Centre tables Digital Personal Data Protection Bill, 2023: What it says and why it’s being criticised
On August 3, 2023, the Centre tabled the Digital Personal Data Protection Bill, 2023, in the Lok Sabha. The Bill aims to provide a framework for the protection of personal data and the privacy of individuals in the digital space. The Bill has been in the making for nearly five years, and has undergone several changes and consultations. However, it has also faced criticism from various stakeholders, including civil society groups, technology companies, and legal experts. In this article, we will look at the key features of the Bill, and the main issues and concerns raised by its critics.
What are the main provisions of the Bill?
The Bill applies to the processing of digital personal data within India, as well as outside India if it is for offering goods or services in India. Personal data is defined as any data about an individual who is identifiable by or in relation to such data. Processing includes collection, storage, use, and sharing of personal data.
The Bill lays down certain principles and obligations for the processing of personal data. These include:
- Consent: Personal data may be processed only for a lawful purpose after obtaining the consent of the individual. A notice must be given before seeking consent, containing details about the personal data to be collected and the purpose of processing. Consent may be withdrawn at any point in time. Consent will not be required for ‘legitimate uses’, such as specified purpose for which data has been provided voluntarily, provision of benefit or service by the government, medical emergency, and employment. For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
- Rights and duties of data principal: An individual whose data is being processed (data principal) will have the right to obtain information about processing, seek correction and erasure of personal data, nominate another person to exercise rights in the event of death or incapacity, and grievance redressal. Data principals will also have certain duties, such as not registering a false or frivolous complaint, and not furnishing any false particulars or impersonating another person in specified cases. Violation of duties will be punishable with a penalty of up to Rs 10,000.
- Obligations of data fiduciary: The entity that determines the purpose and means of processing (data fiduciary) must make reasonable efforts to ensure the accuracy and completeness of data, build reasonable security safeguards to prevent a data breach, inform the Data Protection Board of India and affected persons in the event of a breach, and erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation). In case of government entities, storage limitation and the right of the data principal to erasure will not apply.
- Significant data fiduciaries: Certain data fiduciaries may be designated as significant data fiduciaries based on factors such as volume and sensitivity of personal data processed, risks to the rights of data principals, security of the state, and public order. Significant data fiduciaries will have additional obligations, such as conducting a data protection impact assessment before undertaking any processing involving significant risk, maintaining records of processing activities, appointing a data protection officer, conducting periodic audits by an independent auditor approved by the Board, and implementing a data trust score mechanism to rate their compliance with the provisions of the Bill.
- Data Protection Board: The Bill provides for the establishment of a Data Protection Board consisting of a chairperson and six members appointed by the central government on the recommendation of a selection committee. The Board will have powers and functions such as issuing regulations and codes of practice on various aspects of data protection, specifying categories of significant data fiduciaries and exempting certain categories from consent requirements, monitoring and enforcing compliance with the provisions of the Bill, adjudicating disputes between data principals and data fiduciaries, imposing penalties for violations, and cooperating with other authorities in India or abroad on matters relating to data protection.
- Data Protection Authority: The Bill provides for the establishment of a Data Protection Authority consisting of a director-general and other officers appointed by the central government. The Authority will act as an executive arm of the Board and will perform functions such as receiving and handling complaints from data principals, investigating any contravention or potential contravention of the provisions of the Bill, conducting inquiries and inspections, issuing orders or directions, and taking any other action as may be necessary for ensuring compliance with the provisions of the Bill.
What are some of the criticisms of the Bill?
The Bill has been criticised on various grounds by different stakeholders. Some of these are:
- Lack of independence and accountability: The Bill has been accused of compromising the independence and accountability of the Data Protection Board and the Data Protection Authority by giving the central government excessive control over their appointment, removal, and functioning. For instance, the Bill allows the government to appoint the chairperson and members of the Board, as well as the director-general and officers of the Authority, without any transparent or participatory process. The Bill also empowers the government to remove the chairperson or any member of the Board, or the director-general of the Authority, on vague grounds such as insolvency, infirmity, or misbehaviour. Moreover, the Bill does not provide for any parliamentary oversight or judicial review of the decisions or actions of the Board or the Authority.
