Key Provisions of the Bill

Exemptions for the Centre:
One of the contentious aspects of the Bill is the provision that allows the central government to exempt “any instrumentality of the state” from the adverse consequences of data processing, citing reasons such as national security, foreign relations, and maintenance of public order. IT Minister Ashwini Vaishnaw defended these exemptions, citing scenarios like natural disasters and police investigations where swift action may be required without obtaining consent for data processing.

Comparison with GDPR:
Shri. Vaishnaw pointed out that the European Union’s General Data Protection Regulation (GDPR) contains 16 exemptions, while India’s Bill has only four. However, privacy advocates argue that the Indian legislation grants broader powers to the government.

Penalties and Platform Blocking:
The Bill introduces penalties for entities that violate data protection norms. If an entity is penalized on multiple occasions, the central government, after a hearing, can decide to block its platform in the country. This provision adds a layer of enforcement not present in the 2022 draft.

Online Censorship Concerns:
Experts have raised concerns that the Bill, particularly the exemptions and penalties, could contribute to the existing online censorship regime, particularly under Section 69(A) of the Information Technology Act, 2000.

Impact on the Right to Information Act:
Critics worry that the Bill’s provisions protecting the personal data of government functionaries could potentially undermine the RTI Act by making it difficult to share such information with RTI applicants. Shri. Vaishnaw argued that the Bill harmonises RTI and personal data protection.

Data Protection Board:
The control of the Centre in appointing members of the Data Protection Board, which deals with privacy-related grievances and disputes, has been retained. The Chief Executive of the board will be appointed by the central government, raising questions about its independence.

Leeway for Data Processing:
The Bill allows certain “legitimate uses” of personal data without explicit consent. This includes national security, offering services, and employment-related matters.

Age of Consent:
The Centre can process data of citizens below 18 years without parental consent if the platform ensures data processing in a “verifiably safe manner,” addressing concerns in sectors like ed-tech and healthcare.

Cross-Border Data Flows:
The Bill simplifies cross-border data flows, moving from a whitelist to a blacklist approach, allowing data flows by default to all regions unless prohibited by the government. This aims to ensure business continuity.

Significant Data Fiduciaries:
The government can categorise entities as “significant data fiduciaries” based on factors like data volume, electoral democracy risks, and national security impact. Social media platforms like Facebook, YouTube, and WhatsApp may fall under this category, necessitating the appointment of data protection officers.

Conclusion

The passage of the Digital Personal Data Protection Bill, 2023, in India marks a significant step toward establishing a comprehensive data protection framework. However, the Bill’s provisions have raised concerns about exemptions, online censorship, and potential impacts on the RTI Act. As the Bill awaits the President’s assent to become law, it reflects India’s ongoing efforts to strike a balance between privacy protection and innovation, all while addressing the challenges posed by the digital age.

The implications of this legislation will be closely watched by various stakeholders, including businesses, privacy advocates, and citizens, as India navigates the evolving landscape of digital data protection. Balancing individual privacy rights with national security interests is a complex task, and the effectiveness of the Bill in achieving this balance will be revealed in its implementation.

Minister of State for Electronics and IT Rajeev Chandrasekhar, who has also been a strong advocate of Digital Privacy since 2010 recently said while interacting with students of Delhi University that ‘Citizens have the right to say that I gave you consent to use my data and no I want that data and my digital footprint to be removed from this platform.’

Right to be Forgotten safeguards individuals’ privacy and empowers them to regain control over their personal data. In an era where online information can persist indefinitely, this right enables people to request the removal of outdated or irrelevant data that might no longer be accurate or necessary. This clause also vouches for family members who can opt for the removal of the social media profiles of the deceased people. 

Secondly, the Right to be Forgotten fosters a balance between privacy and freedom of expression. While it allows individuals to request the removal of certain information, it also requires careful consideration of public interest and the right to access information. This concept encourages responsible data handling practices among organizations and platforms, ultimately promoting a more transparent and respectful digital environment where individuals can exercise their rights without stifling free speech.

The DPDP Bill was passed in Parliament in early August, read more about it here.