Parliament passes Digital Personal Data Protection Bill 2023 amid opposition walkout
New Delhi: The Rajya Sabha on Wednesday passed the Digital Personal Data Protection Bill 2023 with a voice vote following a walkout by opposition members over the Manipur issue. The Lok Sabha passed the Bill on Monday.
The Bill, which comes after six years of the Supreme Court declaring ‘Right to Privacy’ as a fundamental right, has provisions to curb the misuse of individuals’ data by online platforms.
Union minister Ashwini Vaishnaw said the Bill gives new rights to people who use digital services and lays down a lot of obligations on private and government entities around collection and processing of citizens’ data.
The Bill also seeks to protect the privacy of Indian citizens while proposing a penalty of up to Rs 250 crore on entities for misusing or failing to protect the digital data of individuals.
Moving the Bill for consideration and passage in the Upper House of Parliament, Vaishnaw said, “It would have been good had the opposition discussed the Bill today (in the House). But no opposition leader or member is concerned over the rights of the citizens.” He said the Bill has been brought after extensive public consultation.
Underscoring its salient features, the Information and Technology minister said data collected by any entity will have to be used as per “Principle of Legality”, “Principle of Purpose Limitation”, “Principle of Data Minimisation”, “Principle of Data Accuracy”, “Principle of storage limitation”, “Principle of Reasonable Safeguards, and “Principle of Accountability”.
Elaborating on the principles, he said the data collected by the citizens should be used as per law, only for the purpose for which it has been collected, and the quantum of data should be limited to the requirement.
Vaishnaw said citizens will have the right to correct their data and it should be stored with entities till the time it is required and protected by putting in place reasonable safeguards. Referring to certain principles on which the Bill is based, he said according to the principle of legality, data of a person has to be taken based on prevailing laws and cannot be used for purposes beyond which it has been collected.
He said citizens have been given four rights under the Act comprising right to access information, right to correction of personal data and eraser, right to grievances redressal, and right to nominate.
The minister said an independent Data Protection Board (DPB) will be created which is “digital by design” and will provide similar access to justice to people across the country in the same way as privileged people in cities like Delhi and Mumbai.
“The board will comprise experts who understand the field of data and the board is independent by law. Above this board, appeal can be made before telecom tribunal TDSAT and further before the Supreme Court,” Vaishnaw said. Addressing concerns around changes in the Right to Information Act, he said the Puttaswamy judgement has made Right to Privacy a fundamental right, therefore any personal data can be published only through a legally approved process and in no other form, personal information can be shared in any public forum.
“The contradiction in the Right to Information Act has been done away through this Bill,” the Union minister said. He said Europe’s data protection bill has provided for 16 exemptions, while the Digital Personal Data Protection (DPDP) Bill 2023 has provided only four exemptions.
Motion to send the Bill to the select committee of Parliament by Rajya Sabha member John Brittas and V Sivadasan was not moved due to their absence in the House when the bill was put for vote.
During the discussion, YSR Congress Party member V Vijayasai Reddy raised the issue of telephone tapping through softwares.
“Telephone tapping can be done either by taking control of the speaker that we have in the telephone or even the camera on the reverse side of the telephone. In fact, I have physically seen the demonstration that has been given by a foreign company that any app — whether it is WhatsApp, Facetime, Telegram or Signal, anything can be tapped,” Reddy said.
Without naming the firm, he claimed foreign companies selling such solutions sell these to only government institutions.
“The government departments are using the software for their own personal purposes with ulterior motives. Almost 15-20 softwares are there and each costs in the range of Rs 50 to Rs 100 crore. Those who could afford to spend Rs 50 to Rs 100 crore and an annual maintenance contract of say 20 per cent, can tap anybody’s telephone,” Reddy said.
He requested the government to come with a solution to protect personal data from private entities buying such a software.
BJD member Amar Patnaik said the Bill is the most landmark legislation of the country after independence and this is the law of the largest democracy of the world. He, however, said he could not find the word “privacy” in the Bill which was there in the Supreme Court judgement.
He said the words “compensation” and “harm” are also missing.
Patnaik said the norms under the Bill interpret data breach in financial terms.
“What happens if there is reputational damage because of a data breach? What happens if there is a bodily injury? You may say that you can use criminal procedure and IPC to try that person, but it has to be read with this particular Act to make the provisions more stringent,” he said.
He also pleaded that state-level Data Protection Board should be set under the redressal mechanism. YSRCP’s S Niranjan Reddy raised concerns on sweeping power given to the Centre as well as exemption given to start-ups.
Vaishnaw said the exemption to start-ups will be given only after their solution pass the test in regulatory sandbox environment.
TDP member Kanakamedala Ravindra Kumar, TMC(M) member G K Vasan, and AIADMK’s M Thambidurai also participated in the discussion.