The Rajya Sabha on Wednesday passed the Digital Personal Data Protection (DPDP) Bill unanimously after some opposition leaders staged a walkout. Even though few opposition leaders present in the house supported the Bill during the debate, they have also made key suggestions such as the government should introduce directions or guidelines that the privacy rights of users as specified by the Supreme Court will remain intact with the implementation of new Bill, need for state-level Data Protection Board, clarity on breaches other than involving financial losses, clarity on personal information exempted under the right to information (RTI) Act, among other things.
On Monday, the Lok Sabha passed the Bill by a voice vote amidst uproar as the debate on the matter lasted just for 20 minutes. The Bill will now be taken up for approval with the President post which it will become a law.
Introducing the Bill in the Rajya Sabha, Union communications and IT minister, Ashwini Vaishnaw said, “The Bill has come into shape after discussions were going on around it for six years. We have given four rights to the citizens’ – Right to access information, Right to correction and erasure, Right to grievance redressal, Right to nominate in case of death.”
Vaishnaw further said that the provisions of the Bill are in no violation to the Supreme Court’s Puttaswamy judgment on Right to Privacy. “All the three principles of Puttaswamy judgment – legality, legitimacy, and proportionality have been well taken care of in the Bill,” Vaishnaw added.
In response to Vaishnaw’s comments on privacy of users, S Niranjan Reddy, member of Rajya representing YSR Congress Party said, “powers granted to the government are sweeping and are prone to be misused in the long term.”
“If the government is saying that Puttaswamy’s judgment will not be violated, we can trust that. But to address some misconceptions around the limitation on privacy rights, the government must issue some directions or guidelines to address those concerns,” Reddy added.
The government has exempted certain agencies, dealing with security matters, law and order from the provisions of the Bill. Similarly, exemptions will be provided if processing of certain data is required in cases of merger and acquisition of companies. Exemptions will also apply in cases of default in payment of loans etc where financial information needs to be processed.
Amar Patnaik, member of Rajya Sabha representing BJD party said, “the Bill does not talk about any kind of non-financial damages to Data Principals. There can be reputation damages, etc, those should also have been addressed.”
According to Patnaik, there are certain clauses that talk about notification from the central government. However, most of the things are handled by States, so why not empower states for dealing with data fiduciaries for certain work suitable for states.
One of the suggestions which Patnaik gave was on the creation of state-level Data Protection Boards.
Some of the other suggestions from the Rajya Sabha members were to increase the penalty to Rs 250 crore for violations related to children’s data, and exemptions to startups and data fiduciaries should be based on the sectors involved, not on individuality.
In reply Vaishnaw said, the bill has been drafted primarily on principles and is not descriptive in nature and since many things are evolving, the government has included all the necessary concepts.
On exemptions related to some data fiduciaries including startups, Vaishnaw said the Bill gives the flexibility to the government to notify a regulatory sandbox based on which the companies will be exempted after analyses.
Rajeev Chandrasekhar, minister of state for IT, said:” DPDP Bill is a Big milestone in our Digital Ecosystem and the 1st Building block of the Global Standard Cyber law framework that PM Narendra Modi ji is building for $1Trillion Digital economy and India Techade. It will lead to a deep behavioural change among platforms and Digital Nagriks on how data is taken, asked for and processed.
He further said the message is loud and clear that there is a new Data Protection regime in town with Indian citizens at the heart of it. Every platform will realise that it is in their interest that they adapt readily to this new expectation of respecting Digital Personal Data of Indian Citizens. “There is an imminent need for Industry to transition from the current framework to this new one. We will give some transition period to Industry. We will work with Industry to ensure that transition is not disruptive but orderly.”