The Centre has once again fallen short in putting in place a strong Personal Data Protection Bill that ensures adequate protection to citizens against the misuse of personal data. Given the proliferation of digital platforms whereconsumers of Internet services are increasingly being subjected to surveillance by the state and data mining by private entities,a data protection law must be regarded as a critical piece of legislation of our times. When the Minister of State for Electronics and Information Technology (MeitY) withdrew the earlier version of the draft Bill in August, there were wide expectations that the policymakers will fill the gaps pointed out by various entities, including the Joint Parliamentary Committee (JPC).

One of the major criticisms of the earlier draft was around the powers given to the Centre to exempt any agency of the government from the application of the Act. But Clause 18 of the revised draft carries forward this provision by giving the Centre wide-ranging powers to exempt any entity, and granting immunity to the state machinery from the application of the law. This would expose the citizens to potential surveillance by the Centre with no recourse to misuse of data. The other major concern in the new Bill is that it has done away with the setting up of a Data Protection Authority and has proposed to create a Data Protection Board instead. This perhaps implies that the tenure of its members and appointment of the Chairperson will be determined by the Centre, rather than through a process laid down by the law. If the Board is to be independent, the Centre should appoint a committee comprising government officials, judicial members, and industry experts to make appointments.Various other provisions of the Bill have been left ambiguous, giving the Centre discretionary powers. For example, the proposed law rightly prohibits processing children’s data but gives the Centre the power to make exceptions. The controversial data localisation rules have also been relaxed which would enthuse the industry, but here also the Centre will determine the countries with which data can be shared.

To be fair, there are some improvements over the earlier version. For instance, the draft Bill makes it mandatory for data fiduciaries to inform users in the event of a data breach. The earlier version of the Bill did not have this provision. Clearly, the draft Bill will have to go through a number of iterations before it can be made into law. The first version went through multiple rounds of consultations and scrutiny by different bodies over four years before it was withdrawn. While regulators in the US, China and the EU have put in place laws to address concerns around privacy and data protection, India has so far adopted a piecemeal approach.

The Centre should fix the gaps in the new draft quickly and ensure that citizens get a strong data protection law at the earliest. It is also critical to bring a balance between the individual, the companies which hold and process our data, and the State.