What the draft data bill entails
Many outstanding issues, such as localisation and data breach, are addressed in the draft, but some clauses may prove problematic
The Union government, on Friday, proposed a new version of the data privacy law, which has been at least four years in the making. Uploaded for public consultations, the Digital Personal Data Protection Bill, 2022, is expected to be introduced in the winter session of Parliament. The proposed legislation is a successor to the Personal Data Protection Bill of 2019, which ran into rough weather when it was introduced in Parliament and was sent to a Joint Parliamentary Committee before being scrapped earlier this year after Members of Parliament (MPs) suggested varying changes and approaches. That version was criticised for giving large carve-outs to the State, being difficult for the industry to comply with, and being inadequate in building in some protections laid down by the Supreme Court (SC) in its right to privacy judgment in 2017. But it laid down some important fundamentals for how personal data should be handled.
The new draft also lays down some much-needed fundamentals for how personal data should be handled: Such information can only be processed after specific, informed and unambiguous consent. Individuals and entities whose data is stored will also have the right to withdraw that consent, request details of what data of theirs is in use and seek to be forgotten. A crucial guardrail is in how the data of children will be processed: their information can only be accessed after parents’ approval, and under no circumstances can their data include identifiers or their behaviour. If a company does not have reasonable standards to prevent data breaches, it could attract a fine of up to ₹250 crore, the draft bill says. But in what will be a cause for relief for industry, there are fewer limits on how information can flow outside India’s borders, an approach that will make things easier for Indian technology services exporters and those that use cloud services.
Behind these provisions are core principles that govern personal data: They must be collected and processed lawfully, transparently and for the purpose for which consent was sought; only that which is needed must be collected and data cannot be stored indefinitely; and the data collector will be accountable for any breaches. These principles build in protections that do not yet exist. The draft’s provisions also address worry over data localisation, which industry saw as posing a particular threat to innovation and its ability to expand.
But the draft is still likely to be controversial, especially for how it deals with a concept called deemed consent, which gives the government broad powers to access personal data in the interest of a loosely defined purpose, public interest, and for the section on exemptions, which hands the government the power to exempt any department in the future from the guardrails of the law. What could also be controversial is the structure and functions of the new data protection board that will act as an arbiter for complaints: by design, this board will be headed by, and comprise, members appointed solely by the government. Its independence, in cases where the litigant is the government, will be under the scanner. Only time will tell how these issues stand the test of parliamentary debate and constitutional principles as interpreted by the SC. But, for now, any movement on a privacy law is welcome.