Proposed legislation will be meaningless unless blanket immunity for government agencies is removed
Release date – Saturday, July 23 at 12:30
Even though the Supreme Court declared privacy a fundamental right more than six years ago, India still lacks robust data protection mechanisms. The center has tried to craft a piece of legislation in the past but was forced to withdraw an earlier version of the Digital Personal Data Protection Bill from parliament last year amid strong opposition from privacy activists and tech companies. Now, the revised draft bill has been approved by the union cabinet. Concerns about the overall power of government agencies remain unresolved, however. The earlier draft caused a stir because it exempted entities notified by the Center from the obligation to explain to citizens the purpose of collecting and processing their data. Unless blanket immunity for government agencies is removed, the new legislation will serve no meaningful purpose. The proposed legislation has had many twists and turns. The Center presented the proposal in the Lok Sabha in December 2019 and it was immediately referred to the Parliamentary Joint Committee. It took two years for the panel to deliver its report, which recommended that provisions empowering the center “to exempt government agencies from processing personal data from any or all provisions of the Act” should provide for adequate safeguards against misuse. The bill was eventually withdrawn last August. Data protection legislation has been in the works since 2017, when the Supreme Court unanimously upheld the right to privacy as a fundamental right under the Constitution.
Striking a balance between recognizing the right of individuals to protect their personal data and the need to process the data for legitimate purposes will be a litmus test for the proposed legislation. Once it becomes law, the bill will play a crucial role in India’s trade negotiations with other countries, especially regions such as the European Union, whose General Data Protection Regulation (GDPR) is one of the most detailed privacy laws in the world. The design flaws inherent in the previous bill have led to the creation of two parallel universes: one for the private sector, where the law will be strictly applied, and one for the government, full of exemptions and exceptions. Industry bodies have understandably raised concerns about several provisions of the bill, such as the inclusion of non-personal data and the treatment of certain social media networks as publishers. The structure and function of the proposed Data Protection Commission, which would act as an arbiter of complaints, also raises doubts about the government’s intentions. There are also concerns that the law could weaken the Right to Information Act, as personal data of government officials could be protected under the law, making it difficult to share with right to information applicants.
