Ad: India’s Data Protection Bill is here, and your business needs to adapt. K&S Digiprotect, with its team of data protection experts, offers compliance services tailored to help you adapt to the new regulations, safeguard your data and build trust with your customers. Contact us now!
The Digital Personal Data Protection (DPDP) Bill, 2023, introduced in the parliament on August 3, 2023, gives the government broad powers to exempt any of its agencies from all provisions of the Bill.
In other words, any exempted agency of the government can collect and process the personal data of citizens without following any of the safeguards prescribed in the DPDP Bill, such as getting consent, securing data from breaches, maintaining accurate and complete data, etc., and for any purpose they want. Previously, experts speaking at MediaNama events have pointed out how such broad exemptions can be misused for surveillance and put the interests of the State ahead of the right to privacy of individuals.
“If you completely exempt certain agencies, then you’re allowing them to do whatever they want. So there is no review. There’s no safeguard in place to stop them from doing it [Pegasus-like surveillance]. And it is also allowing for essentially the creation of 360-degree profiles,” Anushka Jain, Policy Counsel at Internet Freedom Foundation (IFF), remarked last year on the 2022 version of the Bill.
Unsurprisingly, the Bill was introduced amidst a barrage of criticism from opposition Members of the Parliament, who opposed the Bill for the excessive powers and exemptions it grants the government.
Powers of the government in DPDP Bill, 2023
1. Power to exempt notified agencies from all provisions: According to Section 17(2)(a) of the Bill, the Central Government can issue a notification exempting any “instrumentality of the State” from the provisions of this Bill in the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order; or preventing incitement to any cognizable offence relating to any of the above.
Since what constitutes “an instrumentality of state” is not defined in the law, based on court precedence, it could mean anybody that performs state or government functions or falls under the control of the government, including public sector companies, law enforcement agencies, etc., experts explained to MediaNama last year.
“These are just broad words. What is the sovereignty of the nation? Now, every babu will say I need to access your data in the interest of sovereignty of the nation.” — Justice BN Srikrishna, who drafted the 2018 version of the Bill, told The Economic Times last November, in reaction to the 2022 version of the Bill.
2. Exemption from processing data shared by exempted agencies: The Central Government is also exempted from processing any personal data that an exempted instrumentality may furnish to it. For instance, if the Ministry of Defence is an exempted agency and shares some data collected by it with the Central Government, the processing of this data does not have to adhere to the provisions of the Bill. This exemption can be far-reaching because the “Central Government” officially consists of anyone in the (executive, the legislature, and the judiciary.
3. Exemption to certain provisions for law enforcement purposes: As per Section 17(1)(c), personal data that is processed (by any entity, not just the government), “in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India” are exempt from the following provisions of the Bill:
- All Chapter 2 provisions (obligations of Data Fiduciaries) except sub-section 1 and 5 (provision related to securing data) of section 8
- All Chapter 3 provisions (rights and duties of Data Principals)
- Section 16 (transfer of personal data outside India)
Read the Bill Summary here.
4. Power to retain data for an unlimited period of time: Additionally, according to Section 17(4), the government and its instrumentalities can retain personal data for an unlimited period of time regardless of whether the purpose for which data was collected has been served or not and users don’t have the right to request erasure of their personal data collected by the government or its instrumentalities.
“Every time I drive my car, go through FastTag, now I’ve completed my journey, why should my data be retained? I walk through an airport, now GMR is a private entity, they would be recording and keeping my video recordings for ages,” an attendee at a MediaNama event remarked last year.
5. The government does not have to allow for correction or updating of data: The government also doesn’t have to allow for correction, completion or updating of personal data by a Data Principal if the processing is for a purpose that does not include making a decision that affects the Data Principal.
6. Power to demand information from companies: Under Section 36, the Central Government can, for the purposes of this Act, require the Board and any Data Fiduciary to furnish such information as the government may call for. It’s not clear what information the government can gather under this section and if there’s any purpose limitation.
“Are we now in a situation where private parties are collecting data, which the government can call upon whenever they want without any restrictions, through their agencies? There is no limitation to what they can ask a private party to give to them. Also goes back to what’s happening with NATGRID. NATGRID has been in the works for about 12 years now. The idea was initially to connect 21 public and private databases to a real-time dashboard. Phase II was about 900 plus public and private databases with real-time information on a dashboard. Phase III was about 1600 public and private databases, which included everything from airlines to banks to OTAs to credit card companies. So is there any limitation, any restriction on the government asking a FinTech company or an email service provider saying, hey, I want all the data.” — MediaNama’s Nikhil Pahwa asked last November.
