After negotiations spanning nearly five years, involving the government, technology companies, and civil society representatives, the Centre presented the Digital Personal Data Protection Bill, 2023, to Parliament on August 3.
This legislation outlines the protocols governing the collection and utilization of information and personal data of India’s citizens, both by corporations and the government itself. The bill aims to ensure the responsible and secure handling of personal data while upholding the rights of individuals.
Data Protection Law: Key Points To Remember
- Personal data is any information linked to a specific person.
- Both businesses and government agencies use this data to provide services.
- This data helps to understand people’s preferences, thus aiding in personalisation, advertising, and making recommendations.
- Law enforcement can also benefit from the processing of personal data.
- However, unrestricted processing can violate privacy, a fundamental right, leading to issues like financial damage, reputation loss, and profiling.
- India currently lacks a dedicated data protection law.
- The Information Technology (IT) Act, 2000 governs the use of personal data in India.
- In 2017, the Indian government created a Data Protection Expert Committee, led by Justice B. N. Srikrishna, to explore data protection issues.
- The Committee presented its report in July 2018.
- Following the Committee’s advice, the Personal Data Protection Bill, 2019 was tabled in the Lok Sabha in December 2019.
- The Bill was then referred to a Joint Parliamentary Committee, which presented its report in December 2021.
- However, the Bill was withdrawn from Parliament in August 2022.
- In November 2022, a Draft Bill was released for public feedback.
- Finally, the Digital Personal Data Protection Bill, 2023 was presented in Parliament in August 2023.
Digital Personal Data Protection Bill, 2023: Key Features
Key Features of the Data Protection Bill, 2023 are:
- The Data Protection Bill, 2023, outlines specific rights for data principals and obligations for data fiduciaries. However, these do not apply in certain situations, such as preventing and investigating offences or enforcing legal rights or claims.
- The government can exempt some activities from the Bill’s application. These might include government processes related to state security or public order, as well as tasks for research, archiving, or statistical purposes.
- The Bill calls for the establishment of the Data Protection Board of India by the central government. The Board’s main tasks are to monitor compliance, impose penalties, instruct data fiduciaries on necessary measures during data breaches, and address grievances by affected individuals.
- Members of the Board will hold their positions for two years but can be reappointed. The government will determine the Board’s size and selection process. Any appeals against the Board’s decisions will be taken up with the TDSAT.
- The Bill’s schedule specifies penalties for violations, like a Rs 200 crore penalty for failing to fulfill obligations towards children and a Rs 250 crore penalty for neglecting to implement security measures to prevent data breaches. The Board will impose these penalties after conducting an inquiry.
Understanding Key Issues Of Digital Personal Data Protection Bill, 2023
Exemptions to the State may have adverse implications for privacy
- The Bill provides several exemptions for the processing of personal data by the State.
- The State, as per Article 12 of the Constitution, encompasses the Central Government, State Governments, local bodies, and authorities and companies established by the Government.
- These exemptions might potentially lead to privacy concerns.
- The proposed Bill raises concerns about potential unrestricted data processing by the State, potentially infringing upon the right to privacy.
- The proposed bill exempts data fiduciaries from the obligations of necessity, purpose limitation, and storage limitation for the interception of communication on grounds such as national security. This exemption raises concerns about the proportionality of the bill.
- The Bill does not mandate government agencies to delete personal data once the processing purpose has been fulfilled.
- The Srikrishna Committee recommended that obligations other than fair and reasonable processing and security safeguards should not apply when processing data on grounds such as national security and prevention and prosecution of offences. However, the implementation of obligations such as storage limitation and purpose specification is still undetermined due to the lack of a separate law for it in India.
- The data protection law in the United Kingdom, enacted in 2018, provides similar exemptions for national security and defense. However, it differs from the proposed Indian bill because the UK law regulates actions such as bulk processing of personal datasets by government agencies under the Investigatory Powers Act, 2016. This regulation ensures the establishment of necessity and proportionality, restricts data retention beyond the warrant period, and provides for parliamentary oversight, which are not included in the Indian bill.
Whether overriding consent for purposes such as benefit, subsidy, license, and certificates is appropriate
- The proposed bill permits the State to process personal data for the provision of various services without obtaining individual consent. These services include benefit, services, license, permits, or certificates.
- The bill authorizes the use of personal data acquired for one purpose to be used for another, removing the principle of purpose limitation.
- The principle of purpose limitation, a crucial privacy protection measure, stipulates that data should only be used for the purpose it was initially collected for.
- The potential issue arising from this is the State’s ability to profile citizens by combining data collected for various services.
- Conversely, requiring consent would allow individuals to retain autonomy and control over their personal data collection and sharing.
The Bill does not regulate harm arising from processing of personal data
- The bill does not account for potential harm resulting from personal data processing.
- The Srikrishna Committee (2018) had emphasised the need for such harm regulation in data protection law.
- Types of harm could encompass financial losses, identity theft, reputational damage, discrimination, and unwarranted surveillance.
- The Personal Data Protection Bill, 2019 had acknowledged these types of harm and mandated preventive measures from data fiduciaries.
