Mains Marathon

• In introduction mention about the data protection bill and its objective and aim.
• Discuss the issues with the data protection bill and then give a way forward.
• Conclude suitably.

Answer:

The data protection bill in India aims to establish comprehensive regulations and guidelines for the protection of personal data. Its objective is to safeguard the privacy and rights of individuals, promote responsible data practices, and foster trust in the digital ecosystem.

The bill has been introduced in parliament two times so far but has not been passed yet.

• The first time was in December 2019, when the Personal Data Protection Bill, 2019 (PDP Bill) was tabled by the Ministry of Electronics and Information Technology.
• The second time was in November 2022, when the Digital Personal Data Protection Bill, 2022 (DP Bill) was released by the same ministry.
• The DP Bill is based on the PDP Bill, but with some changes and revisions after a Joint Parliamentary Committee (JPC) finalized and adopted its recommendations in November 2021.

The data protection bill has been criticized and opposed by various stakeholders, such as tech companies, privacy activists, civil society groups, and international partners. Some of the major issues and concerns raised by them are:

• The wide-ranging exemptions to the Centre and its agencies from the data protection obligations and oversight. The bill allows the Centre to exempt any agency from the application of the bill for reasons of national security, public order, sovereignty, or friendly relations with foreign states. This could undermine the privacy rights of individuals and create a surveillance state.
• The dilution of the role and independence of the Data Protection Authority of India. The bill gives the Centre significant powers to appoint, remove, and direct the members and staff of the authority. This could compromise the autonomy and accountability of the authority and create a conflict of interest.
• The introduction of deemed consent as a ground for processing personal data. The bill allows data fiduciaries to process personal data without consent for various purposes, such as public order, employment, or public interest. This could violate the principle of informed and voluntary consent and enable data misuse.
• The removal or weakening of some key provisions that were present in the previous versions of the bill. These include data localization, sensitive personal data, critical personal data, social media intermediaries, criminal penalties, etc. These changes could affect the security, sovereignty, and innovation potential of India’s data economy.

The data protection bill has been delayed and deferred due to various procedural and logistical reasons. These include:

• The lack of adequate consultation and deliberation with various stakeholders and experts on the draft bill. The JPC took almost two years to finalize its report and recommendations on the PDP Bill, during which time it met with hundreds of stakeholders but did not make its proceedings or findings public. The DP Bill was also released without any public consultation or feedback mechanism.
• The lack of clarity and consistency in the drafting and language of the bill. The bill has many vague and ambiguous terms and phrases that could lead to confusion and interpretation issues. For example, it uses terms like “public policy”, “public interest”, “deemed consent”, etc., without defining them clearly or providing any guidance or criteria for their application.
• The lack of political will and priority to pass the bill in a timely manner. The bill has been pending in parliament for almost four years now but has not been taken up for discussion or voting yet.

Some possible ways forward to overcome these hurdles and enact a robust and effective data protection law. These include:

• Ensuring a broad-based and transparent consultation process with all relevant stakeholders and experts on the draft bill. The government should invite public comments and feedback on the DP Bill before tabling it in the parliament.
• Strengthening the rights and protections of individuals over their personal data. The bill should limit the exemptions to the Centre and its agencies to only those that are necessary and proportionate to achieve a legitimate aim.
• Enhancing the role and independence of the Data Protection Authority of India. The bill should ensure that the authority is appointed through a transparent and merit-based process that involves parliamentary oversight.
• Simplifying and clarifying the drafting and language of the bill. The bill should define and explain the terms and phrases that are vague and ambiguous in the current version. It should also use consistent and coherent terminology and structure throughout the bill.
• Prioritizing and expediting the passage of the bill in the parliament. The government should take up the bill for discussion and voting in the upcoming parliamentary sessions.