The Union Cabinet on Wednesday approved the Digital Personal Data Protection (DPDP) Bill, 2023, to be tabled in Parliament in the upcoming Monsoon session, starting July 20.
Sources in the government said the Ministry of Electronics and Information Technology (MeitY) received and considered 21,666 suggestions to the draft Bill that had been circulated for comments in November 2022.
“After the draft was published, the consultations were extremely extensive… It is probably the most extensive consultative process any Bill would have gone through. Many stakeholders in the consultations were happy with the outcome — there were 48 stakeholders outside the government and within the government, there were 38,” a top official at MeitY said.
According to the official, the Bill proposes to levy penalty of up to ₹250 crore on entities for every instance of violation of norms, which is half of the amount mentioned in the draft earlier. The draft Bill had said it aims “to provide consent-based data collection technique”, while stipulating penalties of up to ₹500 crore (which may go up manifold in future) for data breaches and violations.
While this may please the industry, the fundamental issues raised by experts and activists — such as the Centre’s overriding authority over the Data Protection Board and exemptions to the government — have reportedly not been addressed.
Justice BN Srikrishna, who had proposed the 2018 draft of the Personal Data Protection Bill (PDPB), had said the regulatory board is a “captive of the government” and the qualifications, tenure and procedure of appointment of the presiding officers have all been relegated to delegated legislation. Moreover, he characterised the blanket exemptions granted to the government under Section 18 of the draft Bill as a “dangerous situation” and a “clear invitation to the executive to act arbitrarily”.
There are other provisions flagged by internet societies and experts tracking the draft Bill as problematic. “The present Bill, when compared with its predecessor, is significantly less explicit in the harms which are recognised under it. For example, the Bill does not mention unreasonable surveillance as a harm, a definition which was available in the previous Bill,” said Mishi Choudhary, technology lawyer.
“This law would address issues of surveillance but Section 18 of the Bill has widened the scope of government exemptions even further. The requirement of proportionality, reasonableness and fairness have been removed for the Central government to exempt any department or instrumentality from the ambit of the Bill,” she added.