Over 20k suggestions sent on data privacy law: Officials

The government has received over 20,000 submissions from the public as feedback over the proposed digital data protection law, officials aware of the matter have said, adding that the response is manifolds more than the typical suggestions for tweaks they receive,

A draft of the digital data protection bill was shared in November, 2022, and became controversial for a number of provisions that gave the government a variety of exemptions from privacy protections, and falling afoul of the 2017 Supreme Court judgement that held privacy as a fundamental right.

Usually, the government receives 1,500 to 2,000 suggestions, officials familiar with the matter said.

The Bill is set to be introduced in the monsoon session of Parliament this year.

According to one of the officials who asked not to be named, the government has taken into consideration Europe’s GDPR (General Data Protection Regulation), which is largely regarded as the standard-bearer for privacy protections, and has combined them with measures that do away with cumbersome compliances for businesses.

Also Read: The how of data protection - The importance of autonomy and consultation

“There will be checks and balances, especially to regulate sharing of personal data with a data fiduciary,” the official said. “In case personal data has to be shared by a data principal, there will be safeguards to ensure that the third party does not divulge it either,” the person added, without disclosing specifics.

The draft will need to be approved by the Cabinet, before it is tabled in Parliament.

The government, including ministers, at the time defended the draft, saying it struck the right balance of protection while being industry friendly.

One of the respondents who sent in suggestions, Supreme Court lawyer and founder of Cybersaathi, NS Nappinai, submitted that “protection of individual rights and balancing the requirements of industry against abuse by them of personal data is critical to a robust personal data protection enactment. To formulate a draft that neither protects individuals from corporate or Government excesses does not spell out a robust privacy legislation”.

Also Read: Looking at the cross-border data flow regime in the DPDP Bill 2022

“Exemptions and protection of governance requirements are essential but the same ought to be proportionate. Any such exemptions ought to be clearly laid down within the parameters of the parent Act and not be left to subordinate legislations,” her response stated.

With reference to children’s data, Nappinai said that the provision gives “unfettered powers to the executive is untenable and ought to be deleted”.

Similarly, digital rights body Internet Freedom Foundation (IFF) too flagged issues, saying the 2022 draft allowed data fiduciaries to “deem” or assume consent of the data principal if the processing is considered necessary as per certain situations which Clause 8 lays down. “Here, essentially the DPDPB, 2022 allows for non-consensual processing of personal data. It is essential that consent is the foundational framework upon which any data protection regulation in the country is built and any derogation from it needs to be tailored narrowly,” it said in its response to the ministry.