Legal protection

Data Bill concern must be addressed

The Digital Personal Data Protection Bill, 2023, was introduced in the Lok Sabha on Thursday. This is the fourth iteration of the proposed Bill — the first draft was composed way back in 2018. The Bill provides a legislative framework to protect the personal data of “Data Principals” (meaning owners of data) and outlines their rights and duties. The Bill also outlines the rights and duties of “Data Fiduciaries”, which collect personal data; of “Data Processors”, which process data; and of “Consent Managers”, which may act as intermediaries between data principals and fiduciaries. Such legislation was long overdue, given that the privacy of personal data is a fundamental right and also that the policy thrust to digitisation involves using personal data for many purposes. The draft, however, was not released for public perusal, which would have enabled an informed public debate at an earlier stage.

The Bill, nonetheless, simplifies the language of prior drafts, clarifying some ambiguities. It eases an insistence on local data storage while not explicitly mentioning large social-media platforms as data fiduciaries. The Bill asks for data to be collected for specific purposes with informed consent. It allows for correction, updating, or erasure of personal data if the specific purpose for which it was collected has been served, or if the principal withdraws consent. This aims to prevent corporations indiscriminately collecting and storing data, and using those data for undefined purposes. Breaches of personal data must also be notified immediately, or else the fiduciary responsible could be liable to fine. “Significant Data Fiduciaries”, meaning entities which collect volumes of sensitive data beyond a certain threshold, will have to appoint data protection officers based in India to be points of contact. They must also appoint independent auditors to carry out data audits. In theory, these provisions should give comfort to individuals that their personal data will not be misused

The Bill continues to give the central government and its “instrumentalities” the right to collect data for broad, vaguely defined purposes. This can enable surveillance without checks, balances, and oversight, and could erode civil liberty. This remains a cause for concern. According to activists, the Bill as it is framed could also lead to the dilution of the provisions of the Right to Information Act, leading to a lack of transparency in many functions of the government, including, for example, blocking the release of electoral rolls, lists of pension holders, or recipients of rations. Another issue lies in the proposed Data Protection Board (DPB), which would be the main regulatory body. The Bill proposes the Centre appoint all the members and the chairperson. There is concern that it would not be able to fulfil the intended purpose. Ideally such a board should be independent, with statutory powers and with a transparent and even-handed process of member selection. There will also be an appellate tribunal to take up cases where a person is aggrieved by an order or decision of the DPB. This too needs to be independent.

Now that the Bill has been tabled after much delay, it is important that it is properly debated in Parliament and all the issues of civil society are suitably addressed. Given its relevance, the Bill should not be passed without proper debate as has been the case of late.