August will mark the sixth anniversary of the Supreme Court of India affirming privacy as a fundamental right. However, the long-awaited law on personal privacy and data protection is still in the making. This week, the union cabinet approved the draft Digital Personal Data Protection (DPDP) Bill, signalling progress towards the enactment of the law.
A History of Deliberation
The journey towards the Data Protection Bill began with the constitution of the Justice Srikrishna Committee, which was tasked with examining the Supreme Court judgment and drafting a bill. The process has undergone multiple iterations, with input from civil society and data privacy experts.
These stakeholders have made several suggestions to strengthen the bill in favour of individual citizens, who are often seen as mere sources of data for data fiduciaries, including governments and private corporations.
Government's Approach Criticized
The government's approach to the data protection law has drawn criticism. While private corporations may prioritize profit motives, the government has a constitutional obligation to uphold citizens' rights in formulating and implementing the law.
As the largest collector and custodian of personal data in India, the government and its agencies should have been more conscientious in presenting a bill that upholds rights and provides accessible compliance and grievance redressal mechanisms for citizens.
Delayed Transparency and Legal Protection
India's digitalization and the growth of the digital economy have transformed various aspects of citizens' lives. However, the government has been slow to establish transparency and legal protections that citizens urgently need. Consequently, vast amounts of data have been collected and misused without any accountability.
Changes in the Upcoming Bill
The upcoming Data Protection Bill includes significant changes to the draft circulated in November 2022. One noteworthy change is the provision that empowers the central government to lower the age of consent from 18. Additionally, certain companies may be exempted from additional obligations regarding the protection of children's privacy if they can process their data in a "verifiably safe" manner.
The inclusion of a case-by-case approach to defining the age of consent is a departure from the previous draft, which hardcoded the age at 18. This change addresses the concerns of industry players, especially social media companies, which would have faced disruptions in their operations if parental consent were required for users under 18. However, this approach aligns with data protection regulations in the Western world, such as the European Union and the United States, where the age of consent is lower.
Government's Justification
The decision to change the age of consent was made based on the recognition that children can be independent stakeholders on the internet who may want to access services without parental consent. This change aims to strike a balance between protecting children's privacy and providing them with the freedom to access services independently.
Further Relaxations and Exemptions
The upcoming bill also includes other significant changes. It offers further relaxations for cross-border data flows, shifting from a whitelisting approach to a blacklisting mechanism. This change aims to streamline data transfers to international jurisdictions. Additionally, certain entities dealing with the collection and processing of children's data may be exempted from seeking parental consent if they can demonstrate that their data processing methods are verifiably safe.
Government Exemptions Raise Concerns
However, the provisions granting exemptions to the government and its bodies in the draft DPDP Bill have raised concerns. Justice (retired) B.N. Srikrishna, who proposed the first draft of the bill in 2018, expressed significant concern over these provisions. He argued that the draft grants too much leeway to the government and does not adequately protect individuals' fundamental right to data privacy.
Need for Independent Regulation
Justice Srikrishna emphasized the need for an independent regulator, such as the Data Protection Authority, envisioned in the 2018 draft. He criticized the current bill for potentially enabling executive interference and infringing upon individuals' privacy rights. He also highlighted the shortcomings of the proposed Data Protection Board, stating that it would be a puppet of the government, lacking independence and necessary safeguards.
The specific changes made to the DPDP Bill remain unclear, and it is expected to be tabled in the upcoming monsoon session of Parliament, scheduled to begin on July 20. This session will provide an opportunity for lawmakers to scrutinize the bill and address concerns regarding exemptions, the role of the government, and the protection of individual privacy rights.
Penalties and Exemptions
The draft DPDP Bill, in its current form, proposes a penalty of ₹500 crore for data breaches. However, it also grants wide exemptions to courts and enforcement agencies concerning key requirements. These exemptions apply when personal data is processed for the prevention, detection, investigation, or prosecution of any offence or contravention of the law or when processing is necessary for the performance of judicial or quasi-judicial functions.
In conclusion, the approval of the draft Digital Personal Data Protection (DPDP) Bill marks a significant step toward establishing a comprehensive data protection framework in India. However, concerns remain regarding the exemptions granted to the government and its bodies, as well as the need for an independent regulatory authority. The upcoming parliamentary session will be crucial in addressing these concerns and ensuring that the final legislation upholds the fundamental right to data privacy for all Indian citizens.