- Wide exemptions to the government: The Bill has been criticised for granting wide exemptions to the government and its agencies from the provisions of the Bill. For example, the Bill allows the government to process personal data without consent for any function of Parliament or any state legislature, or for any function authorised by law for a public purpose. The Bill also enables the government to exempt any instrumentality of the state from any or all provisions of the Bill on grounds such as national security, relations with foreign governments, and maintenance of public order. Further, the Bill does not require the government to obtain certification from an independent auditor or implement a data trust score mechanism, unlike other data fiduciaries.
- Lack of data localisation: The Bill has been criticised for diluting the data localisation requirements that were present in the previous draft of the Bill. The previous draft mandated that a copy of all personal data be stored in India, and that certain categories of personal data (such as financial data, health data, and biometric data) be processed only in India. The current Bill does not require a copy of all personal data to be stored in India, and allows certain categories of personal data (such as financial data, health data, and official identifiers) to be transferred outside India subject to certain conditions. These conditions include obtaining explicit consent from the data principal, ensuring adequate level of protection in the recipient country or entity, and entering into a contract or an intra-group scheme approved by the Board. Some critics have argued that this relaxation will undermine India's digital sovereignty and security, while others have welcomed it as a boost for innovation and cross-border trade.
- Lack of clarity and coherence: The Bill has been criticised for being vague and inconsistent on several aspects of data protection. For instance, the Bill does not clearly define key terms such as ‘legitimate uses’, ‘public purpose’, ‘adequate level of protection’, and ‘data trust score’. The Bill also does not specify how consent will be obtained from individuals who are illiterate or have low digital literacy. The Bill also creates confusion by using different terms for similar concepts, such as ‘personal data’, ‘digital personal data’, ‘sensitive personal data’, and ‘critical personal data’. The Bill also leaves many details to be prescribed by regulations or codes of practice issued by the Board, which may create uncertainty and unpredictability for data principals and data fiduciaries.
What are some of the implications and challenges of implementing the Bill?
The Bill has significant implications and challenges for various stakeholders involved in the processing of personal data in India. Some of these are:
- Compliance costs and burden: The Bill imposes various obligations on data fiduciaries, such as obtaining consent, providing notice, ensuring accuracy and completeness, building security safeguards, informing about breaches, erasing personal data, conducting impact assessments, maintaining records, appointing officers, conducting audits, and implementing trust scores. These obligations may entail substantial costs and burden for data fiduciaries, especially small and medium enterprises, start-ups, and non-profit organisations, which may not have adequate resources or expertise to comply with them. Moreover, these obligations may vary depending on whether a data fiduciary is designated as a significant data fiduciary or not, which may create confusion and inconsistency.
- Enforcement capacity and effectiveness: The Bill entrusts the Data Protection Board and the Data Protection Authority with the responsibility of monitoring and enforcing the provisions of the Bill. However, these bodies may face challenges in terms of capacity and effectiveness, given the scale and complexity of the data ecosystem in India. For example, they may not have sufficient manpower, infrastructure, technology, or funds to perform their functions efficiently and effectively. They may also face difficulties in coordinating with other authorities in India or abroad on matters relating to data protection. Further, they may face resistance or interference from powerful actors such as the government or large corporations, which may undermine their credibility and independence.
- Awareness and empowerment: The Bill grants various rights to data principals, such as obtaining information, seeking correction and erasure, nominating representatives, and grievance redressal. However, these rights may not be meaningful unless data principals are aware of them and empowered to exercise them. This may require creating awareness and education campaigns among data principals, especially those who
FAQs
What is the data protection bill of 2023?
The Lok Sabha on Monday passed the Digital Personal Data Protection Bill, 2023 which lays down the obligations of entities handling and processing data as well as the rights of individuals. The bill proposes a maximum penalty of Rs 250 crore and minimum of Rs 50 crore on entities violating the norms.
What is the data protection law in India 2023?
After nearly five years of negotiations involving the government, technology companies and civil society representatives, the Centre tabled the Digital Personal Data Protection Bill, 2023, in Parliament on Thursday (August 3), which lays out procedures on how corporations and the government itself can collect and use ...
Which among the following is one of the reasons for having a personal data protection bill in the country?
The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.