The Lok Sabha on Monday passed the Digital Personal Data Protection (DPDP) Bill in just 53 minutes without any substantive debate. While the government again stressed that the Bill provides enough safeguards for protection of personal data, concerns flagged about duties and penalties imposed on the data principle, the implications for Right to Information, and exemptions given to the government were not debated at any length.
The one issue that received attention in the House was about independence of the regulator envisaged in the Bill, the Data Protection Board. Bhartruhari Mahtab of BJD (Cuttack, Odisha) asked, “The regulator that you have is not independent. How are you going to build an independent regulator? There is clarity and checks needed on cross-border data transfer restrictions...neither the Bill is very clear about it”.
Rule making power
“Section 28 of the Bill clearly defines that the Board will be an independent body..Rule making power is not an absolute power. On data localisation (cross border), Section 16 clearly mentions that those sectors which requires sectoral regulations for their sectors, they can make. This Bill is a horizontal arrangement and every sector will have the right to make their sectoral regulations accordingly,” said Ashwini Vaishnaw, Minister of Communications and IT.
On question about non-judicial body above the Board, the Minister explained that there is Telecommunications Dispute Settlement and Appellate Tribunal (TDSAT) which has a judicial member and above TDSAT there is Supreme Court.
“So any citizen can take up their grievances up to the Supreme Court,” he added.
There are other issues and concerns with the Bill.
For instance, Clause 15 (d) of Chapter III states that the data principal (DP) must ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary (DF) or the Data Protection Board of India, and failure to adhere with this may enable a penalty of ₹10,000 (Chapter VIII). This is an onerous obligation which may effectively prevent a DP from raising grievances.
Concerns on exemptions
There is a lot of concern also about exemptions given to the government and its authorities. This is especially in the light of the CoWIN portal breach that happened in June 2023.
There are concerns, as in Clause 44 (3) which seeks to amend the entire Section 8 (i) (j) of the Right to Information (RTI) Act, 2005 and replace it with “information which relates to personal information” which has received heavy criticism from stakeholders.