On August 24th, 2017, the Supreme Court unanimously recognised privacy as a fundamental right guaranteed by the Constitution. Considering that crucial verdict, a lot has been expected from India’s data protection law. The current Digital Personal Data Protection Bill, 2023, set to be introduced in Parliament during the monsoon session, concerns processing of digital personal data within India where such data is collected online, or collected offline and is digitised.
This Bill is crucial to the regulatory architecture being established by the Narendra Modi government to govern the phenomenally expanding digital economy. So, the ultimate piece of data protection legislation must have teeth. Apart from having teeth, it must strike a balance between confidentiality, integrity, availability of data, and sharing of information for legitimate purposes.
Any data protection law that is shorn of these essential aspects, whatever be the reason, would remain only a paper tiger. For, in today’s interconnected world, predators come not just openly in the form of cybercriminals, be it as state actors or non-state actors, but also as deceptively clean marketers of online products and services adept in sharp practices. Both are out to make a fast buck, regardless of the reputation of people and institutions. Hence, the proposed data protection law must effectively strike at the heart of these cyber operations.
As per the working draft of the Bill, data has been categorised into three: critical, sensitive, and general. Sensitive data – financial, health, sexual orientation, biometrics, transgender status, religious and political beliefs, and affiliation – can only be stored in India. It can be processed outside the country only with explicit consent. Critical data will be defined by the Union government from time to time. This too must be stored and processed in India. There will be no restrictions on storing and processing general data.
The original Personal Data Protection Bill was introduced in 2018 and tabled in 2019. Later, it was referred to a Joint Parliamentary Committee. The Committee studied the Bill for two years and presented its report and a modified PDP Bill in December 2021. However, in 2022, the government withdrew the PDP Bill, citing compliance-related reasons.
Subsequently, the Centre released the Digital Personal Data Protection Bill, 2023.
Although some modifications have since been made to the initial draft that was put forth in November 2022, several disturbing aspects of the initially proposed piece of legislation have reportedly been retained. The sweeping exemptions given to the central government and its agencies are a glaring example. As things stand, the government will have the right to exempt “any instrumentality of the state” from adverse consequences citing national security, relations with foreign governments, and maintenance of public order.
Now, it is well-known that the Indian state often plays nanny and gathers vast amounts of personal data. This gives room for misuse of data by those who can play around with the blanket exemptions. The discretion that the Union government is likely to exercise in the appointment of members constituting the data protection board is another area of legitimate concern. For, the chief executive of the board (tasked with ensuring compliance as well as dealing with grievances and disputes) will be appointed by the government.
The current brazen use of the Enforcement Directorate, the Central Bureau of Investigation, and the Income Tax Department by the Modi government for political one-upmanship, scoring brownie points, and unvarnished harassment has left a question mark over the independence and autonomy of the board.
Another crucial aspect of the Bill is the age of consent for data protection. The Bill could empower the Union government to lower the age of consent from 18, for accessing internet products and services without parental oversight. Additionally, certain firms could be exempted from adhering to additional obligations for protecting kids’ privacy if they can process their data in a ‘verifiably safe’ manner.
This change, though in line with data protection regulations in the Western world, marks a significant departure from the 2022 version of the Bill in which the threshold of children’s age was 18 years. The Centre has apparently yielded to the demands of the industry, especially social media companies, averse to setting up new systems for obtaining parental consent for users under 18 years of age.
Big Tech — including Google, Meta, Twitter, Apple, and Microsoft — has sought revision in the definition of a child to mean an individual under the age of 13, instead of 18. From a global standpoint, when it comes to data protection legislation, the definition of children varies from 13 to 16 years of age.
The Bill also seeks amendments to the Right to Information Act. This is rightly being opposed by stakeholders as the proposed modifications could severely restrict the scope of the RTI Act. The National Campaign for Peoples’ Right to Information, in a letter to Members of Parliament, has stated that the Bill seeks to amend the RTI Act by “severely restricting its scope”, and seeks to give “wide discretionary powers” to the Union government both in rulemaking and vis-à-vis the oversight body. The proposed amendment to Section 8(1)(j) of the RTI Act seeks to exempt all personal information.
That is, it does away with the exceptions carved out within the section based on which even personal information could have been disclosed. Currently, to deny personal information, at least one of the following grounds must be proved: information sought has no relationship to any public activity, or information sought has no relationship to any public interest, or information sought would cause an unwarranted invasion of privacy and PIO/appellate authority is satisfied that there is no larger public interest that justifies disclosure.
“The proposed blanket exemption is especially problematic since it does not limit the exemption from disclosure to only sensitive personal information,” the letter adds. In sum, the Centre must keep in mind all aspects of the evolving global scenario in data protection laws before giving final shape to the Bill, notwithstanding the ruling dispensation’s brute majority in Parliament.