Protecting data, a national agenda
Stakeholders hoped the finalised bill contains these two provisions as non-inclusion would compel petitioners to argue for their inclusion.
In April this year, the Centre had informed the Supreme Court that the Digital Personal Data Protection (DPDP) Bill that was finalised after a wide-ranging public consultation process will be tabled in Parliament during the monsoon session this month. Recently, the Union Cabinet had cleared the Bill, which outlines practices for entities regarding how personal data should be stored and processed to ensure that there are no breaches. The right to data portability and the right to be forgotten, which were part of the 2019 data protection bill and were recommended for inclusion in the new bill, were not there in the draft Digital Personal Data Protection Bill, 2022. Stakeholders hoped the finalised bill contains these two provisions as non-inclusion would compel petitioners to argue for their inclusion.
The draft bill has also introduced a Data Protection Board to adjudicate non-compliance of provisions of the proposed legislation, which will apply to processing of digital personal data collected online and offline within India. As per the draft legislation, personal data (such as mobile numbers or Aadhaar details) can be processed with an individual’s consent only for lawful purposes. In case, complaints are lodged regarding the violation of provisions relating to personal data, the board can impose a maximum of Rs 150 cr as penalty for non-fulfilment of obligations for children, and Rs 250 cr for failure to take security measures to prevent data breaches.
The Bill is inspired by the EU law — the General Data Protection Regulation, and highlights 23 instances when acquiring consent for recording date is not possible. These include the golden hour during an accident, or natural disasters. It is critical to understand if the DPDP Bill acknowledges the need to safeguard an individual’s personal data even as it tackles the requirement for processing personal data for legitimate objectives. As per constitutional scholars, the new Bill provides individuals with the option of revoking their consent if they do not desire that their data be processed. They are also entitled to rectify, correct or delete their data.
Minister of State for Electronics and IT, Rajeev Chandrasekhar, had remarked that the government’s access to personal data under the proposed data protection law will be limited to exceptional circumstances including national security, pandemic, and natural disasters, which will ensure that the privacy of citizens is not infringed upon. Think tanks have questioned aspects of state surveillance touched upon by the Bill, which confers authority upon the Centre to grant exemptions to government agencies from certain or all provisions, with the objective of safeguarding state security and upholding public order.
This means a government agency is authorised to gather data about an individual on the basis of national security, with the aim to build a well-rounded profile aimed at surveillance. India’s mass surveillance initiatives include the Crime and Criminal Tracking Network and Systems (CCTNS), the Central Monitoring System (CMS), or the National Intelligence Grid (NatGrid). According to those in the know, these systems have not been covered under the ambit of the Bill, which raises doubts on the law’s efficacy.
RTI activists have also highlighted a certain amendment to the RTI Act, 2005 in the DPDP Bill. This prohibits government departments from sharing “personal information”, which means these departments could refuse to divulge data that could hold public officeholders accountable. Most developed nations took upwards of a decade to legislate data privacy and protection. One hopes that the Bill keeps in mind the notion of ‘citizen first’, before anything else.