Proposed Data Protection Bill Faces Scrutiny Over Government Control and Powers

The Digital Personal Data Protection (DPDP) Bill 2023 has been a subject of intense scrutiny and debate, as stakeholders and experts voice their concerns about various aspects of the proposed legislation.

By Rageshree Sengupta

Digital Personal Data Protection (DPDP) Bill 2023 | Representative image | Photo courtesy: The Probe

The government recently listed the Digital Personal Data Protection (DPDP) Bill 2023 for passage, which will be presented before the Lok Sabha. Previously, the Union Cabinet had approved the draft data protection Bill. This marks the government's second attempt at passing a privacy Bill in Parliament, following the Supreme Court's declaration of privacy as a fundamental right six years ago. The DPDP Bill will serve as India's primary data protection framework if passed.

Dr Pawan Duggal, Supreme Court advocate and cybersecurity expert, speaks to The Probe’s Rageshree Sengupta

Over the years, the data protection draft Bills have undergone several revisions, incorporating many additions and omissions. However, these changes have been controversial, as certain provisions of the Bill have sparked ongoing debates and concerns. The earlier iteration of the privacy Bill, known as the Personal Data Protection Bill, was withdrawn in August last year by the Union Minister of Electronics and Information Technology. Subsequently, the government released an updated draft of the privacy Bill in November, renaming it the Digital Personal Data Protection Bill. While the final version of the cabinet-approved Bill has not yet been made public, the versions that are already in the public domain have generated more questions than they have provided answers, creating a sense of ambiguity and uncertainty.

The Watered-Down Data Protection Bill 

“India has a chequered history as far as data protection is concerned. India doesn’t have a dedicated law on data protection. We do not have a dedicated law on privacy, nor do we have a dedicated law on cybersecurity. So, given this unique policy vacuum, India becomes a fertile ground for targeting data, individuals and their digital activities in the digital ecosystem. This is why the government decided to bring about a dedicated framework on data protection,” narrates Dr Pawan Duggal, Supreme Court advocate and cybersecurity expert. 

Dr Duggal explains, “The government set up a committee under the chairmanship of a retired judge of the Supreme Court. The committee gave its report in 2018, but along with that report, they also gave a proposed template for the personal data protection Bill. The government examined both the report and the draft Bill and said that many things must be added. The government made a lot of changes and then tabled the personal data protection Bill 2019 in Parliament in December 2019. That’s when there was a chorus in the Parliament that this is a very complicated Bill and, therefore, must go to the Joint Parliamentary Committee (JPC). The JPC examined the Bill for almost two years and came up with a report in December 2021. It actually suggested about 90-plus amendments. The government accepted some recommendations and came out with the Digital Personal Data Protection Bill 2022 for public comments. The draft Digital Personal Data Protection Bill of 2022 was a much narrower and more restricted version of the 2018 Bill and a far narrower version of the 2019 Bill. The cabinet has approved the Bill now, and it will be presented before the Parliament. Since the government has the numbers, they can get this Bill passed in the upcoming session”.

Data Protection vs Data Processing 

The Digital Personal Data Protection Bill (DPDPB) of 2022 faced criticism for failing to address data protection concerns effectively. Instead, it was perceived to establish a framework that primarily facilitated data processing activities for both state and private actors. Critics argue that the Bill did not offer sufficient safeguards to protect individuals' personal data from misuse, unauthorised access, or exploitation. Some argued that the Bill granted excessive powers to state and private entities, potentially compromising individuals' privacy rights and allowing for the potential misuse of data for surveillance or commercial purposes.

Anushka Jain, lawyer and a Policy Counsel at the Internet Freedom Foundation, states, "The last version of the Bill we saw was a concise document with approximately 30 provisions, lacking comprehensive coverage. This Bill has undergone numerous changes throughout the years, expanding and contracting in scope. There are several issues with the latest version. Firstly, the objective of the Bill itself is problematic. In any data protection Bill, the primary objective should be to safeguard the personal data and privacy rights of Indian citizens. However, the Bill seems to prioritise ensuring data processing while balancing privacy rights against the need for data processing. Essentially, the focus appears to be on data processing rather than the fundamental data protection principles. This clearly reflects the government's priorities."

