Data protection Bill passed in Rajya Sabha: What it says about privacy, Centre’s powers, right to info

This is India’s second attempt at framing a privacy legislation, and comes after at least three previous iterations of a data protection law have been considered, and shelved, by the government.

Concerns around the Bill

According to the Bill, the central government will have the right to exempt “any instrumentality of the state” from adverse consequences citing national security, relations with foreign governments, and maintenance of public order, among other things.

Responding to concerns raised on various accounts, IT Minister Ashwini Vaishnaw said that exemptions to the Centre were needed. “If there is a natural disaster like an earthquake, will the government have time to seek consent for processing their data or have to act quickly to ensure their safety? If the police are conducting an investigation to catch an offender, should their consent be taken,” Vaishnaw asked.

He added that the European Union’s General Data Protection Regulation (GDPR) has 16 exemptions, but India’s Bill has four exemptions.

The Bill also states that if an entity is penalised on more than two instances, the central government– after hearing the entity – can decide to block their platform in the country. This is a new addition to the measure, which was not present in the 2022 draft.

Experts have said that the proposal could add to the pre-existing online censorship regime already administered under Section 69 (A) of the Information Technology Act, 2000. The highest prescribed penalty has been capped at Rs 250 crore for not having enough safeguards against data breaches.

There is also concern that the law could dilute the Right to Information (RTI) Act, as personal data of government functionaries is likely to be protected under it, making it difficult to be shared with an RTI applicant.

On the accusation that the Bill dilutes the Right to Information Act, 2005, he said that in the 2017 right to privacy judgement by the Supreme Court, three principles were laid down. “The harmonisation between RTI and personal data has been done in the BIll,” he said.

The control of the Centre in appointing members of the Data Protection Board – an adjudicatory body that will deal with privacy-related grievances and disputes between two parties – is learnt to have been retained as well. The Chief Executive of the board will be appointed by the central government, which will also determine the terms and conditions of their service.

Vaishnaw said that the decisions taken by the data protection board can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which is led by a judicial member.

The Bill, while laying down consent norms for entities’ collecting personal data of individuals, also allows for a leeway for certain “legitimate uses,” both by the government itself, and private entities.

As per the final version, the Centre can process data of citizens without expressly seeking their consent for national security reasons and to offer other services such as subsidies, benefits, certificates, licence or permit. Private companies have been afforded the privilege to deal with employment-related matters, including corporate espionage.

Relief for industry on some counts

It has also addressed two key long-standing demands of the industry – by allowing relaxations around the age of consent for children, and by significantly easing cross-border data flows, both of which was reported by The Indian Express earlier. One of the key flailings of earlier iterations was that they were seen as too compliance-intensive by the industry, especially smaller businesses. However, with this Bill, the government’s objective has been to balance privacy and innovation.

The Bill gives powers to the central government to prescribe a lower age of consent than 18 years for accessing Internet services without parental consent if the platform they are using can process their data in a “verifiably safe manner”. This would essentially mean a white-listing approach for companies in the edtech sector, and for medical purposes, among other things.

The Centre has proposed to significantly ease cross-border data flows to international jurisdictions – by moving away from a whitelisting approach to a blacklisting mechanism. Earlier, the government had said that it would issue a list of countries where data flows would be allowed. However, the final change means that data flows are allowed by default to all regions unless prohibited by the government – a move that is being seen as a measure to ensure business continuity.

The government could notify entities as “significant data fiduciaries,” after considering factors such as the volume of personal data they possess, the risks they could pose to electoral democracy, and their impact on national security and public order, among other things. Social media platforms like Facebook, YouTube and WhatsApp are likely to be clubbed under this category. These entities are required to appoint a data protection officer for grievance redressal and carry out periodic data protection impact assessments.

The proposed law will apply to processing of digital personal data within India; and to data processing outside the country if it is done for offering goods or services, or for profiling individuals in India.

It requires entities that collect personal data — called data fiduciaries — to maintain the accuracy of data, keep data secure, and delete data once their purpose has been met.