The much-awaited Digital Personal Data Protection Bill, 2023, was introduced by the Union Minister of Information Technology Ashwini Vaishnaw in the Lok Sabha on Thursday, 3 August.
The objective of the DPDP Bill is to allow an Indian citizen's digital personal data to be processed in such a way that "recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes."
A draft version of the bill was first released by the Ministry of Electronics and Information Technology (MEITY) in November 2022. It underwent several rounds of consultations, where various types of stakeholders were invited to give their feedback on the draft legislation.
Congress MPs Gaurav Gogoi, Manish Tewari, Shashi Tharoor, Adhir Ranjan Chowdhury along with NCP MP Supriya Sule, TMC MP Saugata Roy, and RSP MP NK Premachandran opposed the introduction of the DPDP Bill, 2023.
However, even on the day of its introduction in Parliament, the DPDP Bill doesn't appear to have been spared from controversy, as Congress MP Manish Tewari questioned the Bill being classified as a financial bill. But Vaishnaw later clarified in the Lower House that the Bill is a general bill.
In a landmark 2017 judgment, the Supreme Court had held privacy to be a fundamental right (with reasonable restrictions) of every Indian citizen, and had directed the central government to establish a data protection regime. The passage of this bill in Parliament would end the six-year-long wait for the same.
There have been multiple iterations of a data protection bill in India over the years. Initially, a committee of experts led by retired Supreme Court Justice BN Srikrishna was tasked with drafting a data protection bill in 2017. Two years later, the Personal Data Protection Bill, 2019, was tabled in Parliament but it was referred to a Joint Parliamentary Committee for further evaluation. In 2021, the Committee submitted the draft legislation that had been reworked based on its internal deliberations. However, in 2022, IT Minister Ashwini Vaishnaw withdrew the Personal Data Protection Bill from consideration, citing the need for a "comprehensive legal framework."
Key Features of the DPDP Bill, 2023
Here are the highlights from the DPDP Bill, 2023, that was tabled in the Lok Sabha on Thursday:
What type of data does the Bill regulate? The latest version of the DPDP Bill, 2023, proposes to regulate the processing of only digital personal data belonging to the Data Principal (or user). Hence, it does not offer protection of an Indian user's offline personal data. But the Bill will apply to personal data that has been later digitised.
Under what conditions can personal data be processed? A Data Principal's personal data can be processed as long as it is done for lawful purposes, for which they need to give their consent, or for certain legitimate uses like when the user has voluntarily given their personal data to the Data Fiduciary, or when the personal data is needed for the provision of subsidy, benefit, service, certificate, licence or permit from the State, as per the Bill.
The processing of a user's personal data can be done without their consent in the event of a court order, medical emergency, as health and disaster safety measures, and breakdown of public order.
What about a user's consent? One of the many obligations of the Data Fiduciary (or platform) is to obtain user consent for processing of personal data, where the consent is "free, specific, informed, unconditional and unambiguous with a clear affirmative action," the Bill proposes. The Bill allows for consent to be withdrawn.
What other rights do users have? Under the DPDP Bill, 2023, data principals have certain rights such as the right to obtain summaries of their personal data, the right to correct, update, or erase their personal data, the right to register a grievance with a platform, etc.
What about processing of children's personal data? The DPDP Bill classifies anyone below the age of 18 years as a child and requires platforms to obtain consent for processing of their personal data from the child's parent or legal guardian. It also prohibits platforms from undertaking tracking, behavioural monitoring, or showing targeted ads to children.
What are the exemptions given? Notably, the provisions of the DPDP Bill, 2023, are not applicable on "any instrumentality of the State" as well as certain types of data fiduciaries and organisations that process data for law enforcement or judicial purposes.
What happens if there is a data breach? "In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed," the Bill reads.
Who will investigate data breaches? The DPDP Bill roposes the establishment of the Data Protection Board of India (DPBI) whose functions would include determining non-compliance with the law, adopting "urgent measures" to curb data breaches, and performing any other functions assigned by the government.
If it finds any platform to have violated the provisions of the DPDP Bill, then the Board is empowered to impose a monetary penalty on the aforementioned platform based on certain criteria. "Any person aggrieved by an order or direction made by the Board under this Act may prefer an appeal before the Appellate Tribunal," the Bill reads.
