Privacy bill clears first hurdle amid calls for review of draft law

The Digital Personal Data Protection (DPDP) Bill, 2023 cleared the Lok Sabha on Monday by a voice vote despite opposition members of Parliament, the Editors’ Guild, and sections of industry questioning the legislation’s impact on the right to privacy.

Congress MPs Manish Tewari and Shashi Tharoor said the bill needed to be sent to a parliamentary panel. The Editors’ Guild of India raised concerns about specific provisions mentioned in the bill that have the potential to harm the freedom of the press.  The Guild has also requested Lok Sabha Speaker Om Birla to send the bill to a parliamentary standing committee for review. 

This bill will next be presented before the upper house of parliament, the Rajya Sabha, where the ruling coalition lacks a majority. 

The bill outlines procedures on how corporations and the government can collect and use information and personal data of Indian citizens. Since 2017, the legislation had undergone multiple iterations. Initial draft legislation mirrored several provisions of Europe’s privacy protection act, empowering citizens by giving them the right to decide how their online data can be used.  Later iterations reflected corporate interests and showed similarity with US legislation on data protection act.  

The current bill is an amalgamation of serious provisions for how private entities or data fiduciaries can handle users’ personal data excluding any instrumentality of the state, which can bypass the provision of seeking consent from data principals if national security is concerned. 

Rajesh Dangi, chief digital officer at NxtGen Infinite Data Center, said in a LinkedIn post that the bill needs more clarity and could lead to confusion and inconsistent implementation.  He added that the enforcement capabilities lie with Data Protection Board, and if the board needs more resources, it may undermine the intended protections. 

“The bill primarily focuses on protecting digital personal data and may not adequately address other forms of cumulative and /or derived data sets and data processing or emerging technologies. This limited scope may leave certain data and individuals vulnerable to privacy breaches,” he wrote, adding that the bill does not provide specific guidelines on data retention periods. 

The Editors’ Guild has raised concerns about the lack of exemptions for journalists from certain obligations of the law where the reporting on certain entities may conflict with their right to personal data protection. While referring to the Justice Srikrishna Committee report, which provided a framework for balance between personal data protection and public interest, it said the same needs to be added to the current bill. The provision under Section 36 of the DPDP bill empowers the government to ask any public or private entity (data fiduciary) to furnish citizens’ personal information, including journalists and their sources. 

The Guild also raised concern over clause 17(2)(a) that allows the Union government to issue a notification exempting any “instrumentality of the State” from the provisions of this bill, thereby keeping them out of the ambit of data protection restrictions, including internal sharing and processing of data and Section 17(4) allows the government and its instrumentalities to retain personal data for an unlimited period of time, it added. 

“We note that while the bill, ostensibly to promote data protection, has failed to make any provisions that bring about the surveillance reform that is urgently needed, and in fact creates an enabling framework for surveillance of citizens, including journalists and their sources,” the Guild said.

Similarly, specific provisions shift the balance in favor of non-disclosure of information, including information sought by journalists in the public interest, thereby reducing accountability. The Guild has also flagged concerns over the composition of the Data Protection Board and stressed the need for it to be independent of the government.