shashi Tharoor, a leader of the main opposition Congress party, argued that the bill had been changed several times and should be sent to the standing parliamentary committee for a comprehensive review.
Digital rights advocacy group Internet Freedom Foundation said the data protection bill does not live up to important principles such as the Justice KS Puttaswamy ruling, which established that informational privacy is a crucial aspect of the right to privacy. The group said the bill further widens exemptions granted to government instrumentalities that may lead to increased state surveillance and misses clear provisions on essential issues “which have been left to future executive-rule-making.” The legislative move will also significantly weaken the Right to Information Act, 2005, it added.
“The DPDPB (Digital Personal Data Protection Bill), 2023 reiterates the shortcomings of the DPDPB, 2022 and fails to inculcate several of the meaningful recommendations that had been made during the consultation process, which were subsequently made public by the relevant stakeholders. We strongly urge the Union government to address the numerous recurring problems with successive iterations that have been raised by civil society stakeholders. In its present form, the DPDPB, 2023 does not sufficiently safeguard the Right to Privacy and must not be enacted,” the group said.
Comment