Topic: GS2 – Indian polity.
Context:
- The Digital Data Protection Bill, 2023, was passed in the Lok Sabha and awaits Rajya Sabha approval.
- The revised version incorporates suggestions from the 2022 version, but consultation details were undisclosed.
- The Bill highlights processing personal data after consent, except for legitimate uses like government services.
Issues raised about The Data Protection Bill of 2022:
- Amendment to the RTI act: The Bill includes a provision to amend the Right to Information (RTI) Act, which has been empowering Indian citizens since its enactment in 2005.
- The enactment of a data protection law does not require any amendment to the existing RTI law, as noted by the Justice A.P. Shah Report on Privacy.
- The DPDP Bill 2022 proposes amendments to Section 8(1)(j) to exempt all personal information from disclosure, raising concerns about transparency and accountability.
- The government’s Power: The DPDP Bill 2022 empowers the executive to draft rules and notifications on a wide range of issues, potentially allowing arbitrary exemptions for certain entities and violating citizens’ privacy.
- Possibility of unfair treatment: The government could potentially exempt its cronies and government bodies like UIDAI, while others would have to comply with stringent data fiduciary obligations.
Issues over the Data Protection Board:
- The oversight body proposed under the DPDP Bill must be adequately independent to act on violations of the law by government entities.
- Issues overhead enemy of data protection board: The draft Bill lacks provisions to ensure the autonomy of the Data Protection Board responsible for enforcing the law.
- The central government is empowered to determine the strength, composition, and appointment process of the board, including the chairperson and other members.
- Autonomy of the Data protection board: The chief executive responsible for managing the board will be appointed by the government, giving it direct control over the institution.
- Potential for misuse of provisions:The creation of a government-controlled Data Protection Board, with the power to impose fines up to ₹500 crore, raises concerns of misuse to target political opposition and critics of government policies.
- Undermines the Right to Information Act 2005: by replacing the high benchmark for exemption with a broad definition of “information related to personal information.
- Lack of legal recourse: Unlike Europe’s General Data Protection Regulation (GDPR), the DPDP Bill 2023 does not address the issue of data collection, and citizens’ ability to seek legal recourse for privacy violations.
Way forward:
- Ensure transparency and public consultation: during the drafting of the DPDP Bill to address concerns and build public trust.
- Establish an independent and autonomous Data Protection Board: to enforce the provisions of the law and protect personal data effectively.
- Clearly define the provisions: regarding the composition, appointment process, and removal mechanisms of the Data Protection Board to prevent undue government influence.
- Strengthen provisions to protect citizens’ right to information: and ensure that the DPDP Bill does not compromise transparency and accountability.
- Conduct a comprehensive debate and discussion in Parliament: to address the shortcomings and implications of the Bill before its enactment.
Model question: Examine the key provisions and objectives of the Digital Personal Data Protection (DPDP) Bill in India. Discuss its potential implications for citizens’ right to privacy, data protection, and transparency. What measures can be adopted to ensure an effective balance between data protection and government’s access to data for legitimate purposes? (20 Marks)