NEW DELHI: The government introduced the Digital Personal Data Protection (DPDP) Bill, 2023, on Thursday to 'safeguard' citizens’ data. This is the third version of the bill, the work on which has been going on since 2017. It was the year when the apex court of the country ruled that privacy is a fundamental right of the people of India, just like any other right in the country. The decision compelled the government to come up with legislation to protect this right.
The bill was first introduced in the Rajya Sabha by telecom minister Ashwini Vaishnaw amid uproar from Opposition members, who were arguing that the bill had many flaws and it gives the government a free pass in case of breaches. Therefore, it should be moved to the parliamentary standing committee.
However, the minister called it a landmark bill, on par with world standards. Meanwhile, activists criticise the bill, complaining that it gives leverage to the government and dilutes the Right to Information Act (RTI). This article will put a spotlight on additional rights citizens have gained, whether the government indeed has more power and the current status of the Right to Information Act and the punishment for data breaches.
What rights do citizens have?
According to the bill, no entities or data fiduciaries can use a person’s data without their consent. If the data fiduciary needs to process data from people, it has to inform the reason and time for holding the data. Companies including Google, Amazon and telecom providers, banks, or insurance companies can’t share data with another company without consent.
The bill mandates a person to ask these entities where they have shared their data. In case the person is not satisfied with the response, they can file a complaint through the grievance redressal facility provided by a data fiduciary or a consent manager. If the issue is not resolved, they can go to the government-appointed Data Protection Board.
However, the bill also mandates certain obligations for the citizens, including providing accurate data to the fiduciary and keeping it updated in case of any changes. Users should not impersonate others while providing their personal data for a specified purpose.
To collect data on kids under 18 years old, companies will need permission from their parents. Simultaneously, the data fiduciary categorically mentioned that the data will not likely cause any detrimental effect on the well-being of a child. They can’t use the data for tracking or behavioural monitoring of children or targeted advertising directed at children.
Duty of data fiduciaries
The bill mandates the entities to process data only after seeking consent from an individual. They will have to show the reason and how long the company wants to retain the data. The entities will have to keep a data protection officer to address the grievances of data principals.
Is government exempted?
Not in all cases, but in a few instances, the government is exempted from certain provisions. For instance, when it comes to matters related to the sovereignty and integrity of India, security of the state, or maintaining public order, the government doesn’t need consent from individuals to process their data. Additionally, the government can retain the data for as long as they want, and individuals can’t request them to erase their personal data. Similarly, private entities are also exempted in certain conditions such as in court or tribunal cases, for law enforcement purposes, or in cases of mergers, amalgamation, or debt recovery.
Establishment of Data Protection Board of India
The bill mandates the establishment of the Data Protection Board of India (DPBI). The board will have a Chairperson and other members appointed by the government. Citizens who are dissatisfied with the grievance redressal mechanism provided by data fiduciaries can appeal to this board. For setting up the board, the government estimates an expenditure of about Rs 25 crore towards initial capital expenditure and Rs 10 crore annually for recurring expenditure. This expense will be incurred out of the Consolidated Fund of India.
Will this make Right to Information Act toothless?
The bill refuses to furnish any personal details that don’t have any state interest. The activists claimed that it will lessen the power of the RTI Act of 2005. According to the Opposition, the bill will stonewall the furnishing of data like assets and liabilities, and education qualifications of corrupt government officials. However, the government denies this inference and said that as long as it is of public interest or state-related, there won’t be any problem furnishing these details.
New provision
There are many changes introduced in the bill from its draft released in November 2022. It includes in case of data breach the entities are liable to pay up to Rs 250 crore in each instance. Earlier, it was Rs 500 in each case of data breach. Also, if any fiduciary does not stop violating the rules after two instances or is penalised twice, the government can ban or block the platform. This is a new provision added to the bill this time. The bill also includes a provision that allows a person aggrieved by an order of the Board to file an appeal before the Telecom Disputes Settlement and Appellate Tribunal (established under Section 14 of the Telecom Regulatory Authority of India Act, 1997) within sixty days from the date of the order.
