The Digital Personal Data Protection Bill, 2023 was passed in the Lok Sabha on Monday, August 7, amid serious concerns raised by several parties, including Congress, Communist Party of India (Marxist), All India Majlis-e-Ittehadul Muslimeen (AIMIM), Bahujan Samaj Party (BSP), YSR Congress Party (YSRCP), Telugu Desam Party (TDP), Shiv Sena, and Biju Janata Dal (BJD). The Bill establishes a legal framework for processing digital personal data while protecting an individual’s right to privacy. It has gone through multiple iterations since 2018 with the Parliamentary Committee on Information Technology, data privacy advocates, and the general public, raising concerns about the amount of power it gives the government, its impact on citizens’ privacy rights, press freedom and other issues.
As it came up for discussion in the Lok Sabha on Monday, YSRCP MP Sri Krishna Devarayalu Lavu said that his party supports the Bill while seeking clarification on a few “ambiguities.” He questioned the age limit of 18 years for the requirement of parental consent for children and wondered why it couldn’t be 14 years instead. He also questioned the absence of proper safeguards of the right to data portability (a person’s right to obtain and reuse their personal data and allow its migration from one entity to another for their own purposes) and the right to be forgotten (the right of an individual to erase or limit access to content related to them online). Arguing for individuals’ right to be forgotten, Krishna Devarayalu mentioned as an example, “If someone’s images from a protest remain in the media for years, it could hamper their growth.”
He also mentioned that the Bill allows states to process data without individuals’ consent for purposes like providing benefits, services, etc. and said, “This will allow state governments to use data to profile voters as per their needs.” He also raised concern that the Bill doesn’t require data fiduciary (any person, company, or the government who stores or processes personal data) to maintain records of data breaches, doesn’t talk about data breaches through hardware applications, and doesn’t specify a transition period for the Bill’s enactment. Krishan Devarayalu also mentioned the Bill’s amendment to Section 8(1) of the Right to Information Act prohibiting the disclosure of all personal information. “As a result, cases like that of former President Pratibha Patil’s [expenditure on foreign trips], which were previously revealed through RTI will no longer be possible,” the YSRCP MP notes.
Shrikant Eknath Shinde of Shiv Sena too, questioned why provisions for the right to data portability and the right to be forgotten were removed from the previous versions of the Bill. He also questioned the relaxation of data localisation norms, saying data localisation was a good avenue for job creation and investment.
BJD MP Sarmistha Sethi spoke about the Bill’s adverse impact on freedom of the press, including the dilution of the Right to Information (RTI) Act. “Section 17(4) allows the government and its instrumentalities to retain personal data for an unlimited period of time,” she noted. She also said that certain provisions of the Bill favoured non-disclosure of information, “including information sought by journalists in public interest, thereby reducing accountability.”
“The Bill empowers the Indian government to exempt any govt or private sector entities from the application of provisions of the law by merely issuing a notification, potentially resulting in an immense violation of citizens’ privacy,” Sarmistha said. She also said that the Bill was against the spirit of federalism as the Data Protection Board would disempower state governments in controlling its own data and asked if states could have their own state data protection boards.
BSP MP Ritesh Pandey questioned the powers granted by the Bill to the Union government to block access to any content. Clause 37(1)(b) of the Bill allows the Union government to censor information without clearly specified grounds. He also noted that the phrase “as may be prescribed” is mentioned 26 times in the Bill, wondering if the relevant laws and rules would be finalised eventually behind closed doors without public scrutiny.
Jayadev Galla of TDP expressed concern that the Data Protection Board was “overly tilted towards the Union government,” as it can be appointed entirely by the Union government. He also questioned the amendment to the RTI Act, saying it “makes government functionaries and the executive remain opaque in their functioning” and raising the possibility of corruption as a result.
AIMIM MP Syed Imtiaz Jaleel said that the exemptions granted from the Bill’s provisions under Sections 17(2) and 17(3) could result in an immense violation of privacy.
Union Minister for Information Technology and Electronics Ashwini Vaishnaw briefly touched upon some of these concerns but did not provide detailed rebuttals.