The much-awaited Digital Personal Data Protection Bill (DPDP) was tabled in the Lok Sabha on Thursday prescribing how personal data can be collected, processed, safeguarded and prescribing penalties up to ₹250 crore in case of breaches. The bill contains wide-ranging exemptions to the government and has provisions for setting up of a regulator — the Data Protection Board — which will be appointed by the government.
The government clarified that the bill was not being presented as a “money bill”.
What the bill offers
Digital platforms will need to take unconditional, free, specific and informed consent from users for processing their data. The “data principal” shall have the right to access information about personal data for which consent has been previously given. At any point, the data principal shall have the right to correction, completion, updating and finally, erasure of her personal data for the processing of which she has previously given consent.” This means that users have the right to withdraw consent at any point after which the platforms must stop processing their data and erase it.
For erasure of data, “the data principal shall make a request in such manner as may be prescribed to the data fiduciary for erasure of her personal data and upon receipt of such a request the data fiduciary shall erase her personal data unless retention of the same is necessary for the specific purpose or for compliance with any law…”.
In a relief to the industry, the Bill has allowed cross-border data transfers, voluntary undertaking of data breaches and removed criminal penalties prescribed in the earlier draft. Personal data can be transferred to any country except certain geographies that the government may include in a blacklist.
The clause regarding processing of personal data outside India says that the Central Government may, by notification, restrict the transfer of personal data by a data fiduciary for processing to such country or territory outside India as may be notified.
Regulatory body
Chapter V of the Bill envisages setting up of the Data Protection Board of India. “The Board shall consist of a chairperson and such number of other members as the Central Government may notify. The chairperson and other members shall be appointed by the Central Government such manner as may be prescribed,” said the Bill.
According to the proposed Bill, the Centre may have the right to collect any information from the Data Protection Board of India (to be set up) and any Data Fiduciary or intermediary.
“No suit, prosecution or other legal proceedings shall lie against the Central government, the Board, its Chairperson and any Member, officer or employee thereof for anything which is done or intended to be done in good faith under the provisions of this Act or the rules made thereunder. The Central government may, for the purposes of this Act, require the Board and any Data Fiduciary or intermediary to furnish such information as it may call for,” the Bill said.
According to experts, this provision is an attempt to weaken the authority of the Data Protection Board, and thus, curtailing citizens’ control over their personal data, and also making it prone to misuse to target individuals, groups, and communities.
They further observed that the provision may be used to clip the wings of the Right To Information (RTI) Act, thereby weakening it.
Advisory powers
Another point that has evoked concerns is that it advises blocking access, by the public, to any information generated, transmitted, received, stored or hosted, in any computer resource that enables such Data Fiduciary to carry on any activity relating to offering of goods or services to Data Principals within the territory of India.
“Section 37 provides the Data Protection Board certain advisory powers through which the Board may recommend blocking public access to a computer resource or a platform,” raising concerns that such a provision may be utilised for blocking content by the Board,” Prashant Phillips, Executive Partner at Lakshmikumaran and Sridharan Attorneys, said.