The Digital Personal Data Protection Bill 2023 was passed in the Rajya Sabha on August 9, 2023. Although MP John Brittas had brought up two amendments for discussion, these were not moved since Brittas was not present in the House. During clause-by-clause consideration of the Bill, around 46 amendments were put forward by MPs Vinay Vishwam, A D Singh and Brittas. Since none of the MPs were present, none of these amendments were moved.
The Bill was tabled by Union Minister Ashwini Vaishnaw and discussed by MPs Kanakamedala Ravindra Kumar of TDP, Dr Amar Patnaik of BJD, V Vijayasai Reddy and Niranjan Reddy of YSRCP, Dr. M Thambidurai of AIADMK and G K Vasan of TMC(M). Here are the concerns put forward by MPs in the House:
Legitimate use promotes state surveillance: MP Kanakamedala Ravindra Kumar said there is ambiguity on the definition and implementation of “legitimate use” under the Bill. He argued that the Bill only gives nine situations of use and that, in all except the first, the government has “complete power” to process personal data.
“Harms” definition required for reputational injury: While supporting the Bill, MP Dr Amar Patnaik said that there needs to be a separate definition for “harms” in case of injury to reputation or physical harm.
“[The Bill has] definitions [that] outline gain means loss. It basically interprets the entire data breach in financial terms. What happens if there is a reputational loss because of a data breach? What happens if there is a bodily injury? Now, you might say that you can use the criminal procedure code CrPC and sorry, IPC and CrPC to try that person. But it has to be read with this particular Act to make the provision stronger and stringent for such kind of breaches. Because a reputational breach for a woman is much stronger than a man. And a reputational breach might even lead to suicides,” said Patnaik.
Data minimisation missing in the grounds for processing data: Patnaik said that Section 4(2) of the Bill that looks at grounds for processing personal data only considers purpose limitation when “data minimization is at the core of as a preventive measure against data future data breaches.”
Vaishnaw’s response: The Minister said the Bill does include the principle of data minimisation under the consent provisions.
Bill needs federal distinction of powers: Under legitimate uses, processing of personal data requires notification by the central government even in case of providing subsidy, benefit, service, certificate, licence or permit.
“Now, I fail to understand why it is to be notified by the central government. There are state laws, states give benefits, states give the same thing, states give subsidy, benefit service certificate, license, a lot of these things. Everything is given by the state and they are governed by the state laws, state schemes. Why should it be notified by the central government?” he said.
Creation of State Data Protection Boards: Similarly, he asked for State Data Protection Boards rather than a single Data Protection Board of India. He pointed out that one of the criteria for Chairperson of this Board is proficiency in consumer protection whose authorities are available at a district level.
“[Rather than] digital by design, I think privacy by design is more important because even 25 percent of people in rural areas do not have access to a device or internet,” said Patnaik.
Need to narrow down exemptions: Patnaik said that the principles of reasonability, fairness, necessity and proportionality, one of the foundations of the Puttaswamy judgment, need to be incorporated into the exemptions.
“We may have the least number of exemptions, but we need to, while imposing these particular exemptions, it should not be blanket, but as narrow as possible,” he said.
Government exemption must be kept within reasonable restrictions: Patnaik cited Article 19(2) of the Constitution which talks of reasonable restrictions in terms of decency and morality when exempting the government under Section 17(2)(a).
“Decency or morality cannot be done in terms of gain or loss. So this should actually feature somewhere in terms of the breach of data leading to indecency, leading to or immoral activities, leading to reputational loss, leading to bodily injury or anything more,” he said.
Concerns around national security as a legitimate use: “When it comes to the question of national security and maintaining law and order, what is the accountability and responsibility?” asked MP G K Vasan.
Start-ups should ensure completeness and confidentiality of data: Patnaik said start-ups should not be exempt from maintaining the confidentiality, integrity and completeness of data. He reasoned that even if data is incomplete, using generative AI, it can give you “completely different relations and discrimination may continue.”
Vaishnaw’s response: The carve-outs are applicable only in case of compliance. He also argued that the Bill does not specify start-ups but “certain classes of data fiduciaries.”
No definition of personal information: Patnaik said that while the amendment to the Right to Information Act refers to “personal information,” the Bill defines “personal data” and not “personal information.” He asked for clarity on the same.
Similarly, MP Niranjan Reddy said the exemption for start-ups could lead to data mining. This means that a start-up entity will mine data and use it for other purposes.
Sector-specific laws for processing children’s data: Rather than a blanket age-limit of 18 years for processing of children’s data without parental consent, Niranjan Reddy suggested a sector-specific approach. He gave the example that educational institutions may enjoy a lower age cut-off since children’s data is used for education but a gaming sector entity may not require lower age cut-offs.
“The central government sets out the areas where the age can be reduced and the Data Protection Board will grant permission to the data fiduciaries which maintain that safety threshold,” he said.
Consent manager operations need to be fleshed out: Reddy called for more details about the functioning and operations of a consent manager under the Bill.
How will data of other countries be processed? Patnaik asked for clarification on the applicability of the law. Specifically, he asked what happens to the data of people from other countries since in India fundamental rights are enjoyed by “any person” not just citizens in India. He also asked for clarification in case of breach of such data.
Stricter penalties for children’s data breach: Patnaik asked for stricter penalties in case of breach of personal data of children.
