Opinion Express View on data protection Bill: Personal is private

After months of delay, the Union cabinet on Wednesday, approved the draft data protection Bill, clearing the way for it to be introduced in Parliament in the upcoming monsoon session. This Digital Personal Data Protection Bill forms an integral part of the regulatory architecture that is being ushered in by the ruling dispensation to govern India’s ever expanding digital economy. While more clarity is awaited on the finer points of the Bill, some modifications have been carried out in the version of the legislation that was put forth in November last year, as reported by this newspaper. However, some of the more contentious aspects of that version have reportedly been retained. These require careful examination.

Of particular concern is the sweeping exemptions afforded to the central government and its agencies. As per reports, the government will have the right to exempt “any instrumentality of the state” from adverse consequences citing national security, relations with foreign governments, and maintenance of public order. Considering that the Indian state gathers vast amounts of personal data, there are legitimate concerns that such wide-ranging exemptions could create the space for misuse of data. Equally worrying is the discretion that the government is likely to exercise in the appointment of members to the data protection board. The chief executive of the board — that will be charged with ensuring compliance, dealing with grievances and disputes — will be appointed by the government. In an environment, when concerns are being voiced over the independence and autonomy of institutions, this raises troubling questions over the board’s degrees of freedom. Reports also suggest that a change is being made in the manner in which cross-border data flows will be dealt with. The legislation is likely to have shifted towards a blacklisting framework from a whitelisting approach. This would involve allowing data flows to all jurisdictions, other than those on a negative list, to whom transfers would be curtailed. However, what remains unclear is the manner in which this negative list will be created — for instance, will the choices be influenced by the prevailing geopolitical environment? And while the Bill has also prescribed penalties for failing to prevent a data breach at upto Rs 250 crore per instance, there does remain some ambiguity over the definition of “per instance”.

Advertisement

Considering the dramatic expansion of the digital economy in the country, bringing in a robust data protection architecture is of critical importance. This Bill needs to go through a process of extensive discussion in Parliament. The provisions need to be tightened, ambiguities removed, and discretion minimised.