- The Joint Parliamentary Committee endorsed retaining these provisions, aligning with the European Union’s GDPR, which also stipulates harm regulation and compensation.
Absence of Data Portability and Right to be Forgotten in the Bill
- The current Bill does not include the right to data portability and the right to be forgotten.
- The 2018 Draft Bill and the 2019 Bill, previously introduced in Parliament, offered these rights.
- The Joint Parliamentary Committee suggested keeping these rights in the 2019 Bill.
- The General Data Protection Regulation (GDPR) also includes these rights.
- The Srikrishna Committee (2018) highlighted the importance of these rights in a robust data protection law.
- The rights of data portability and to be forgotten endorse individual autonomy, transparency, and accountability, empowering individuals to manage their data.
Concerns Over Cross-Border Data Transfer Provisions in the Bill
- The Bill allows the central government to limit personal data transfer to specific nations via notification, suggesting an unregulated transfer to all other nations.
- The objective of regulating international data transfer is to protect the privacy of Indian citizens. There could be heightened vulnerability to data breaches or unauthorised data sharing with foreign governments and private entities if the receiving country lacks robust data protection laws.
- The 2019 Bill stated that for certain types of data, transfer should only be permitted to countries providing an adequate protection level. This indicates a requirement for a case-by-case evaluation of each country’s standards before data transfer.
- The 2022 Draft Bill took a different approach, permitting the central government to notify countries where any personal data can be transferred. This still implies a need for individual country assessment.
- The selective restriction mechanism doesn’t necessitate such a rigorous evaluation, raising questions about its effectiveness in adequately protecting data during cross-border transfer.
Potential Impact of Shorter Term on the Independence of the Board
- The proposed Bill stipulates a two-year appointment term for members of the Data Protection Board of India, which is intended to function independently.
- Members are eligible for re-appointment after their term expires, a factor that could influence the Board’s independent functioning.
- The Board’s key responsibilities include monitoring compliance, conducting investigations, and determining penalties.
- The Supreme Court observed in 2019 that shorter terms, coupled with the potential for re-appointment, can increase the Executive’s influence and control, particularly in tribunal cases.
- Comparatively, regulatory authorities with adjudicatory roles, such as the Central Electricity Regulatory Commission and the Competition Commission of India, have five-year terms under their respective Acts.
- The Telecom Regulatory Authority of India (TRAI) has a three-year appointment term, while the Securities and Exchange Board of India (SEBI) has a five-year term, as specified through Rules.
Variations in Child Definition Across Different Jurisdictions
- The Bill defines a ‘child’ as an individual under 18 years of age.
- In the USA and UK, individuals over 13 years can consent to the processing of personal data.
- The General Data Protection Regulation (GDPR) of the European Union sets the age at 16, but member countries can reduce it to 13.
- The Srikrishna Committee (2018) suggested considering the following factors for determining the age of consent for children: (i) a minimum age of 13 and a maximum age of 18; (ii) a single threshold for ensuring practical implementation.
- The committee noted that 18 years might be excessive for a child’s full autonomous development.
- However, to align with the existing legal framework, the age of consent should be 18.
- Under the Indian Contract Act, 1872, the minimum age to sign a contract is 18.
Other Concerns
- The Bill mandates data fiduciaries to acquire verifiable consent from a child’s guardian before processing their personal data.
- Confirming the age of users is required to differentiate children from adults and obtain guardian consent.
- The Bill aims to prevent any data processing activities that may harm a child’s well-being, but lacks clarity on what constitutes harm.
- The central government can grant certain data fiduciaries, including startups, exemptions from some obligations like notifying users about data collection and processing.
- Even when excused from providing prior notice, data fiduciaries must still obtain free and informed consent from users. This could spark debates over whether informed consent is possible without proper notice.
What Is The Right To Data Portability?
- The right to data portability empowers data principals or users to retrieve and transfer their data from one data fiduciary (an entity that processes data) to another.
- This right ensures that the data is provided in a structured, commonly used, and machine-readable format, making it convenient for the user.
- It bolsters the control of data principals over their own data and can potentially ease the migration of data between different fiduciaries.
- However, concerns have been raised about the potential exposure of trade secrets of the data fiduciary while executing this right.
- The Srikrishna Committee in 2018 suggested that as long as trade secrets are not disclosed, this right should be guaranteed.
- The Joint Parliamentary Committee held the view that trade secrets should not be a reason to deny data portability, and the only valid ground for denial should be technical feasibility.
Right To Be Forgotten
- The ‘right to be forgotten’ is a concept which allows individuals to limit the exposure of their personal information online.
- Recognising the infinite nature of the digital world, the right to be forgotten seeks to apply restrictions similar to the natural limits of human memory.
- The Srikrishna Committee (2018) acknowledged the importance of this right, but also flagged the need for balance with other rights and interests.
- When implementing the right to be forgotten, there might be conflicts with other rights, such as freedom of speech, expression, and the right to access information.
- The Committee suggested the application of this right should consider factors like the sensitivity of the personal data, its relevance to the public, and the public role of the person whose data it is.