Chandrayaan 3, India’s ambitious lunar exploration mission, achieved a significant milestone as it successfully executed a critical manoeuvre to depart Earth’s orbit and commence its trajectory towards the Moon. The spacecraft is now primed to embark on several orbits around the lunar body before making its historic landing. The excitement surrounding this mission is palpable, with hopes pinned on its successful outcome. Simultaneously, another critical development has been unfolding on the legislative front — the Digital Personal Data Protection Bill 2023 (DPDPB 2023) — which has garnered its own share of attention and anticipation.
The DPDPB 2023 recently marked a pivotal moment in its legislative journey by securing passage in the Lok Sabha through a voice vote. This iteration of India’s data protection legislation retains key elements from its original version proposed in November, even amidst concerns raised by privacy experts. Notably, provisions allowing exemptions for government entities and granting virtual censorship powers to the Center have been maintained. This marks India’s second attempt to craft a comprehensive data protection law, following multiple previous iterations that were deliberated upon and set aside by the government.
The Bill’s passage in the Lok Sabha sets the stage for the upcoming Rajya Sabha debate and vote, which will determine its ultimate fate. However, certain aspects of the Bill have sparked concerns and discussions among experts and stakeholders.
One of the most debated elements pertains to the exemptions granted to the central government, enabling it to bypass certain consequences by invoking national security, foreign relations, and public order considerations. While proponents argue that such exemptions are essential for swift decision-making during emergencies, critics highlight the potential misuse of these powers and its implications for individual rights and privacy.
IT Minister Ashwini Vaishnaw defended the exemptions by drawing parallels with real-world scenarios, asking whether seeking consent during urgent situations like natural disasters or criminal investigations is practical. In comparison to the European Union’s General Data Protection Regulation (GDPR), which features 16 exemptions, the DPDPB 2023 includes just four, according to Vaishnaw.
Another contentious addition to the Bill involves the central government’s authority to block platforms within the country following multiple penalties against an entity. This measure has raised concerns about potential censorship, particularly considering India’s existing online censorship regime under Section 69(A) of the Information Technology Act, 2000. The maximum penalty for insufficient data breach safeguards has been capped at Rs 250 crore, underscoring the government’s commitment to data protection and accountability.
However, the Bill’s potential impact on the Right to Information (RTI) Act, 2005 has also been a topic of discussion. As personal data of government officials could be protected under the DPDPB 2023, sharing such information with RTI applicants might become more challenging.
Responding to these concerns, Vaishnaw highlighted the harmonization efforts between RTI and personal data within the Bill, pointing to the principles established in the 2017 right to privacy judgement by the Supreme Court.
The Bill outlines the formation of a Data Protection Board responsible for addressing privacy-related disputes and grievances. The central government retains control over the appointment of board members, and the Chief Executive’s appointment will also fall under its purview.
Notably, the Bill strives to strike a balance between privacy and innovation by allowing certain “legitimate uses” of personal data by both the government and private entities. For instance, the Centre can process citizens’ data without explicit consent for national security reasons and to provide essential services such as subsidies and certificates. Private companies are similarly empowered to handle employment-related matters, albeit with certain limitations.
The DPDPB 2023 also addresses industry demands by easing consent norms for children’s data and streamlining cross-border data flows. The Bill permits the Centre to set a lower age of consent than 18 years for accessing online services if platforms can ensure secure data processing. Additionally, cross-border data flows are facilitated by default, unless expressly prohibited by the government, fostering business continuity and international cooperation.
Moreover, the Bill introduces the concept of “significant data fiduciaries,” encompassing entities based on factors like data volume, impact on electoral democracy, and national security concerns. Social media giants like Facebook, YouTube, and WhatsApp are likely to fall under this category, necessitating the appointment of data protection officers and periodic assessments.
In conclusion, Chandrayaan 3’s remarkable journey towards the Moon and the progression of India’s Digital Personal Data Protection Bill 2023 both signify significant strides in their respective domains. While Chandrayaan 3 seeks to unlock lunar mysteries, the DPDPB 2023 aims to usher in a new era of digital data protection. As the Bill navigates through legislative debates and potential revisions, the spotlight remains on how India will safeguard personal data and privacy while fostering technological innovation and progress.