On Wednesday, the Rajya Sabha passed the Digital Personal Data Protection Bill, 2023 — a heavily debated bill that is meant to be a part of a “comprehensive data privacy law” to govern the processing of digital personal data. The bill aims “to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes…” With the Lok Sabha having passed the bill on August 7, it now only requires the President’s assent before becoming law. While incumbent ministers have hailed the new bill as a move to protect the rights of all citizens, the bill has also amassed substantial criticism from the opposition and experts alike, especially for granting several exemptions to the government that may increase the threat of surveillance.

Experts have long been advocating for a data protection law, especially amid growing concerns around data privacy and the manner in which companies and third parties collect and use people’s data. The current data protection bill has been in the making for a long time, and has undergone several iterations. In 2021, a version of the bill – Data Protection Bill, 2021 – was released, which was later withdrawn by the Minister for Communications and Information Technology Ashwini Vaishnaw. Then came a new bill which was released for public consultation in November 2022. However, despite a Right to Information application being submitted, these submissions were not made public, reported The Hindu. The latest version of the bill was recently tabled in the Parliament on August 3.

The bill outlines both the rights of citizens and the manner in which personal data – that is collected online as well as data collected offline and then digitized – may be processed. According to reports, it excludes non-personal data and any data that may be available in a non-digital format. PRS Legislative Research adds that the bill will also allow for processing personal data outside India if it relates to providing any goods or services to Data Principals (or the people whose personal data is being processed) in India.

The bill also states that this personal data can only be processed for lawful purposes and with the consent of the individual. However, consent may not be required for specific uses, such as when data is being processed by the State for permits, benefits, and licenses, stated PRS Legislative Research. According to the Internet Freedom Foundation’s (IFF) first read of the 2023 bill, this specific “legitimate uses” clause in the new bill seems to be a replacement of the “deemed consent” clause of the 2022 bill, where data fiduciaries (that is, any person or persons who determine the purpose and means of processing personal data) could assume people’s consent in cases where it was deemed necessary, such as in the wake of breakdown of public order, for employment purposes, or in public interest. This particular clause in the previous iteration of the bill had raised several concerns around non-consensual processing of data. However, IFF noted that the latest bill, while retaining this clause under new terminology, does away with the “public interest” aspect, which was vague and could easily be misused.

Users can request the correction, completion, updation, or erasure of their data, as per the latest bill. They may also seek grievance redressal and have the right to nominate another to exercise their rights in case of death or incapacitation, reported The Hindu. However, the new bill also imposes penalties, of upto Rs. 10,000, on Data Principals if they violate their duties of not registering a false or frivolous grievance. However, The Hindu notes that this may effectively prevent people from registering grievances in the first place.

The bill’s provisions that have been criticized the most have to do with the exemptions it outlines for the government, wherein the government is given the power to exempt state agencies from provisions of the soon-to-be law on grounds including security of state, public order, and prevention of offences, noted PRS. The Union government also retains the power to exempt certain private players and Data Fiduciaries – for instance, startups – from specific provisions. In addition to widening exemptions granted to the government, the bill also “fails to put into place any meaningful safeguards against overbroad surveillance which weakens the right to privacy of Indian citizens,” noted IFF.

A report in The Hindu further notes that Data Fiduciaries are required to inform Data Principals in case of any data breach. However, they are not required to disclose how one’s data is being shared with any third parties, the duration for which that data is stored, and if the data is transferred to other countries for processing.

While the Bill provides for the creation of the Data Protection Board (DPB) that will oversee non-compliance of the law, IFF notes that these appointments are to be made by the Union Government, weakening the role of the DPB and placing its independence in question.

Another provision of major concern are the amendments that experts claim will dilute the Right to Information Act, 2005, as these remove the “public interest consideration to the disclosure of personal information,” according to IFF. The RTI, in its current form, allows citizens to request information including data such as government officials’ salaries. However, the proposed amendments may weaken officials’ accountability to the people and imperil democratic functioning.

In light of the several concerns the latest bill raises, experts and rights groups have termed it “disappointing” and highlighted how it may allow the government to access data to a great extent without the individual’s consent, reported Al Jazeera. Rights group Access Now released a statement, saying the bill “jeopardizes privacy, grants excessive exemptions to the government, and fails to establish an independent regulator.” Meanwhile, IFF’s statement, released on the day this bill was tabled in the Parliament, had noted that since the bill does not adequately safeguard citizens’ right to privacy, it should not be passed in its current form. Drawing comparisons with the 2022 bill, IFF added, “When the DPDPB, 2022 was released for public consultation, we had stated that this version of the bill should be withdrawn due to its failure to satisfactorily protect the privacy of Indian citizens. The DPDPB, 2023 reiterates the shortcomings of the DPDPB, 2022 and fails to inculcate several of the meaningful recommendations that had been made during the consultation process, which were subsequently made public by the relevant stakeholders.”