India’s Digital Personal Data Protection (DPDP) bill is on the verge of being approved by the lower house of Parliament, Lok Sabha. However, the bill is facing opposition from privacy rights groups and the India Bloc opposition party. Despite the objections, the bill is expected to be taken up for consideration.
The DPDP bill aims to establish comprehensive guidelines to give individuals greater control over their personal information. It seeks to strengthen data privacy and empower individuals to manage who has access to their data. The bill also sets penalties of $30 million (INR 250 crore) for failing to implement reasonable security measures against data breaches.
Stephen Cavey, CEO of Ground Labs, comments on the bill, stating that it is an upgraded version of the original Personal Data Protection Bill from 2019. The bill underwent several changes proposed by the Ministry of Electronics and Information Technology, leading to its replacement. Cavey acknowledges that the bill has both positive and negative elements but believes that it will eventually be approved through India’s legislative process.
The proposals within the bill include an expansive definition of a data principal and require data fiduciaries to provide individuals with a notice stating the purpose and means of data collection. The bill allows data fiduciaries to process personal data based on consent obtained from individuals or “deemed consent.” It also mandates data fiduciaries to implement reasonable security measures to protect personal data from breaches.
However, there are privacy concerns surrounding the bill. One of the contentious points is the mandatory localization of data. The central government may notify countries or territories outside India to which a data fiduciary may transfer personal data. Privacy advocates argue that this provision gives the government excessive control over data access and raises concerns about the independence of the Personal Data Protection Board.
Raktima Roy, a privacy and policy attorney, highlights the worry that the bill could enable government data access and content takedown without adequate safeguards. India already has laws on interception, monitoring, and content blocking, and these new provisions in the DPDP bill may contradict existing regulations. Roy also raises concerns about the impact on data transfers and the potential difficulty in obtaining adequacy decisions from countries requiring strong data protection laws in India.
The bill’s digital design is another point of concern. Citizens seeking information will have to submit their queries or complaints digitally. However, this could pose challenges for individuals and organizations without internet access. The government can refuse to provide certain public-related information under the pretext of breach of privacy and even impose monetary penalties.
Additionally, there is a potential conflict with the Right To Information (RTI) Act of 2005. The DPDP bill grants the government the authority to deny access to certain information if it is deemed unrelated to any public activity or interest, or if it would invade someone’s privacy.
Despite the opposition and privacy concerns, the DPDP bill is moving forward in the legislative process. It remains to be seen whether the objections will lead to meaningful changes to address the privacy issues raised by various stakeholders. As India’s largest democracy, it is crucial to ensure that the bill strikes the right balance between data protection and individual rights.