Published: 12:15 AM, Mon – 21 November 22

The long-awaited draft bill on the protection of digital personal data has left many questions unanswered and many concerns unresolved. The Ministry of Electronics and Information Technology has released a public consultation draft ahead of its submission to Parliament. The key area of concern is that it gives governments broad powers to access personal data for loosely defined public interests. The section on immunity, which gives the government the power to exempt any sector from legal protections in the future, is also problematic. The structure and function of the proposed Data Protection Commission, which would act as an arbiter of complaints, have also raised doubts about the government’s intentions. The draft bill includes “deemed consent” as a ground for processing personal data in addition to express consent. Privacy activists have criticized this because the criteria for what constitutes consent are broad and vague, allowing personal data to be processed without consent for a variety of reasons. The proposed legislation is a successor to the Personal Data Protection Bill 2019, which ran into rough weather when introduced in Parliament and was sent to a joint parliamentary committee before being scrapped earlier this year. Data protection legislation has been in the works since 2017, when the Supreme Court unanimously recognized the right to privacy as a fundamental right under the Constitution. Under the terms of the new bill, the rules the Data Protection Commission and its members must abide by will be largely determined by the central government, raising questions about its independence and effectiveness.
The Act removes restrictions on companies transferring sensitive and critical personal data. Instead, all personal data may be transferred outside India to government-approved countries. But which countries will be approved, and based on what factors, remains unclear. The earlier act included sensitive and critical personal data as a subset of personal data with greater protection. The Act eliminated such classifications. If a company does not have reasonable standards to prevent data breaches, it can be fined up to Rs 250 crore. But to the industry’s relief, there are fewer restrictions on the flow of information outside India, an approach that will make things easier for Indian technology service exporters and those using cloud services. Inherent design flaws in previous bills have led to the creation of two parallel universes: one for the private sector, where the law will be strictly applied, and one for the government, which is riddled with exemptions and exceptions. Industry bodies have understandably raised concerns about several provisions of the bill, such as the inclusion of non-personal data and the treatment of certain social media networks as publishers.
