India's Digital Personal Data Protection (DPDP) bill is expected to be approved by the lower house of the country's bicameral Parliament, Lok Sabha, but it still faces opposition from privacy rights groups and the India Bloc opposition party.
The DPDP is aimed at establishing comprehensive guidelines to give individuals greater control over their information, strengthen data privacy, and empower individuals to manage who has access to their data. It also prescribes penalties of $30 million (INR 250 crore) for a failure to take reasonable security safeguards against a breach.
What's in the Bill
Stephen Cavey, CEO of Ground Labs, comments that this bill replaces the original Personal Data Protection Bill from 2019, which fell away after multiple changes were proposed by the Ministry of Electronics and Information Technology. He says the new version has positive and negative elements, but believes its approval is a matter of time.
"India is the largest democracy, and it definitely takes time to pass any bill to ensure all aspects have been covered," Cavey says. "It must go through the route of India's legislative process to be approved."
The proposals include an expansive definition of what a data principal is, and require data fiduciaries to provide data principals with a notice stating what personal data will be collected and the purposes for which such personal data will be processed.
The bill also allows data fiduciaries to process personal data based on the consent obtained from individuals, and also permits the processing of personal data based on "deemed consent." Data fiduciaries will be required to make reasonable efforts to ensure that personal data they process, or that is processed on their behalf, is accurate and complete. The DPDP also requires every data fiduciary to implement reasonable security safeguards to prevent personal data breaches and to protect the personal data in its possession or control.
Personal data breaches are defined as "any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data."
What Are the Privacy Concerns?
The bill specifically states that the data fiduciary (the entity who determines the purpose and means of processing personal data) shall give the data principal the option to access such request for consent in English or any language specified in the Eighth Schedule to the Constitution of India.
That final part has proved to be a tricky point though, as a PwC insight called this a "much-debated mandatory localization" as the central government may notify such countries or territories outside India to which a data fiduciary may transfer personal data.
Cavey says the concerns about the bill are that this draft is more relaxed than the previous draft, and that fiduciaries will have more power over the data principals. "Less protection means that detection and investigation will be harder for the regulatory body," he says.
The bill also states that the central government holds the authority to select the members of the Personal Data Protection Board, thus compromising its independence. Cavey says a main concern is how the Data Protection Board operates, how independent it will be, and how it will work in conjunction with the government.
Concerns for Citizens' Privacy
There are several areas that worry privacy advocates. Privacy and policy attorney Raktima Roy said in a LinkedIn post that the bill mandates government data access and gives it the power to take down content with little to no safeguards. And considering that India already has laws on interception, monitoring, and content blocking with limited procedural safeguards, these new provisions in the data protection bill may be contradictory.
"Not only is there rightful dissent over this by judges, opposition members, and civil society in every iteration of the bill that has carried this exemption so far, it is also commercially unsound because it might make it hard to obtain an adequacy decision from any country that needs to see strong data protection laws in place in India before permitting data transfers here," Roy said.
One provision states that the central government may notify countries or territories outside India to which a data fiduciary may transfer personal data.
Also, the bill is digital by design, so if a citizen needs information, they would have to submit their queries or complaints digitally. Likewise, if an individual or organization has access to the Internet and needs a certain piece of public-related information, the government can choose to refuse under breach of privacy and levy a monetary penalty on the individual or organization.
There is also a potential contradictory impact on the 2005 Right To Information (RTI) Act, which grants citizens access to data or information from governments and domains held by public authorities. However, the DPDP says that the government can refuse to give out that information, if it deems that the information sought has no relationship to any public activity, has no connection to any public interest, or that it would cause unwarranted invasion of privacy.