7. Power of Central Government to make rules: The Central Government has the power to issue notifications to make rules to carry out the purposes of this Digital Personal Data Protection Act. Rules can be issued for all parts of the Act that have a provision saying, “as may be prescribed.”
8. Power of the Central Government to block access to content on advice from the Board: In case of repeated imposition of penalties against an entity or in the “interests of the general public”, the Data Protection Board of India can advise the Central Government to block access “to any information generated, transmitted, received, stored or hosted, in any computer resource” that enables such entity to carry out its business in India. The Central Government, after giving the entity an opportunity to be heard and for reasons recorded in writing, can order any agency of the Central Government or any intermediary to block access to such information belonging to that entity under section 36 of the Act
Article continues below ⬇, you might also want to read:
- Views: IT Ministers’ defence of govt exemptions in data protection law misses the point
- Fifteen major concerns with India’s Data Protection Bill, 2023
- Deep Dive: How The Data Protection Bill Enables Govt Surveillance And Misuse Of Personal Data
- Data Protection Bill 2022 Focuses On Enabling Govt Access To Data And Surveillance, Not Citizens’ Privacy #NAMA
How have the government exemptions evolved over time?
The exemptions to the government in the 2023 iteration are largely similar to the 2022 and 2019 versions of the Data Protection Bill, both of which offered lesser protection from the government than the 2018 and 2020 versions, which had some safeguards in place at least.
What the 2018 Bill said:
- Exempted government from the Bill for security reasons only if necessary and if there is an explicit law: The 2018 Bill allowed the government and law enforcement agencies to process personal data in the interests of the security of the State only if it was “authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.” Additionally, this was allowed only if the data belongs to a person who is “a victim, witness, or any person with information about the relevant offence or contravention” and if compliance with the Bill would “be prejudicial to the prevention, detection, investigation or prosecution of any offence or other contravention of law.”
- Can process personal data to carry out welfare and other functions of the State: The Bill allowed the government to process personal data without consent for “any function of Parliament or any State Legislature” and for any function authorised by the law such as to provide welfare services and benefits and for the “the issuance of any certification, license or permit for any action or activity of the data principal by the State.” Sensitive personal data could also be processed without consent if it’s “strictly necessary” for the same purposes mentioned above.
- Data is subject to purpose limitation: Personal data processed for reasons laid out above should “not be retained once the purpose of prevention, detection, investigation or prosecution of any offence or other contravention of law is complete except where such personal data is necessary for the maintenance of any record or database which constitutes a proportionate measure to prevent, detect or investigate or prosecute any offence or class of offences in future,” the 2018 Bill stated.
What the 2019 Bill said:
- More power to exempt government agencies than 2018 Bill: Clause 35 of the 2019 Bill diluted the 2018 provisions by giving the central government the power to issue an order, after recording reasons in writing, that grants an exemption to any agency of the government from any or all provisions of the Bill if the centre was satisfied that it is “necessary or expedient”:
- in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or
- for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order.”
- Exempted agency subject to certain rules: The order exempting any agency will specify the “procedure, safeguards and oversight mechanism to be followed by the agency.”
What the 2021 Bill said:
- Power to exempt government agencies based on a defined procedure: The 2021 version attempted to re-introduce some safeguards, stating that the central government will have the authority to exempt any agency of the government from the provisions of the act, subject to “just, fair, reasonable and proportionate” procedure. The Committee made this change reasoning that it is concerned about “the possible misuse of the provisions when a situation arises whereby the privacy rights of the individual, as provided under this Act, have to be subsumed for the protection of the larger interests of the State.” The Committee also noted that wants aims to “strike a balance between Article 19 of the Constitution, Puttaswamy judgment and individual rights with respect to privacy.”
What the 2022 Bill said: The government can exempt any instrumentality of the state on grounds similar to the 2019 version, except it doesn’t even have to be “necessary or expedient.”
Note: The section numbers were corrected on August 4 at 10:15 AM.
Note: The headline was changed on August 3 at 5:20 PM for clarity.
STAY ON TOP OF TECH POLICY: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!