The Union government introduced the Digital Personal Data Protection Bill (DPDP) in the Lok Sabha, sparking intense debates among Opposition leaders who raised concerns about potential violations of the fundamental right to privacy. Tabled by Union Minister Ashwini Vaishnaw, the bill aims to establish a comprehensive framework for governing and safeguarding personal data, with strict penalties for data breaches. However, the bill’s provisions have prompted opposition demands for further scrutiny and discussions in the standing committee, given the withdrawal of a previous data protection bill last year.
The DPDP bill lays out a comprehensive framework, defining the rights and duties of both citizens, referred to as ‘Digital Nagriks,’ and data fiduciaries responsible for using collected data lawfully. The legislation seeks to govern and protect personal data, outlining user rights and business obligations.
Key Principles of DPDP Bill
The bill is rooted in six key principles shaping the data economy. The first principle emphasizes the importance of lawful collection and usage of Indian citizens’ personal data, ensuring protection from breaches and maintaining transparency. The second principle emphasizes that data collection exercises should serve a legal purpose, with data safely stored until that purpose is fulfilled.
The third principle revolves around data minimization, advocating for the collection of only relevant data, serving pre-defined purposes exclusively. The fourth principle focuses on data protection and accountability, while the fifth principle stresses the accuracy of data. Finally, the sixth principle mandates fair, transparent, and equitable reporting of data breaches to the Data Protection Boards.
Scope of DPDP Bill
The DPDP bill proposes data protection legislation permitting the transfer and storage of personal data in select countries while imposing stiff penalties for violations. The legislation emphasizes obtaining consent before collecting personal data and proposes fines of up to ₹500 crore for individuals and companies failing to prevent data breaches, including unauthorized disclosures, sharing, altering, or destroying personal data.
The bill’s applicability and scope pertain to ‘Digital Personal Data,’ excluding non-personal data and non-digital formats. This includes the processing of digital personal data within India and digital personal data outside India linked to profiling or offering goods/services to Indian data principals. However, it exempts non-automated processing, personal data for domestic/personal purposes by individuals, and data about individuals present in records existing for over a century.
Consent and Penalties
Regarding consent, the bill highlights the need for lawful processing based on explicit, informed, and unambiguous consent. A clause on deemed consent allows for situations where explicit consent is not required.
The bill addresses cross-border data flow, permitting data transfers to specific countries and territories while easing data localization requirements. It also addresses data retention, establishing the Digital Protection Board to handle non-compliance and voluntary undertakings. Data fiduciaries are allowed to retain personal data for ‘Business Purposes’ even after its original collection purpose has been fulfilled.
Penalties for personal data breaches include a proposed ₹200 crore fine for failure to report breaches to the Data Protection Board and affected individuals. For inadequate security safeguards, data fiduciaries or processors may face penalties of up to ₹250 crore. In cases of significant non-compliance, the Board may impose penalties not exceeding ₹500 crores, as specified in Schedule 1 of the Bill.
Privacy Concerns
Experts’ opinions on the bill reflect mixed sentiments. Some laud the legislation, anticipating its empowerment of individuals to govern their digital data while ensuring lawful data processing by enterprises. Others recommend readiness to embrace the bill’s provisions, emphasizing data hygiene, governance, and awareness for compliance.
However, the bill has encountered opposition. Opposition leaders have urged further scrutiny in the standing committee to address potential privacy infringements and prevent content censorship. The bill’s advisory powers to block public access to certain computer resources or platforms have raised fears of content censorship and undermining citizens’ access to information, possibly compromising the Right to Information Act.
Experts said the draft retained problematic provisions that give the government too wide a berth in avoiding privacy obligations, allow the state to exempt in the future any entity from the law, and dilute the Right to Information Act. “Current provisions are a complete contradiction to the right to privacy, and it divides privacy obligations into two parts – one applicable to non-government organizations and another without such requirements for the government. The proposed draft also creates excessive centralizations and weakens the RTI law,” said an activist requesting not to be named.
There appears to be total immunity from permission obligations if data is obtained for what the bill defines as ‘legitimate use,’ such as obtaining subsidies, services, certificates, licenses, or permits from any government body. The privacy safeguards will also not apply to data currently held by a central government body.
“The purpose of the data protection law is to protect users from indiscriminate data collection. Unfortunately, the tabled draft did not include the important ‘opt out’ provision as anticipated, which was required to assure such collection limits. The current proposal restricts data use but not collection,” said a civil liberties expert on condition of anonymity.
He further emphasized the lack of compensation for persons who would otherwise face a Rs 10,000 fine for not performing obligations such as giving precise data while applying for any official document.
Regardless of the controversy and diverse viewpoints, the DPDP bill represents an important step toward data protection in India’s digital ecosystem. The law, as it moves through Parliament, tries to strike a careful balance between user rights and encouraging digital company innovation.
With the focus on data privacy, organizations are being pushed to prioritize data protection, limiting the risks of data breaches, and protecting client information. Companies may build an environment of trust, innovation, and success in India’s emerging digital era by embracing the new legal framework.