India’s latest data protection bill provokes fresh privacy concerns
A controversial new data protection bill, which sets out rules for use of personal data by private firms and the government, has been tabled in India.
Minister of electronics and information technology, Ashwini Vaishnaw, put forward the Digital Personal Data Protection Bill 2023 in Lok Sabha – the lower house of India’s parliament – on 3 August.
The bill is meant to limit cross-border transfers of data, penalise companies and institutions for data breaches, and provide a framework for establishing a data protection authority to ensure compliance.
It is based on six principles, including the lawful, relevant, secure and transparent collection, storage and use of citizen data; data accuracy requirements; and reporting rules in the instance of a breach.
Individuals must have given “free, specific, informed and unambiguous” consent for their data to be used – or have been understood to have given their consent in less sensitive cases – except where consent is not deemed necessary.
Under the proposed law, companies and institutions that do not comply or fail to take reasonable measures to prevent data breaches can be fined around US$30m for accidentally disclosing, sharing, altering or unlawfully destroying personal data. The penalty rises to around US$60m for repeated breaches.
The ministry of information technology said the bill provides for the processing of digital personal data in a manner “that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes”.
Bill could facilitate state surveillance, say rights groups
However, the bill is proving controversial, with opposition MPs and privacy experts saying it gives the government too much power and fails to adequately safeguard the data of the nation’s 1.4 billion citizens.
The primary reason for contention is the provision that government agencies be exempt from the law in cases where national security or law and order are thought to be under threat, with opponents fearing abuse of power by agencies.
Members of the opposition, including Asaduddin Owaisi, the leader of the All India Majlis-e-Ittehadul Muslimeen (AIMIM), Trinamool Congress MP Sugata Roy, and Indian National Congress MP Manish Tewari strongly opposed the bill, claiming that it violates the fundamental right to privacy. They demanded that it be sent to a standing committee for scrutiny.
Another provision of the bill states that the Data Protection Board be given advisory powers to recommend to central government that social media and online platforms that have repeatedly beached the rules have content taken down or have citizens’ access to them blocked in the “public interest”.
“The clause provides for harsh steps as and when needed, but we hope to use them sparingly,” an official said, as reported by The Economic Times. “The [central government] must have powers that keep the internet safe and trusted. If an intermediary fails to keep data of citizens safe from breaches repeatedly, mere imposition of penalties will not solve the problem.”
Like opposition MPs, rights groups have also decried exemptions to the government and its agencies, and cited dilution of the powers of the Data Protection Board and amendments to the Right of Information (RTI) Act as other concerns. The bill states that government officials can turn down RTI requests on the basis of right to privacy, though the groups say this could be abused.
Read more: Indian government urged to prioritise privacy as it embarks on data-sharing plan
“The bill grants the central government excessive discretionary power, does not create an independent regulator, creates uncertainties in cross-border data flows, and undermines people’s rights,” international digital rights group, Access Now said, according to The Economic Times.
The New Delhi based Internet Freedom Foundation said the bill “fails to address many data protection concerns and instead puts in place a regime to facilitate the data processing activities of state and private actors.
“The further widening of exemptions granted to government instrumentalities may facilitate increased state surveillance.”
Latest data protection bill of many
Similar concerns were raised under previous iterations of the bill. One bill introduced in 2019 – seen as part of prime minister Narendra Modi’s desire to more strictly regulate tech giants – was shelved almost exactly a year ago after big tech firms complained that stringent regulations would increase their compliance burden and data storage requirements and give the government power to obtain user data from them.
The decision to withdraw the bill came after a parliamentary panel’s review suggested so many amendments that the government conceded that a new “comprehensive legal framework” was required.
The introduction of the first data protection bill followed a landmark ruling by the Supreme Court of India in 2017 that citizens have a fundamental right to privacy.
Rajeev Chandrasekhar, minister of state for electronics and information technology, described the latest bill as a “very significant milestone” in Modi’s “vision of Global Standard Cyber Laws for India’s $1 trillion digital economy” and emphasised that it had been written after extensive consultation with all stakeholders, including citizens.
He said the bill would “protect all citizens, allow the innovation economy to expand, and permit government’s lawful and legitimate access in national security and emergencies like pandemics and earthquakes”. He added that it was “contemporary, future ready yet simple and easy to understand”.
Vaishnaw said issues raised by the opposition would be answered during debate in parliament.
About Mia Hunt
Mia is a journalist and editor with a background in covering commercial property, having been market reports and supplements editor at trade title Property Week and deputy editor of Shopping Centre magazine, now known as Retail Destination. She has also undertaken freelance work for several publications including the preview magazine of international trade show, MAPIC, and TES Global (formerly the Times Educational Supplement) and has produced a white paper on energy efficiency in business for E.ON. Between 2014 and 2016, she was a member of the Revo Customer Experience Committee and an ACE Awards judge. Mia graduated from Kingston University with a first-class degree in journalism and was part of the team that produced The River newspaper, which won Publication of the Year at the Guardian Student Media Awards in 2010.
Related Posts