Does it propose to amend the RTI Act? Yes, the DPDP Bill proposes to omit a part of the Right to Information Act, 2005, which reads, "Information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:
Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person."
IT Committee Report Endorses DPDP Bill, 2023
In the run-up to the DPDP Bill being introduced in the Lok Sabha, the Parliamentary Standing Committee on IT tabled a report that backed the data protection legislation, even though many members of the committee had reportedly not seen the latest version of the bill.
"The Committee have been informed that the fundamental principles that underpin personal data protection laws in various jurisdictions, also form the basis of the Draft Digital Personal Data Protection Bill. These principles include the lawful, fair, and transparent usage of personal data by organizations, the principles of purpose, data minimization, accuracy, storage limitation, and the need for reasonable safeguards," read a press release with highlights from the report.
"The Committee firmly believe that no legislation can be perfect from the outset. It evolves over time and is fine-tuned in response to changing circumstances. The Committee, therefore, urge that the provisions that cannot be fully defined within the scope of the Bill can be addressed through rules prescribed under the Bill, which are subsequently presented to Parliament," the release added.
However, the adoption of the report by the IT Standing Committee, headed by Shiv Sena (Shinde) MP Prataprao Jhadav, may not have been unanimous as Opposition MPs objected to endorsing the Bill without reading the latest draft, according to The Hindu.
In letters addressed to Lok Sabha Speaker Om Birla and Rajya Sabha Chairperson Jagdeep Dhankar, Rajya Sabha MP John Brittas argued that the stipulated rules and regulations were not followed by the Committee in drafting the report on the DPDP Bill.
"According to the unequivocal provisions in Rules 331E (1) (b), 331H (a) & 331H (b) of Lok Sabha Rules and Rules 270 (b) & 273 (a) of the Rajya Sabha Rules, referred above, the Standing Committees are explicitly prohibited from examining any Bills that have not been referred to them by the Chairman or the Speaker after their introduction in either House," Brittas was quoted as saying by Moneycontrol.
In response to the controversy, IT Minister of State Rajeev Chandrasekhar denied that the DPDP Bill had been referred to the IT Standing Committee. He tweeted, "No bill including the proposed DPDP (Digital Personal Data Protection Bill) can be referred to any committee unless it is done so by Parliament. In turn, the bill can be only referred to committee AFTER the Cabinet-approved bill is introduced in Parliament."
What Happens Next?
Since the Digital Personal Data Protection Bill, 2023, has been introduced in the Lok Sabha, what next? The bill will be further listed for consideration and passing in the Lower House. If it gets the nod, then the bill will move to the Rajya Sabha before finally being submitted to President Murmu for her assent to enact it into law.
While there is always a possibility for the DPDP Bill to be referred to a parliamentary committee for further scrutiny, it is unlikely to happen. The Monsoon Session of Parliament, which began on 20 July, has been stormy from the start as proceedings of both Houses have been severely disrupted by the Opposition demanding a discussion on the violence in Manipur.
As a result, crucial pieces of legislation such as The Wild Life (Protection) Amendment Bill and The Registration of Births and Deaths (Amendment) Bill have been passed in Parliament without adequate debate and discussion.
In an attempt to force PM Modi to make a parliamentary statement on Manipur, the Congress and BRS had filed no-confidence motions against the central government. The motions were adopted by Lok Sabha Speaker Om Birla, who said that a date and time for the discussion will be assigned.
However, with still no clarity on when the Manipur debate will take place in Parliament, Opposition MPs are protesting the introduction and passage of bills by the government. Congress MP Manish Tewari claimed that since the no-trust vote is still pending, all legislation passed in the interim are "constitutionally suspect," according to PTI.
“When leave of the House to the moving of a motion has been granted, no substantive motion on policy matters needs to be brought before the House by the government till the Motion of no Confidence has been disposed of," Lok Sabha MP NK Premachandran was quoted as saying by The Indian Express.
What bearing will all this have on the Digital Personal Data Protection Bill, 2023? Can it be passed by both Houses before the end of the parliamentary session? Will it be constitutionally acceptable to do so?