Data bill must clarify Exemptions , guardrails
With the Cabinet approving the draft Digital Personal Data Protection Bill, it will likely be tabled in Parliament in the forthcoming monsoon session. The proposed bill, which aims to regulate the collection, storage, and use of personal data by digital players, is much needed amid the rising number of data breaches. Once the draft bill is enacted, it will replace the current law, i.e., the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
An overhaul of the existing law is critical to support India’s digital economy aspirations with appropriate privacy and personal data protection measures in place. Efforts began as early as 2018, and the proposed bill has undergone over four revisions. Still, even six years after the Supreme Court first held privacy as a fundamental right, the legislation is yet to pass. As the draft bill inches one step closer to becoming a law, concerns abound on various aspects, including wide-ranging exemptions to the government, autonomy and neutrality of the data protection board, the reasonability of penalties, and cross-border data flows.
The contentious issue includes the disproportionate influence of the State—comprising Central and state governments, local bodies and authorities—and the numerous exemptions accorded to it for data collection and processing. Policy wonks have reasoned beyond doubt why such exemptions may violate the right to privacy. Yet, the bill does not force the State or digital players to delete personal data after intended usage. Justice B N Srikrishna, who chaired the first committee to draft the bill in 2018, also seemed concerned about the latest draft, citing “too much margin to the government and does little to protect individuals’ fundamental right of data privacy.” While granting access to the State on the grounds of national security is elemental, it is also the lawmakers’ responsibility to put in reasonable efforts to safeguard and prevent data overuse and misuse.
Other troubling aspects include the sweeping powers vested with the data protection board to accept settlement fees from violating entities and determine the penalty amount. The contents of the latest draft bill are kept confidential, but it needs thorough scrutiny to ensure the right balance between data processing and infringement. The protection of privacy as a fundamental right is simply non-negotiable.