
Designed to enable a surveillance state

There are major areas where the data protection bill has taken retrogressive steps on privacy and personal data
Last Updated 24 November 2022, 23:29 IST

The revised data protection bill, which is open for public consultation till December 17, has fewer clauses than the version that was withdrawn three months ago following objections from various quarters to several of its provisions. The new Digital Personal Data Protection Bill, 2022, has addressed some issues raised about the earlier version but has not addressed other important concerns. The new bill does not have some provisions about cross-border data flows which were opposed by Big Tech and the start-up community. In the earlier version, companies had to store “sensitive” personal data within India, and taking “critical” personal data out of the country was barred. The new draft does not insist on storage of data exclusively in India and allows transfer to select countries that would be listed by the government. It does not say how these countries will be chosen.

But there are major areas where the bill has taken retrogressive steps on privacy and personal data. Its scope is limited to the processing of digital personal data and excludes offline data from its purview. This goes against the recommendation of the joint parliamentary committee which had examined the earlier version and submitted its report last year. The report had suggested that the legislation should cover both personal and non-personal data because it is often not possible to differentiate between the two. The new bill has also diluted the role of the regulator. The earlier bill had provided for a data protection authority with clearly defined powers. The new bill provides for a Data Protection Board with diminished powers and independence. The board’s chairman and members will be appointed by the government and their tenure will be decided by it. It cannot be considered an independent body.

Another matter of concern is the exception the draft bill gives to the government and its agencies. It empowers the government to exempt its agencies from the bill’s provisions through a simple notification on grounds of national security. This clearly goes against the recommendations of the parliamentary committee. The committee had suggested that the exemptions should be provided in accordance with a “just, fair, reasonable and proportionate procedure”. The broad-brush exemption for government agencies is certain to be misused for violation of privacy and would enable the growth of a surveillance state. Some provisions are also ambiguous and give discretionary powers to the government. The bill prohibits processing children’s data but gives the Centre the power to make exceptions. The bill seems designed not to protect citizens’ personal data and privacy against all potential invasions but to give the government powers and legitimacy to have unhindered visibility into citizens’ data, activities and lives. It may be best to discard this draft, too.

(Published 24 November 2022, 17:31 IST)
