After five years of debate and many drafts, the government has introduced a landmark data protection bill, which is very likely to pass despite objections from the opposition parties. Does it really protect your personal data? And from whom?
First, a timeline
Here’s how we got here:
- In 2017, the Supreme Court recognised the right to privacy as a fundamental constitutional right—and directed the government to create a framework to protect citizens’ data.
- In 2019, the government introduced the Personal Data Protection Bill that set the basic ground rules for how personal data should be collected and stored.
- It also proposed the creation of a new regulatory agency, the Data Protection Authority (DPA), which would monitor the implementation of the law.
- A Joint Parliamentary Committee was set up to study the provisions of the bill and give its recommendations. It submitted its report in November 2021.
- In December 2021, the government tabled a draft version of the bill.
- But in August 2022, it abruptly withdrew the bill from Parliament, stating that a more “comprehensive legal framework” would be presented soon.
- In November 2022, a new draft was released for public comment.
- In July 2023, the cabinet approved that draft, mostly unchanged, and it was introduced in Parliament yesterday.
First: Data protection from companies
The basic rules for any company that collects your data are as follows:
- Personal data should be used in a way that is “lawful, fair… and transparent to individuals.”
- It should only be collected with the clear and unambiguous consent of the person: “Every individual should know what items of personal data [an organisation] wants to collect and the purpose of such collection.”
- The data collected should be minimised—and must be accurate.
- The information cannot be stored “for perpetuity.” There must be a fixed time limit—and a person can ask their data to be erased at any time.
- There must be reasonable safeguards to ensure there is no misuse or unauthorised collection of data.
- The government can fine a company up to Rs 2.5 billion (250 crore) for failing to implement reasonable security safeguards to protect user data. The fine for failing to report a data breach is up to Rs 2 billion (200 crore).
Key point to note: The original version of the bill applied stricter rules to “sensitive” data (health, financial, biometric and similar categories). That distinction was dropped in the 2022 draft, so all personal data now sits in the same basket.
The new exception: The latest draft permits companies to retain personal data for a ‘business purpose’, even after the purpose for which it was collected no longer applies.
It also allows platforms to process personal data without explicit consent when it is voluntarily provided, such as when a person accesses a public service. Under the same provision, the government may access personal data held by platforms in order to provide subsidies or to perform functions required by law.
Consent is also “deemed” if processing the data is necessary “for the purposes related to employment.” Since this vaguely worded exemption is available to every employer, experts worry it is likely to be misused.
The Data Protection Board: This body will be set up to handle all data-related grievances, whether from individuals or companies. Although it is supposed to be independent, the union government will appoint all of its members and exert total control over their tenure:
The bill states that a member of the Data Protection Board can only resign by written notice submitted to the government. The resignation takes effect three months after submission, on government approval, once a successor is appointed, or when the existing term expires.
Justice BN Srikrishna, who headed the committee that drafted the 2018 version of the bill, says the regulatory board is a “captive of the government.”
Where’s my data? The government initially wanted all Indian user data to be stored within the country. But this data localisation requirement caused great uproar among tech companies and payment networks such as Visa. So the 2022 draft created a whitelist of countries to which data could be transferred and stored offshore. The latest version instead creates a blacklist: transfers are allowed everywhere except to countries the government specifically bans.
Digital nagriks, beware! The Indian bill is also unusual in how it treats individuals, called ‘digital nagriks’. Unlike under data privacy laws elsewhere, they too can be fined. But they cannot claim compensation:
The draft does away with the clause for compensation to affected data principals (the individuals whose data is processed) and proposes a penalty of Rs 10,000 on individuals who provide unverifiable or false information while applying for any document, service, proof of identity or address, or who register a false or frivolous complaint with a data fiduciary (the entity that collects and processes the data) or with the Board.
Next: Protection from the government
To put it bluntly, there isn’t any. The government and its agencies are treated like “a separate privileged class.”
One: The bill gives the union government the power to exempt itself from any or all provisions of the law—in the name of “sovereignty and integrity of India, security of the state, friendly relations with foreign countries, maintenance of public order or preventing incitement to any cognizable offence relating to any of these.”
Two: The government can also access personal data from companies to provide welfare subsidies or benefits. In the 2022 draft, the number of situations where it could access personal data was exceptionally large:
Individuals, in the most recent public bill draft, are deemed to have given consent if the data processing “is necessary” for “the performance of any function under law,” “for compliance with any judgment or order issued under any law,” “for responding to a medical emergency involving a threat to the life or immediate threat to the health of the [individual] or any other individual,” and “for taking measures to ensure safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order,” among others. It would also exempt situations in which it is “reasonably expected” that someone would provide their personal data to an organisation voluntarily, the processing of “publicly available personal data,” and credit scoring.
And this list remains unchanged in the final version introduced in Parliament.
Three: There is no concept of “unreasonable surveillance” any more:
“For example, the Bill does not mention unreasonable surveillance as a harm, a definition which was available in the previous Bill,” said Mishi Choudhary, technology lawyer. “This law would address issues of surveillance but Section 18 of the Bill has widened the scope of government exemptions even further. The requirement of proportionality, reasonableness and fairness have been removed for the Central government to exempt any department or instrumentality from the ambit of the Bill,” she added.
Also this: The government has the power to exempt any company, or class of companies, from the provisions of the law. This clause is meant to spare startups from burdensome compliance requirements. It can also allow some companies to process children’s data if this is “done in a manner that is verifiably safe.”
The bottomline: A constitutional right to privacy is meaningless if the government has unlimited power to override it.
The reporting on the latest bill is wretchedly scant. For what’s changed in the latest version, see Hindu Business Line, Mint and Hindustan Times. But here are two good overviews from The Hindu and Indian Express of the 2022 draft—which has mostly remained unchanged. The privacy concerns around that draft still hold true—so this Hindu report is still worth your time. For a defence of the bill, see this Mint column. We did a Big Story on the first 2021 version—which underlines worries about excessive government power.