The Indian government recently introduced the Digital Personal Data Protection Bill, 2023 (DPDPB 2023), a year after withdrawing the Data Protection Bill, 2021 (DPB 2021). The new bill aims to be passed during the ongoing Monsoon session of Parliament, with some potential amendments during discussions. However, there are concerns about the bill’s core elements and its impact on individual rights.
The process leading up to the introduction of DPDPB 2023 has been problematic, lacking transparency in public consultations. While the government cited the need for a comprehensive legal framework when withdrawing DPB 2021, it didn’t clarify the changes made from the draft version proposed by the Joint Committee of Parliament.
The bill’s contents reveal some flaws and controversial elements. One significant issue is the exemptions granted to state authorities/instrumentalities, allowing for vague and potentially misused purposes like maintaining public order and security of the state. This raises concerns about increased surveillance without adequate safeguards and oversight.
The bill also retains the concept of “deemed consent” under a new name, which can still undermine the notion of informed consent. Furthermore, the government can assume consent for various purposes, affecting a large segment of the population with low digital literacy.
Regarding data breaches, the bill mandates notifying affected individuals, which is a positive step. However, it leaves data made publicly available (e.g., social media posts) vulnerable to surveillance and unauthorized scraping.
The DPDPB 2023 imposes duties and penalties on individuals, discouraging them from exercising their rights and potentially imposing fines for false complaints. It also weakens the Right to Information (RTI) Act by precluding the disclosure of personal information in the public interest.
One critical concern is the delegation of legislative powers to the Union Executive, granting significant discretion and control. This regulatory trend raises apprehensions about executive overreach, as observed in the IT Rules, 2021, and subsequent amendments.
In summary, the DPDPB 2023, like its predecessor, suffers from flaws that need to be addressed to protect individual rights and ensure greater transparency. The bill’s lack of clarity and the potential for executive overreach raise serious questions about its effectiveness in safeguarding citizens’ data privacy and security. Efforts should be made to address these issues and draft a more comprehensive and balanced data protection law.