The journey towards a data protection legislation in India has not been without its twists and turns. In 2017, the Supreme Court, in the landmark Puttaswamy judgment, unanimously ruled that privacy is a fundamental right of Indian citizens. It kickstarted a five-year-long process, which has now seen four versions of the Data Protection Bill.
The latest version of the is the Digital Personal Data Protection (DPDP) Bill, which was released by the Ministry of Electronics and Information Technology (MeitY) for public consultation on November 18, 2022.
A law that frames the contours of India’s digital economy is of vital importance. But has the Government of India, through the DPDP Bill, managed to protect the rights of India’s digital nagriks, or citizens? Depends on who you ask.
In a recent statement, Union minister for Electronics and IT, Ashwini Vaishnaw, said that the Parliamentary Standing Committee on Communications and IT had given a “big thumbs up” to the government’s draft Bill.
What exactly gave the minister this impression, when the Bill has not even been formally referred to the committee for closer examination? The committee, during its sitting in December last year, had invited MeitY representatives to hear their views on ‘citizens’ data security and privacy’, which included a preliminary discussion on the recently released DPDP Bill. The members raised several issues with the Bill. However, since it has not been formally sent to the committee, approval or disapproval of the draft Bill, at this stage, is out of question.
Perhaps it’s no surprise that the IT minister is peddling a false narrative in public; the ruling party has a habit of bulldozing through parliamentary democracy and rule of law.
Also read: Why India’s Proposed Data Protection Authority Needs Constitutional Entrenchment
While its comments and recommendations will be out in the public domain only once the Bill is referred to the committee, I strongly opine that the draft Bill fails to protect the privacy of India’s citizens.
First, the Bill is skeletal in form, delegating massive rule-making power in the hands of the Union government. This allows room for vagueness, ambiguity, and a lack of legislative scrutiny.
Second, according to clause 18(2), why does the government have broad-ranging powers to exempt itself or its agencies from complying with the Act? The now withdrawn Personal Data Protection Bill, 2019, also had broad exemptions to the government and its agencies, but such exemptions were subject to safeguards and oversight mechanisms.
Third, there is a big question mark on the independence of the Data Protection Board. How can the Board be called an “independent” regulator, when the appointments, removal of the chairperson and governing body is decided by the government?
Fourth, is children’s safety and data privacy even a priority for the government? It has given itself the power to exempt entities from complying with the Act while processing data of children. This is concerning, given that a study by HRW found that government apps such as Diksha and e-Pathshala were engaging in practices that infringed the data privacy of children.
The government has also dropped “surveillance” from the scope of “harm” under the Bill. Technology companies, including edtech firms, will now get unimaginable access to track and monitor children and use their data for profit-making purposes.
Finally, does the DPDP Bill satisfy the fourfold test of privacy, i.e., legality, legitimate aim, proportionality, and procedural safeguards, as laid down by the Supreme Court in the Puttaswamy judgment?
The IT minister ought to address these concerns about the Bill, and publish ‘public feedback’ on the draft, before he accords any imaginary approval.
The author is a Lok Sabha MP and a member of the Standing Committee on Communications and IT.
