Concerns have been raised regarding potential violations of the fundamental right to privacy due to the exemptions granted in the Digital Personal Data Protection Bill, 2023, for data processing by the state.
On Monday, the Lok Sabha approved the Digital Personal Data Protection Bill, 2023, despite opposition from leaders of the opposition.
The objective of the bill is to regulate digital personal data by balancing individuals’ right to safeguard their data with the lawful processing of such data for relevant purposes.
The bill’s text states, “A Bill to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected or incidental thereto.”
On August 3, the Union Minister for Electronics and Information Technology, Ashwini Vaishnaw, introduced the bill, amidst reports that it had been categorized as a money bill. The Minister made it clear that it was a standard bill.
This clarification came after Congress politician and former Union minister Manish Tewari expressed opposition to the bill’s introduction as a money bill.
The bill applies to the processing of digital personal data in India, both online and offline, including the processing of Indian products or services outside of India.
Consent is required for the lawful processing of personal data, with exceptions such as voluntary sharing and state-related processing.
Data stewards will be responsible for maintaining data accuracy, ensuring data security, and deleting data once its purpose is fulfilled.
The bill grants individuals certain rights, including the right to access information, request data correction and erasure, and seek redress for grievances.
Under specific conditions, the Central government may exempt government agencies from complying with the bill’s provisions, particularly for reasons related to state security, public order, and crime prevention.
To ensure compliance with the bill’s provisions, the Central government will establish the Data Protection Board of India, which will adjudicate violations.
There are concerns about potential violations of the fundamental right to privacy due to state-granted exemptions for data processing, especially concerning national security. These exemptions might lead to the collection, processing, and storage of more data than necessary.
Additionally, it has been observed that the bill does not address the risks of harm resulting from the processing of personal data.
Moreover, the bill permits the transmission of personal information outside of India, except to countries notified by the Central government. However, this mechanism might not ensure a comprehensive assessment of data protection standards in countries where personal data transfer is allowed.
Members of the Data Protection Board of India will be appointed for a two-year term with the possibility of reappointment, raising concerns about the board’s independence due to the relatively brief tenure.
Notably, this bill is the first law in India to use she/her pronouns when referring to all genders.
The “Interpretation” provision of the proposed legislation clarifies that the pronouns “her” and “she” refer to an individual regardless of gender.
