Introduction
India is finally vying with its international contemporaries in terms of keeping the law up-to-date with the ever-changing 21st century, especially in the legal arena where technology and law intersect. A good percentage (137 out of 194) of countries have adopted legislation dedicated to data privacy. In 2021, the government withdrew an earlier version of the same bill after a slew of changes suggested by a Joint Parliamentary Committee and promised to come up with a new bill, which it did late last year. The government published the much-awaited draft digital personal data protection bill in November 2022. The revised bill focuses only on personal data, thereby doing away with regulating the use of non-personal data.
After seeing its history in the last part, this blog will attempt to analyse the DPDPB by the reactions it has sought after the last update.
Reactions:
The JPC’s amendments to the bill have been met with mixed reactions from various stakeholders. Here are some of the reactions:
- Industry associations and companies:
- Industry associations, such as the Confederation of Indian Industry (CII) and the National Association of Software and Services Companies (NASSCOM), have welcomed some of the JPC’s (Joint Parliamentary Committee) amendments, such as the removal of the requirement for certain types of data to be stored locally.
- However, some companies have raised concerns about the bill’s provisions, such as the requirement for social media intermediaries to identify the originator of messages.
- The draft bill requires a data fiduciary i.e., an entity that processes user data, to give an itemised notice to users on data sought to be collected in clear and plain language. It also mandates that the user should be allowed the right to give, manage, and withdraw consent from sharing information.
- Civil society organizations:
- Civil society organizations, such as the Internet Freedom Foundation, have criticized some of the JPC’s amendments, such as the removal of explicit consent for data collection and the dilution of some of the provisions related to data localization.
- They have called for stronger protections for the privacy of citizens. Certain provisions such as wherein it is stipulated that the data fiduciary shall not undertake tracking or behavioural monitoring of children or advertising directed at children have been greatly appreciated.
- Political parties:
- Some of the raised concerns include the centralisation of power, a lack of independence of the Data Protection Board, blanket exemptions to some data fiduciaries and exceptions provided to the government in the draft Bill.
- The MPs also hinted that there was no clarity on the timeline for when the draft Bill would be introduced in the Parliament, as it was supposed to be introduced in the second half of the Budget session.
- The Opposition party MPs of the Standing Committee on Information Technology have raised issues with the Data Protection Board, along with the clause on deemed consent. With the deemed consent clause, the data fiduciary has access to the personal data of patients (who get treated at healthcare facilities) and authorises it to share with anyone. Another concern is the impact the Bill has on the RTI Act as it proposes to amend it.
Thus, the bill has raised eyebrows among all the stakeholders involved, be it the grand welcome gesture by the industry associations or the critiques by the opposition of the government. Are you aware of any other factor that we missed out on in the analysis of the bill? Please comment if any, and stay tuned!