The Digital Data Protection Bill, 2023, was passed in the Lok Sabha on Monday and will now have to be cleared by the Rajya Sabha. The fresh iteration, which has undergone a few drafts, seems to have incorporated suggestions made to its 2022 version, although it is not clear what the submissions were as the consultation process was not brought to light by the government. The highlight of the Bill is the provision that personal data of an individual, the data principal, may be processed by an entity or a person, the data fiduciary, for a lawful purpose only after the consent of the data principal or “for certain legitimate uses”. These “uses” are situations where such data may be processed without obtaining the data principal’s consent, such as by government agencies for providing licences, welfare benefits, permits and services. This Bill includes an obligation on the part of the data fiduciary to notify the data principal — and the Data Protection Board (DPB), to be established by the government to adjudicate on compliance or non-compliance with the Bill — if there is a personal data breach. There are other obligations defined for the data fiduciary as well, but one issue with the Bill is that it does not include the need for informing data principals about third parties with whom the data could be shared, or the duration of storage.
Too much leeway is provided to agencies of the state in the form of exemptions. The Srikrishna Committee’s Draft Bill in 2018 allowed for exemptions to be granted to state institutions from acquiring informed consent from data principals or to process their data in matters related only to the “security of the state”, and also called for a law to provide for parliamentary oversight and judicial approval of non-consensual access to personal data. In the 2023 version, the state is empowered to process data through wide-ranging exemptions and the government is allowed, in effect, to collect information which could be used for mass surveillance. In overriding consent to be obtained by the state from the data principal for purposes of providing benefits, subsidies, and licences, the Bill also does away with purpose limitation — using the data only for the specified purpose. It seeks to introduce amendments that effectively remove the public interest exception to disclosure of personal information under the Right to Information Act, thereby diluting accountability and transparency in the functioning of government officials. In the DPB, the Bill also continues to retain a much weaker version of the regulatory Data Protection Authority envisaged in the 2018 version: the DPB will have only adjudicatory and not regulatory powers, and its members will be appointed by the Union government. The Bill must be thoroughly discussed and these discrepancies ironed out in the Rajya Sabha.