Six years, four drafts, a joint parliamentary committee (JPC) report, multiple stakeholder consultations and yet, our right to privacy appears as elusive as the proverbial Scarlet Pimpernel.
The Digital Data Protection Bill, 2023 passed by the Lok Sabha was touted as a simpler yet strong legislation meant to protect user rights, whilst enabling businesses. A lot of debates preceded the last two drafts and predominantly focused on government exemptions. The JPC report, however, placed emphasis squarely on corporate accountability, transparency and liability. This aspect, unfortunately, has suffered the most by way of multiple dilutions in the final version.
The law is not without its positives. A law for personal data protection will finally see the light of day. It provides for the establishment of a data protection board of India (DPBI), which is expected to provide speedy remedies; an appellate authority is also designated; some semblance of the consent and accountability framework that was the bedrock of the now-forgotten 2018 draft finds a place, including the provision of a clear and precise notice for consent (in English and in all Eighth Schedule languages); purpose limitation when data is shared voluntarily; removal of the word “profiling”; and curtailments in the executive delegation of powers, particularly with respect to the powers and functions of DPBI.
But the shortcomings are worrying, especially because they’ll hurt efforts to hold corporate firms to account. These include the removal of publicly shared personal data from the ambit of the bill; the right delegated to the executive to exempt data fiduciaries from critical provisions of the act; the failure to provide an opt-out option without losing the right to use a service or platform; a modification of the Right to Information access to personal data; limiting the right of individuals to erase only data previously consented to and shared by the data principal (the individual whose data is being processed); ambiguous duties imposed on individuals such as “complying with all applicable laws” and a fine of ₹10,000 if they fail to discharge these “duties”; and the failure to provide the option for recovery of compensation to data principals for breach of their rights.
The data protection law was envisaged to protect us from the abuse of data voluntarily shared. The bill tries to capture this promise through its modified list of legitimate uses of such data. Yet, the very act of sharing personal data, voluntarily and publicly, is removed from its purview. A social media post will likely become exempt from protections. This post could be by a child, a person with disabilities or their parents or guardian. Such failure to protect privacy rights merely on the grounds of public and voluntary sharing of data is myopic. Just as the bill recognises the fact that legal protections cannot be waived even with consent, voluntary sharing of data ought not to deprive an individual of their right to protection against misuse. Or else, the digital footprints left in the sands of cyberspace remain for eternity to plague an individual.
The principle is based on balancing business requirements with individual protection. Hence, whilst essential cookies, for instance, are permitted to be collected under blanket consent, other analytical cookies can be blocked by users. Indians can now lose this right of choice if the Rajya Sabha passes this bill without the explicit inclusion of this critical right.
Passing the law is a positive step in itself and enacting a data protection regime could not have come soon enough. The errors or omissions in the bill should not delay this codification of our fundamental right. Remedying these shortfalls without delaying the process is the fine balance that Parliament needs to strike.
NS Nappinai is an advocate in the Supreme Court and founder, Cyber Saathi. The views expressed are personal.