Amidst a backdrop of heightened concerns surrounding data privacy and government oversight, the Digital Personal Data Protection Bill (DPDP Bill) has been the subject of intense debate. While it aims to establish a data protection board, the proposed bill has also raised alarm over potential government overreach. Here is an explainer of the DPDP Bill.
Explained
The draft DPDP Bill, 2023, is scheduled to be tabled in Parliament on the 3rd of August in what would be India’s second attempt at framing privacy legislation, six years after the Supreme Court declared privacy as a fundamental right. Given India’s status as the largest market for major tech conglomerates worldwide, this bill assumes critical importance. Despite concerns raised by privacy experts, the final version of the bill appears to have preserved the contentious provisions from the original proposal presented last November. A particular concern is the retention of broad exemptions for the central government and its agencies, allowing them to claim immunity from adverse consequences, citing reasons such as national security, foreign relations, and public order maintenance.
A key provision has come under scrutiny, allowing the government to compel any entity to furnish information upon request, granting the Centre significant control over the implementation of the law. Furthermore, whispers of an expanded online censorship regime have emerged, with reports indicating that entities found in violation of regulations on two occasions could be subjected to government-imposed blocks. As India awaits the unveiling of the final version of the bill, concerns persist over the balance between data privacy and governmental control.
Furthermore, the DPDP Bill is anticipated to introduce a significant amendment that empowers the central government to take drastic action against entities found in violation of regulations. If an entity faces penalties on more than two occasions, the government will be authorized, after a hearing process, to make a crucial decision: whether to block the entity’s platform entirely within the country. This measure would expand the existing online censorship regime already enforced under Section 69 (A) of the Information Technology Act, 2000. While the bill seeks to establish strict consent norms for entities collecting personal data from individuals, it also leaves room for certain “legitimate uses” permitted to both governmental bodies and private entities, presenting a potential avenue for further debate on striking the right balance between privacy protection and other essential interests.
Under the proposed DPDP Bill, the Centre gains the authority to process citizens’ data without explicit consent, justifying it on grounds of national security and for the provision of various services, including subsidies, benefits, certificates, licenses, or permits. Additionally, concerns have been raised about the bill potentially granting the central government the power to set a lower age of consent, below 18 years, for accessing internet services without parental consent. This possibility comes with the condition that the platform facilitating such access can guarantee the secure processing of user data.
The upcoming DPDP Bill introduces a significant change by allowing the government to designate certain entities as “significant data fiduciaries” based on various factors, including the scale of personal data they handle, potential risks to electoral democracy, and implications for national security and public order. This designation is expected to encompass social media giants such as Facebook, YouTube, and WhatsApp.
Proposed individual rights, like the right to the erasure of personal data, may be suspended in specific circumstances, such as data processing for legal claims or agency investigations. The data protection board, comprising members with diverse expertise, could be granted authority to summon and examine individuals under oath during its violation investigations. The data protection board members, including the chairperson, may face restrictions preventing them from accepting employment at any entity that is subject to violation-related proceedings for at least one year after their tenure on the board concludes.