Data Protection or Govt. Protection?

India’s data protection and privacy laws cleared its first hurdle amidst continued concerns over whether it was actually aimed to protect the citizens or the administrators. For starters, several of the proposals red-flagged by privacy experts in the original draft, have been retained in the one that was approved by the Lok Sabha on Monday. 

The two major issues that raised the hackles of data privacy advocates relates to the discretionary authority that they believe is being given to the administration as well as the power that the government has given itself to waive compliance requirements for some specific segments of data fiduciaries such as startups. Of course, the government’s authority to set up a data protection board and appoint all its members is also being dubbed as autocratic. 

What is the Bill’s status and how long before it becomes law?

As things stand currently, the Digital Personal Data Protection Bill has been greenlit by the Lower House of Parliament where the ruling party has a clear majority. For the proposals to become law, it needs to be approved by the Upper House where the government could cobble up an alliance to push it through, albeit with some degree of sweat. 

The Bill was reintroduced last week, approximately a year after an earlier version was abruptly withdrawn last year. The proposals make it mandatory for companies collecting user data to get explicit consent before processing it. However, by adding “certain legitimate uses” to the body of the Bill, the administrators have left enough leeway to sidestep the requirement of consent. 

Concerns are around the role of administrators 

So, in actual terms the Bill would allow platforms to process a user’s personal data without consent if the said user provides it voluntarily in certain situations such as sharing payment receipts or providing public services. A report published by the Indian Express says “In its new avatar, the proposed law has also accorded virtual censorship powers to the Centre.”

In fact, several publications have been wary of the proposal that provides protection to the government (read administrators or bureaucrats) and the data protection board from legal action. A similar provision in the now defunct Farmers’ Bill had resulted in civil agitation for months that eventually forced the government to withdraw it. 

There’s no debate on the need of data protection

Of course, there is no denying that the Bill itself is critical for India, given the fast-paced growth that digital transactions are witnessing over the past few years. Rapid growth in internet usage and online retail means that user data could get misused, especially given the low levels of awareness around user data privacy norms in the country. 

Moreover, India’s efforts are in consonance with those of other governments and IT minister Ashwini Vaishnaw was right when he termed the new laws as being necessary to protect the right to privacy of Indian citizens. What has come up as a challenge though is the impression that the faceless bureaucrats could once again be deciding on exceptions. 

The law would cover digital data and personal information handling even if it takes place outside the country, so long as it relates to providing goods and services to Indian individuals. This means companies such as Amazon, Flipkart etc. fall under its ambit directly and provides the government with the authority to decide the countries that can receive personal data. 

However, what’s raised hackles is the bureaucracy’s role

In fact, a scathing editorial published by The Telegraph describes the entire activity as Big Brother finally donning “the cloak of immunity from prosecution” and doing so by “widening the ambit of the good faith principle to itself.”. The shield against the invasion of privacy rights enshrined in Article 14 of the Constitution crumbles further in the new bill, the article says. 

Furthermore, the opposition parties as well as sections of civil society and independent think tanks have been apprehensive about these provisions. They argue that it is not about which regime is in power, but that such laws would remain even if there is a change of regime as the ultimate authority rests with the administrators, not those duly elected by the people. 

The minister has to protect his officials though

Though the minister sought to allay fears claiming that the Bill was drafted in consultation with 48 organizations and 39 central ministries, advocacy groups claim it had failed to include several of the recommendations made during consultative meetings. However, the government reaffirms that accepted principles of digital data protections have been included. 

The bill includes the principles of legality, purpose limitation, data minimization, accuracy, and storage limitation, among others, says minister Vaishnaw while pointing out that with more than 900 million Indians connected to the internet, the need for protection of rights, security and privacy in the digital world becomes paramount.