Ashwini Vaishnaw, Minister of Communications, Electronics and Information Technology, and Railways, said in an interview with businessline that the Digital Personal Data Protection Bill 2023 “lays down a foundation, where grievance redressal, access to justice, and protection of personal data, will become highly democratised with equal access available to those in far-flung areas and citizens in big cities”. Edited excerpts:
The Digital Data Protection Bill is already in place. What has been the response so far from the industry and regulators?
We have had very extensive consultation with every section of the society and stakeholders. We met with about 48 organisations, 39 government departments/ State governments/ Ministries/ PSUs/ regulators. We received about 23,666 suggestions. Then we had the entire background on Joint Parliamentary Committee, examining each and every aspect of the subject. So, we had the benefit of such extensive consultation, that’s why the law is very much in line with the expectations of the industry, common citizens, and regulators.
What will be the composition of the Data Protection Board (DPB)?
The DPB will comprise those understand the nuances of digital economy. It’s a world which is very difficult from the physical economy/ the analog economy, so our focus will be on getting the right people onboard, and we are working extensively on this. Getting the rules in place will be very simple, and the rules will be within the framework of the law. The way it works in our system is Constitution — within the Constitution we make laws and within the laws, we make the rules. Rules cannot be beyond the law, just like laws cannot be beyond the Constitution. So, within that framework, we will be working and making the rules. The digital platform and the Data Protection Board should be implemented within next few months.
What is the rationale behind imposing duties and penalties on Data Principal? Clause 15(d) of Chapter III states that DP must ensure not to register false/ frivolous grievance with Data Fiduciary or the DPB, and failure to adhere may lead to a penalty of ₹10,000.
Our Prime Minister has repeatedly put emphasis, saying that if every citizen follows his/ her own duties, then the rights of other citizens are automatically implemented. That’s philosophy under which the ‘Kartavya Path’ and many other things are getting implemented today, where the focus is also on the duties of the citizens. So, we have kept this provision because we believe that every citizen has the duty to follow the law. Duty makes sure that correct information is given, duty not to impersonate and duty to avoid frivolous litigation.
In June, 2023 a major privacy breach with respect to CoWin portal led to personal details of vaccinated users getting leaked on Telegram. Again, in July, 12,000 confidential records of SBI were made public on Telegram. In this context, isn’t it a cause of great concern that wide exemptions have been given to the government and its authorities under Clause 17(2)(a)?
The Health Ministry had given a clear answer to this…there were no breach on CoWin platform. It is absolutely safe…The data protection provisions and the penalties will apply to all. Reasonable safeguards for preventing breaches, safeguards for protecting privacy, all those will have to be implemented by everybody. The fact that we have the law in place now will significantly improve the privacy of citizens’ data.
Another clause is children’s data…there are so many third-party apps today where children’s data are stored. Would that be a concern?
Every person who is collecting data of any citizen will have to have certain safeguards to be put in place. In case of children, extra safeguard will have to be put in place because social media can have harmful impact on children. We need to protect our children from the harmful impact, but also ensure that they can use technology. For example, in the case of education and healthcare…the use of technology has to be encouraged, while in case of games, which have violence in them, we need to protect our children from that.
On data transfer, it was mandatory earlier to store data within India, but it is not so now and, therefore, several stakeholders have raised concerns on how the law will be applied.
Under this law, whether the data is stored in India or outside, everybody has to follow the same regulations — the same principles and obligations. The rights of citizens will not be compromised whether the data is stored in India or stored outside India. Every sector will have very specific requirements. Let’s say financial services will have their own requirements and health sector will have its own requirements.
This law is a horizontal law, which applies to all sectors, and over and above this horizontal law, if any particular sector/ vertical, has specific needs, we can provide for those regulations. That’s the way it is structured. The law of India shall apply to data, which is stored anywhere in the world. Let’s say one e-commerce entity providing services to citizens here, but that data is kept in another country, even then the law will be applicable to that particular e-commerce entity.
But there are intermediary companies who don’t abide by the laws, and we have seen in the past also when a lot of them flouted the Indian laws.
Everyone will have to follow the same principles and those obligations will apply to intermediaries also. They will also have to take all the steps to protect our citizens’ personal data.
How would you react to criticism about Clause 44(3), which seeks to amend the entire Section 8(1)(j) of the Right to Information?
It is very clear and I have said that in Parliament, too. The day Puttaswamy judgment was pronounced by the Supreme Court, that day itself the provision of Section 8 (j) in the RTI had already become infructuous. What is Section 8 (j) of RTI…basically that is the exemptions from RTI. So, personal data was already exempted from the RTI, there was a carve out given on that which still exists. If there is any legal requirement of publishing personal data of a public servant, that will still hold.
For example, all officers are obligated to publish their annual property renewal. That will still be there…all the officers are obligated to give their correct date of birth, give the educational qualifications…that will still be obligated. All public representatives are obligated to give an affidavit giving details of their personal life, that will still apply.
Most of the chapters have a mention of the Board, giving them the ultimate power on decisions. Wouldn’t it mean the Board is the sacrosanct of any decision?
This is a very standard construct and that is how it should be. The Data Protection Board or any other law if you see, whenever a regulator/ an independent body, is created then this construct is applicable everywhere. There are four layers — grievance redressal mechanism within the company itself, Data Protection Board, TDSAT, and Supreme Court. They will provide a very quick redressal mechanism.
There is question mark on the DPB’s independence as all members of the regulator are to be appointed by Central government.
I will give you an example. TRAI is called the golden regulator or the best regulator. SEBI is also very independent. Who appoints SEBI Chairperson? It is the government. Who gives the salary or compensation to SEBI members? It is the government. Who decides the terms and conditions of employment? It is the government. Does it make them any less independent? Independence comes from the structure of the regulator. Here, the law itself provides that the Data Protection Board will be an independent body.
The law provides that the terms and conditions of employment cannot be changed by the government. The law provides that the regulator or any member, if they have dealt with any particular subject, they have to disclose. That’s where independence comes from. The people who understand law are saying this is the best possible construct. It will be a body of experts who understand digital economy.
Published on August 13, 2023
