In terms of its objective, the Digital Personal Data Protection Bill, 2022, tabled in the Lok Sabha on Thursday, is not very different from the last version in November. More details have been provided on certain aspects, especially on the creation of the Data Protection Board (DPB), but the broad thrust of the Bill remains unchanged. As earlier, the government has retained the power to exempt any instrumentality of the state from the provisions of the Bill, citing reasons such as the sovereignty and security of the nation and the maintenance of law and order. The concern is that this could enable mass surveillance.

Again, while the basic concept of a Data Protection Board to ensure compliance with the Bill is sound, the fact is that the terms of appointment and removal of the chief executive and other members are to be prescribed by the government. In an environment where concerns are being voiced over the independence and autonomy of institutions, this raises troubling questions over the board’s degrees of freedom, especially because its responsibility will be advisory in nature. It is also somewhat discomforting that the government has given itself powers to block any intermediary or other firms in case of frequent data breaches and violations of provisions of the Bill, if the DPB recommends this. A rigorous process that gives the indicted firms the opportunity to explain their position is required.

Apart from the government, exemptions will also be given to some start-ups, though these entities will be penalised for data leakages just like other data fiduciaries. The objective seems to be to ease the compliance burden on some data fiduciaries who would be relieved of the obligation relating to usage of the data collected. They may be permitted to collect more than the minimum required data and may even be allowed to use the data for purposes beyond what was initially intended. Also, experts believe, they may not be required to delete the data once the services have been provided. The rationale for these selective exemptions for some start-ups is not exactly clear. We need to have other programmes to help them scale up and innovate. If this is a blanket exemption, it would be difficult to justify.

Individuals have been empowered to withdraw consent given to companies to use data and also have it erased. Experts point out the law does not require companies to inform individuals about a transfer to a third party. This needs to be looked into. Of course, platforms must collect only the bare minimum data needed to carry out the service to users and cannot store this beyond the required duration. The new law will allow data fiduciaries to send data overseas to all countries save those that are on a negative list. While there does not seem to be any harm in this, the countries should meet certain standards of data protection. It is good that there are no criminal provisions because that would have hurt businesses. And it also removes one of the industry’s major bugbears: mandatory data localisation rules that would force them to store “critical” personal data solely in India. Overall, considering the dramatic expansion of the digital economy in the country, bringing in a robust data protection architecture is of critical importance. The Bill will hopefully go through a process of extensive discussion in Parliament so that ambiguities are removed and discretion minimised.