On Monday, the Lok Sabha passed the Digital Personal Data Protection Bill 2023 which aims to protect the privacy of Indian citizens. A year after withdrawing a previous bill on data protection, Union Minister of Electronics and Information Technology, Ashwini Vaishnaw, had introduced the bill in the Lok Sabha on August 3. But despite multiple iterations, the recently introduced bill is also facing similar pushback from the Opposition and other stakeholders. The objective of the bill is to protect the right to privacy of citizens, but in doing so, the Opposition alleged a distinction in how the bill's provisions are applied to non-government entities compared to government organizations. However, this is not the only concern over the bill.
What is India’s Digital Personal Data Protection (DPDP) Bill, 2023?
The DPDP Bill, 2023, will be applicable to the processing of digital personal data within India where such data is collected online, or offline and is digitised. It will further be applied to data processing outside the country, related to offering goods or services within India. The bill’s aim is to ensure that personal data is processed only for a lawful purpose with the consent of an individual. However, consent may not be needed for specific data processed by the state and any of its instrumentalities for subsidy, benefit, service, certificate, license or permit as may be prescribed. Individuals to whom the personal data relates will also have the right to correction, completion, updating and erasure of their personal data for the processing of which she has previously given consent.
While these provisions are present in the bill to restrict private entities in how they use data, the exemptions of the state i.e. the central government, state government, local authorities, and authorities and companies set up by the government from these provisions has raised worries about violation of the fundamental right to privacy of individuals. The clause saying “as may be prescribed” in the bill, further gives the government the power to amend certain rules later on to elaborate on the existing provisions.
Nikhil Pahwa, founder and editor of Medianama, a technology policy analysis website based out of New Delhi in a conversation with The Core said, “Many of these changes have been controversial and there doesn't seem to be agreement on what the final construct of the bill should be even now because opposition party members are pushing back against this bill and to be honest, so is a civil society because the objectives of the bill it seems haven't been met and it's more of a dilution So it's difficult for me to call it a data protection bill. It seems more like a data access bill.”
Rajeev Chandrasekhar, Minister of State for Electronics and IT, cited reasons such as terrorism, law and order, and public health emergencies for exemptions but it leaves a wide window for the government to bypass norms without the need to provide explanations.
Raising apprehensions regarding Section 36 and clause 17 of the DPDP Bill, the Editors Guild Of India stated, “This will lead to a chilling effect on journalistic activity in the country.” Section 36 of the data protection bill states that the Central Government has the power to call for information from private and public entities and clause 17 exempts the government from data protection restrictions.
Not only is the government exempted from many provisions of the bill but they can also ask private companies for data on an individual. “If you look at it, every company then becomes a data collector for the government. So it's a privatization of surveillance in a very different way. The Puttaswamy judgment which gave us the fundamental right to privacy actually puts in restrictions regarding necessary proportionate so that any violation of privacy is ring fenced even from a government perspective. But to my mind, this is violative of that fundamental,” Pahwa reiterated.
Children And Consent: Providing Privacy But Not Agency
The bill states that before processing personal data of a child i.e. anyone who is below 18 years of age, verifiable consent of the parent or the lawful guardian will need to be obtained. Pointing out the impracticality of this provision in the bill, Pahwa pointed out, “In making an attempt to protect children, what's happened here with this bill is that every single website, every single app will have to verify the age of every individual using that service and it has to be verifiable consent. So children who are growing up between 13 and 18, they're robbed of agency, they need parental permission to do anything on the internet, to access any website, even a news website.” Given that these are formative years for children, such restrictions could take away their agency to form unbiased and independent opinions and ideologies that are not a reflection of their parents or guardians.
Does The Bill Benefit AI Companies?
According to Pahwa, the bill does not really provide data protection for citizens, but does help some segments like artificial intelligence(AI). “It's great in the sense that AI companies can scrape all publicly available data and use it to build their large language models to build their databases. But from a privacy perspective, it means that any information being made public can be scraped and copied and used by anyone anywhere. And in fact, there have been lawsuits against a facial recognition company, Clearview AI in the United States and it lost those lawsuits because they were scraping social media photographs of people to train their AI and identify people.” He added that while it's good for AI, it's bad for privacy which basically defeats the purpose of the bill.
Opposition Remarks and Other Highlights Of The Bill
The lack of clarity in the bill is reflected in these points made by Pahwa, wherein even the positives of the bill are being marred by several adjoining concerns. Nevertheless, on data localisation, Pahwa believes that the bill has taken the right approach.
He said, “Cross-border data flows, which is that data of Indian citizens can be stored outside of India unless there is a local regulator which mandates data localization. Many Indian companies rely on an open internet, taking one service from a company in Japan, another from Mexico, another from Guatemala wherever, right? So we don't even know where these services originate from, but we use all of these services to build our businesses. Every business uses hundreds of these small services from across the globe. Data localization would have destroyed that and would have actually hurt smaller startups, an opening up mechanism which means that status quo remains, but the government may block data from being stored in certain jurisdictions. For example, China can be one such jurisdiction and that's from a national security perspective and that makes sense.”
Apart from excluding offline personal data and non-automated processing, a notable change regarding the DPDP Bill 2023 includes the omission of section 43A of The Information Technology Act, 2000 which stated, “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.” The bill however, proposes a maximum penalty of Rs 250 crore and minimum of Rs 50 crore on entities violating the specified norms.
Amid strong opposition and demand for scrutiny by a parliamentary committee, the DPDP Bill was passed in Lok Sabha on August 7.
Opposing the DPDP Bill before it was passed in the Lok Sabha, All India Majlis-E-Ittehadul Muslimeen(AIMIM) President Asaduddin Owaisi said that it violates the rights to privacy and right to information, which is a part of freedom of expression & is likely to create a surveillance state. Communist Party of India (Marxist)'s AM Arif further asked to revise the definition of children from those below the age of 18 to those below 15.
Previously, Congress MP Manish Tewari had also raised concerns about the data protection bill being introduced as a money bill, to which, information and technology minister Ashwini Vaishnaw clarified that it would be presented as a general bill, and not money bill.
Other Opposition MPs, including Shashi Tharoor, Supriya Sule, NK Premachandran, Saugata Roy had also voiced their objections to the bill's introduction.