This is the first official confirmation that the government will lay down the process and manner in which its agencies will be exempted from provisions of the Act.
“Detailed safeguards for personal data protection will be incorporated in subordinate legislation within the framework of this Act,” Vaishnaw said, when asked whether there will be additional safeguards in subsequent rules for the way the government’s agencies will deal with and handle personal data while being exempted from the Act.
Under the Digital Personal Data Protection Act, 2023, the government has been granted wide-ranging exemptions when processing citizens’ personal data on grounds of ‘national security’, ‘friendly relations with other states’, and ‘public order’, among other things. The provision has drawn significant criticism from Opposition members and privacy activists.
At least 25 rules have to be formulated to operationalise the Act, and the government has also been empowered to enact rules for any provision that it deems fit. Vaishnaw said while a large part of the language in the provision that grants exemptions to the government on account of national security has been borrowed from the provision in the Constitution which imposes reasonable restrictions on the freedom of speech and expression, some grounds for restrictions have not been added to the data protection Act.
“Exemptions for national security in Data Protection Act, 2023 are in alignment with reasonable restrictions on freedom of speech and expression in the Constitution of India. The restrictions provided in the Constitution of India also include decency or morality, defamation, and contempt of court. These restrictions have not been included in the data protection Act. All entities will have to take reasonable security safeguards to prevent personal data breach,” he said.
According to Section 17 (2) (a) of the data protection law, “The provisions of this Act shall not apply in respect of the processing of personal data — by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these…”
In an interaction with this paper earlier in August, Vaishnaw had defended the exemptions, saying that the law has adequate safeguards for citizens, and that the “fear against the government’s power” comes from citizens’ experience with previous governments.
He had also said that India’s law has fewer government-related exemptions than the European Union’s General Data Protection Regulation (GDPR), which is widely held to be the most stringent privacy law anywhere in the world. “If we look at other laws around the world, the GDPR has about 16 exemptions for the government. The exemptions for government in our law are the same as provided by our Constitution,” he had said.
The law requires companies to gather personal data of users through a consent-based mechanism, even as it allows some relaxations to that end for certain “legitimate uses”. The penalty for not being able to take enough safeguards for preventing a data breach could go as high as Rs 250 crore.
The law also has a censorship provision, as it empowers the Central government to block any platform that has violated its provisions on at least two different instances. This has also been a major criticism of the law as it is being seen as an extension of the online censorship powers the Centre already enjoys under Section 69 (A) of the Information Technology Act, 2000.
The data protection Act also allows significant concessions to small businesses and start-ups from some key provisions, including exempting them from the requirement to maintain the accuracy of a user’s personal data that is to be used to make a decision that affects the user.