The Digital Personal Data Protection Bill, 2023 was passed in the Lok Sabha by a voice vote on August 7, 2023. Union Minister Ashwini Vaishnaw addressed previous concerns raised by Opposition MPs on August 3 regarding various government exemptions mentioned in the Bill.
On government exemptions: Vaishnaw said in Hindi, “If there is a natural disaster somewhere, should attention be given to data consent form or the protection of citizens? Or, if the police are trying to catch a criminal, do we look at a form or carry out the procedure? Europe’s GDPR [General Data Protection Regulation] has 16 exemptions whereas India’s data protection Bill only has four exemptions.”
He also claimed that the Bill satisfies the three principles mentioned in the Puttaswamy judgment, as well as the seven principles of data protection, namely: legality, purpose limitation, data minimization, data accuracy, storage limitation, reasonable safeguards, and accountability.
MPs in the Lok Sabha raised around 14 concerns regarding the Bill, of which the Minister addressed around six concerns. The worries and suggestions raised were as follows:
- Clarifications on harms required in the Bill: While supporting the Bill, YSRCP MP Sri Krishna Devrayalu Lavu asked for clarification on certain “ambiguities in the Bill.” He was asked to conclude in two minutes.
He talked about the need for the definition of “harms,” “storage” and “disabled persons” under Chapter 1 Clause 2. “Unless we define harm, we cannot define the consequences. Unless we can define the consequences, we can’t do the compensation. So I request the minister to clarify on that,” he said.
Vaishnaw’s response: Referring to the definition of “loss” in the Bill, the Minister said that compensations can be figured out.
- Concerns about voter profiling: The Bill allows the State to process personal data of individuals without their consent for purposes like providing benefits. Lavu said this will allow governments to profile data of voters as per their needs.
- No clarity on methodology: Speaking on the methodology for collection and processing of data, Lavu made the following observations:
  - “[The Bill] doesn’t define methodology compliance of data that has been erased.
  - It doesn’t require data fiduciaries to maintain record of data breaches.
  - It doesn’t specify a transition period for the Bill’s enactment.
  - It doesn’t talk about data breach through hardware.”
- Blocking of information: The RTI amendment in the Bill prohibits the disclosure of personal information.
“As a result, cases like that of Pratibha Patil, former President, and her utilization of resources which were previously revealed through RTA would no longer be possible,” he said.
- Lower age of consent for children: Lavu continued, “A child is defined as an individual who has not completed the age of 18 but we are giving permission for a person who is above 14 to actually work. When we give that, why can’t we do this? We are actually allowing person[s] to go and watch a movie with the certificates of UG/PG. So, I need a clarification on this.”
Vaishnaw’s response: Regarding children’s age, he said the Bill provides that the graded manner in which children of different ages can access apps will be specified.
- How to get parental consent? Lavu asked how entities like government departments and private companies are expected to get the required parental consent for children considering the digital divide in India.
“With respect to… consent for data fiduciaries for children below 18, they must be verifiable parental consent. Everyone in the house knows 40 percent of the population in this country doesn’t know how to move a file from one folder to another. That is the situation. How do you expect this [parents giving permission to various entities for their children] to be happening?”
Vaishnaw’s response: The Minister suggested the relevant entities use existing digital public infrastructure like Digi Locker for parental consent.
- Right to data portability and right to be forgotten not in the Bill: Lavu pointed out that the Bill does not outline rights like data portability or the right to be forgotten under individual rights.
“If someone has participated in some political rally 20 years back, his photos have been in the media. If he goes for an interview after 20 years, the photos are still in the media. It hampers his growth,” said Lavu.
Shiv Sena MP Shrikant Shinde also asked the Minister to clarify the reason for removing the right to be forgotten in the 2023 version of the Bill.
- Bill allows for surveillance of citizens: Opposing the Bill, AIMIM MP Syed Jaleel said the data protection Bill does not bring about the surveillance reform that is urgently needed but allows a “good framework for surveillance of citizens.”
- Bill to adversely impact freedom of press: BJD MP Sarmistha Sethi said “certain provisions of the Bill associates [sic] the balance in favor of nondisclosure of information, including the information sought by the journalists in public interest, thereby reducing accountability. The proposed amendment to the RTI [Right to Information] Act therefore seeks to exempt all personal information. It does away with the exceptions observed within the section based on which personal information could have been disclosed. The proposed blanket exemption is problematic since it doesn’t limit the exemption from disclosure to any sensitive personal information.”
Stating that the government is the biggest data repository, she said that the law should not give wide statutory power. TDP MP Jayadev Galla too asked the government to revisit the RTI amendment.
Vaishnaw’s response: The Minister said the amendment will “harmonise” the RTI Act and the DPDP law.
- Bill allows for censorship: Jaleel also said that the Bill allows the Union government to censor content.
“[This] means, if somebody is writing good about you, you will not censor. If somebody is writing or showing against you, then that [entity] will be censored… I strongly oppose this bill. And I hope the government reconsiders bringing this data protection Bill,” he said.
Vaishnaw’s response: The Minister said the right to erasure is included in the Bill which is “nearly the same” as the right to be forgotten.
- No provisions on data localisation: Shinde asked whether and how the removal of provisions on data localisation can affect data centres in India. “Data localization was a good avenue for job creation and investment. I request the Minister to explain why this provision was removed.”
Vaishnaw’s response: The Minister said a sector is free to make regulations based on sectoral requirements.
- Wide-ranging powers for government: “The bill 2023 empowers the government to draft rules and notification on a vast range of issues. The union government can exempt any government or even private sector entity from the application of provisions of the law by merely issuing a notification potentially resulting in an immense violation of the citizens’ privacy,” said Sethi.
- Bill violates the spirit of federalism: Sethi said that the provisions with respect to the constitution and operation of the Data Protection Board disempower state governments in controlling their own data. She suggested that State Data Protection Boards be created because a single data protection board cannot have the jurisdiction and control over data belonging to state governments.
- No judicial person in the Data Protection Board: BSP MP Ritesh Pandey said that as per the Puttaswamy judgment, the Data Protection Board should have a judicial member in its composition. However, as per the Bill, the members are to be appointed by the government.
Similarly, Galla on the topic of the Board said, “[The Bill] mentions the Chairman and members can be reappointed, but not for how long. And also the government will prescribe how the Board has no function and follow procedures including how to conduct meetings. You are appointing the Board for just two years and allowing for renewal. Is it not too short a term? With the scope of reappointment, will it not affect the independent functioning of the Board? Additionally, the Supreme Court observed in 2019 that short-term appointments along with provision for reappointment increase the affluence and control of the Executive,” he said.
Vaishnaw’s response: Section 28 of the Bill clearly states the Board will be an independent body, said the Minister. Regarding judicial members, Vaishnaw said the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) will be involved in the Data Protection Board.
Note: This copy was updated with YSRCP MP Sri Krishna Devrayalu Lavu’s full name for accuracy at 6:47 PM on August 7, 2023.
