After all the arguments and contradictions of the
opposition, the Digital Personal Data Protection Bill 2023 (DPDP Bill) has been
passed by both the parliamentary houses. However this bill needs the assent of
Draupadi Murmu, the President of India. The Bill aims to protect the privacy
and security of online data of individuals.
This was the second effort of the government towards enacting a data protection law. The bill gives several exemptions and powers to the central government, under which the government will not be bound to follow the rules of data security in matters like national security, international relations, maintaining order and will be able to use personal information of people.
The centre said Personal data of Indian citizens can now be used by entities recognised by law for prevention, detection, or investigation of offences and cyber incidents without the knowledge of the individual whose data is being shared and used.
By comparing it with the data law of the European Union, IT Minister Ashwini Vaishnav said- "The central government needed these exemptions. If there is a natural calamity like an earthquake, will the government seek people's consent for their data or take swift steps to ensure their safety? If the police are investigating to nab a criminal, will their consent be sought?"
However, even after being passed by both the Houses, this bill still remains a subject of criticism not only from the opposition but also among IT professionals, activists and various stakeholders, let's try to understand...
What is Data Protection Bill 2023 and what does it say,
The Digital Personal Data Protection Bill, 2023 is a bill that aims to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to have their personal data protected and the need to process such personal data for lawful purposes.
The provision of the Bill will apply to personal data
collected in digital format, and in a non-digital format, if it is digitised
later.
According to the bill, if a case of violation of data
security by an online platform comes to light, then a maximum fine of Rs 2.5
billion will have to be paid and after being sentenced twice, it can be banned
from India. This would serve to further increase the already existing online
censorship in India, however, this rule was not in the 2022 draft of the bill.
Some exemptions have also been provide in the bill, for example,
The Bill does not impose any specific restrictions
on cross-border exchange of data to facilitate companies doing business in
other countries.
Processing of personal data of people inside India and
processing or profiling of people's data by companies selling goods or services
outside India will also be easier.
According to the bill, parental permission will be
mandatory for children below 18 years of age to use the Internet. However, if
the company verifies children's data in a secure manner, then this age group
can also be reduced.
Through this bill, an attempt has been made to give
exemption to companies related to Edtech, Medicine and some other sectors.
Other than this,
enforcing legal rights
processing by court/tribunal
processing in interest of national security, public
order, friendly relations with foreign states or prevention of offences
processing for research, archiving or statistical
purposes
publication of literary or artistic works, all will be
easier with this bill.
The bill also exempts government authorities, as
notified, on five specified grounds, such as:
sovereignty and integrity of India
security of the state
strategic, scientific or economic interests of the state
prevention, detection, investigation and prosecution of
contraventions of law
cabinet proceedings relating to matters affecting the
security of the state
However, these exemptions have been criticised for
being too broad and vague, and for giving the government too much power over
personal data.
Is the Data Protection Bill, 2023 will really protect personal data or give more powers to the government?
Many experts say that this bill is only gives more powers to the central government and does not have adequate provisions for the data security of the citizens of the country.
Internet Freedom Foundation, a New Delhi-based data
rights advocacy group, said the proposed bill fails to incorporate several
practical suggestions.
At the same time, the Editors Guild of India has raised
apprehensions over the many exemptions and excessive powers given to the
central government in the bill. It is obvious that now the central government
will also have the right to appoint the head of the Data Protection Board. Will
this body be able to settle complaints of privacy and data disputes between two
parties?
The bill empowers the government to exempt any agency
from the provisions of the bill for reasons of national security, public order,
sovereignty and integrity of India. This can lead to arbitrary and excessive surveillance
and data collection by the state without any oversight or accountability.
The bill allows the government to classify any data as
vital personal data and mandate its storage and processing only in India.
This could hamper the cross-border flow of data and impact the innovation and
competitiveness of Indian businesses.
The bill does not provide adequate safeguards for the
consent and rights of the data subjects, especially in cases of processing by
the government or for non-personal purposes. This could undermine the autonomy
and dignity of the individuals and expose them to risks of data breaches,
identity theft, discrimination and manipulation.
Other serious criticisms related to DPB 2023 are:
It fails to differentiate between personal data and
sensitive personal data, which may compromise the level of protection for the
latter.
It gives wide leeway to the state authorities and
agencies, which may undermine the rights and interests of the data principals.
It weakens the Data Protection Authority of India, which is supposed to be the key regulator and enforcer of the law.
It imposes harsh penalties on data fiduciaries and
data principals for minor violations, which can have devastating effects on
innovation and expression.
It is being speculated that this bill may weaken
RTI in the coming times as the data of the government officials will be protected
under the proposed law and it will be difficult to make it available in
response to RTI.
Regarding the bill, DigiPub, which is consortium of The Wire,
Newslaundry, Scroll and other autonomous digital platforms, has also called for
public interest journalism amid the decreasing freedom of journalism in India,
will not to be exempted from the bill. On the other hand, it will allow Public
Information Officers to reject RTI applications citing private information.
While already the RTIs of journalists are being cancelled on small grounds.
To make the news authentic, most of the journalists
have to give personal information of the people. Whereas after the enactment of
DPB, the risk of legal action against journalists and journalism institutions
will increase.
As the world has become dependent on the internet due to Covid-19, more work is done through digital platforms, ranging from online office work, meetings, online sharing of personal data to money transactions.
We are spending most of our time online; due to which the
world is becoming more dependent on internet service providers than ever
before. In such a situation, this bill can promote the theft of personal data
of people.
It is important to note that Data Protection Bill 2023 is the latest version of Personal Data Protection Bill, 2019, which failed to address the concerns raised by advocates, tech companies, civil society groups; While the opposition and various stakeholders called for a strong and balanced data protection regime for India. Because to which the Bill was referred to a Joint Parliamentary Committee, which submitted its report in December 2021. In November 2022, a draft bill was released for public consultation.
0 Comments