Six years after the Supreme Court upheld privacy as a fundamental right, the final version of the Personal Data Protection Bill has been approved by the Cabinet. We are living in a highly digitised world where individuals, machines, enterprises, and government agencies are connected on a single network that has proven to be extremely vulnerable to data breaches and cyber fraud.
However, the Bill has not addressed concerns about the data privacy rights of citizens vis-a-vis the state. It gives unrestricted powers to the Centre to exempt any agency of the state as well as ‘data fiduciaries’ from its purview. The Bill also protects all government officials from any legal action for implementing the provisions of the Act. Given that the government is now a large repository of citizen data collected as a part of Aadhaar, CoWIN and other Digital India initiatives, this could expose citizens to the risks of surveillance, data leaks and fraud. While the government has the legitimate right to access citizen data to deliver public goods and services and for national security purposes, use of this data must be subject to judicial or legislative oversight. Given that a lot of state-driven data collection is mandatory, with citizens having little choice but to share personal information, it is imperative to strike a balance between national security interests and protecting individual privacy rights.
Some provisions of the Bill have been left ambiguous too. Key operational aspects of the proposed Data Protection Board, including the appointment of the chairperson, will be determined by the Centre. The controversial data transfer rules have been relaxed. This would enthuse industry, but the government has retained a veto on the countries with which data can be shared. The rationale for capping the maximum penalty for violations at ₹250 crore is unclear. As India’s large population presents a data gold-mine to technology firms that earn billions of dollars by mining user information, the penalties could have been pegged to the quantum of unlawful gains. Meta recently was fined a record €1.2 billion by Ireland’s Data Protection Commission for a breach of Europe’s General Data Protection Regulation.
But drawbacks notwithstanding, the Bill does empower users to give, review and withdraw their consent for using personal data. Data fiduciaries will be accountable to the regulator for end-use and breaches. They will be barred from tracking, or behaviourally monitoring, children or targeting them with advertising. Overall, the Bill serves as a crucial first step in protecting personal data and right to privacy for Indians. But addressing concerns related to the government’s use of citizen data and creating checks and balances against the use of its sweeping powers to exempt entities, must be the next steps. Hopefully, the lawmakers in Parliament will focus on these gaps to ensure that citizens get a strong data protection law at the earliest.