Data Protection Board Not Independent

The Data Protection Board outlined in the DPDP Bill 2022 has faced significant criticisms, primarily focusing on its perceived lack of independence and transparency. Stakeholders and experts have raised concerns about the level of control exerted by the government over the board, potentially compromising its autonomy and efficacy.

“Regarding the Data Protection Board, we need to see if these provisions of the DPDP Bill 2022 find mention in the data protection bill 2023 draft, but while it is supposed to be an independent regulator of the data ecosystem, the last few drafts have invited some objections and criticisms from some stakeholders who said that there is a massive control of the government of the personal data protection board which may lead to a compromise on the efficacy and independence of the board. Also, several questions have been raised on the transparency and accountability of the said data protection board of India,” rues Duggal.

Concerns have also been raised about the effectiveness of oversight and accountability measures to ensure the board acts in the best interest of data protection and privacy. Critics argue that the current provisions do not establish robust mechanisms to hold the board accountable for its actions, potentially undermining public trust in its operations.

“The Data Protection Board, as envisaged under the Bill is not as independent because the union government has been empowered to appoint the Chairperson and decide on how the board will be appointed. This defeats the entire purpose of a board,” asserts Jain. 

The Problem of Deemed Consent

According to the proposed Data Protection Bill, sharing an individual’s personal data for a specific government program may be interpreted as implied consent for the use of that data in assessing eligibility for other schemes. This provision implies that by agreeing to share personal data for a particular government benefit program, individuals are considered to have given deemed consent for the utilisation of their data in determining eligibility for various other schemes.

“As we speak, nothing is clear as the cabinet-approved Bill is still not in the public domain, but we know the contentious provisions. There are many problematic provisions in the draft Bills that have been discussed so far. The government has an overriding power to collect and process, and use data. The government has introduced the concept of deemed consent. Some of the provisions are very broad, which says that consent would have been deemed to have been taken if it is believed that it is fair and reasonable to collect and process that data. This kind of gives carte blanche to the business or the government to escape any kind of liability without taking the user’s consent. Here is what one must remember in the data protection Bill: the biggest stakeholder is the user, not the government. So, how can the user’s rights be infringed by using a Bill such as this which is being primarily introduced to protect citizens’ data?” asks Nishchal Anand, founding partner of Panda Law and an intellectual property and technology law attorney practising in New Delhi.

Like Anand, Jain notes that the deemed consent clause, which allows for non-consensual data processing in certain situations, can be hugely problematic for the user and breach the citizens’ privacy. “We need to see in the final Bill what is the status of the deemed consent clause. That apart, the notice requirements under the Bill are not as comprehensive as they should be. The Bill allows for a lot of wide exemptions to be put in place both for the government and private sector, which basically allows them to be exempt from the provisions of the Bill. The Bill does not talk about surveillance, nor does it put in place any safeguards against the surveillance being carried out by the government in India. There are many issues with the Bill’s last draft”.

Provisions on Paper vs Implementation

Dr Duggal emphasises the need for the new Bill to align with India’s existing IT laws. Although the government has introduced significantly higher penalties, there remains a question regarding their effective implementation.

“It is crucial to ensure that there is no conflict between India's data protection bill 2023 and the country's mother legislation, the Information Technology Act of 2000. The regulation of the entire personal data ecosystem should prioritise effective remedies and access for citizens. The mere provision of theoretical remedies would not be sufficient. According to public information, the new Bill is expected to impose fines ranging from 250 to 500 crore rupees, which are seemingly the highest penalties specified in India. However, it is essential that these provisions are not merely on paper, but effectively implemented to achieve the desired impact,” emphasises Duggal.

The data protection Bill has also been blamed for not addressing the issue of compensation while it extensively talks about penalties. Ritesh Bhatia, a cybercrime investigator and data privacy consultant, says, “As users are the primary stakeholders, in the event of a data breach, it is crucial to ascertain the compensation affected users will receive”.

Under Section 43 of the Information Technology (IT) Act, 2000, entities that fail to protect sensitive personal data and information from unauthorised access or disclosure may be held liable for compensation. Dr Karnika Seth, a lawyer and cyber law expert, raises concerns about certain areas of the DPDP Bill 2023 that require careful examination. Specifically, she points out that while Section 43 of the IT Act provides remedies for individuals in case of a data breach, this appears to be lacking in the data protection Bill. 
