India has now been seeking to establish a single national-level personal data protection bill for about six years, dating back to the 2017 Supreme Court decision that established a fundamental right to privacy in the country. The newest development in this saga is the Digital Personal Data Protection Bill, the first attempt introduced to Parliament since the previous effort was withdrawn in 2022.
Opposition parties are already pushing back, however, demanding that the bill be sent to committee for review. Supporters initially tried to push it through just one house of Parliament by casting it as a financial bill, a classification that would have left it with far fewer hurdles to clear before approval.
2023 Personal Data Protection Bill establishes new obligations, substantial new fines
The new personal data protection bill was introduced in the Lok Sabha house of Parliament last week, with supporters attempting to avoid the contentious battles that accompanied previous efforts by casting it as a financial bill of a type that would not need to also be sent to the Rajya Sabha house for approval. This effort was shot down by Electronics and Information Technology Minister Ashwini Vaishnaw, and the bill will now have to clear both houses to be adopted.
Before that happens, various members of opposition parties have called for committee or panel review of the bill’s terms. The proposed terms of the 2023 Personal Data Protection Bill mirror the EU’s General Data Protection Regulation (GDPR) in many ways, a standard that supporters have been looking to establish for years now. The new rules would establish clear roles for companies as “data fiduciaries” with equally clear obligations to data subjects, including transparent disclosure of what data is collected and what it is used for.
Data subjects would also be granted the right to access and modify stored personal data, as well as have it removed upon request. Companies of a certain size, or that deal in a certain volume of personal data, would be put in a special category of “significant” data fiduciary subject to added requirements to be established by a new Data Protection Board of India (DPBI). This board would be appointed by the Union Government.
The bill would also mandate the appointment of Data Protection Officers, along with “consent managers” tasked with representing the interests of data subjects. Proposed fine amounts would be ₹50 crore to ₹250 crore per violation, but multiple violations could be assessed for the same incident.
Some objections hinge on concerns about government surveillance
The present form of the personal data protection bill preserves one of the key points of contention that has flared up in previous versions: broad exemptions from the law for government agencies when they are “fulfilling legal obligations” or are acting in the interest of “the security of the State.”
Hyderabad MP Asaduddin Owaisi said that the personal data protection bill, as presently constituted, would likely lead to a “surveillance state,” a concern shared by the Internet Freedom Foundation and several other privacy groups. The government is also granted the power to create compliance exemptions for private companies without much in the way of restriction, something that could potentially be abused to pick and choose favorites.
The personal data protection bill also contains “legitimate interest” exemptions for private organizations, in the manner of the ones laid out in the GDPR, but they have not been fully fleshed out yet. Details of special protections for children also remain to be decided.
The complaint system will also hinge on individual action. If a potential data protection issue is not addressed by the service provider within seven days of bringing notice of it, the data subject may then file a complaint with the DPBI. The individual must attach their genuine personal information to the complaint or face a fine of up to ₹10,000 (about $121). There is an appeal process for DPBI decisions, which must be initiated with the Telecom Disputes Settlement and Appellate Tribunal within 60 days.
If the recent history of personal data protection bills in India is any indication, at minimum it will take some time to hash out terms and address political conflicts. The last effort at such a bill took years to develop, and in the end so many changes were made to the assorted drafts that the government opted to withdraw the bill and start from scratch. As it passed through its various draft forms over the years, the prior proposal gradually tacked on a number of elements that had little to nothing to do with personal data protection online: proposals to regulate non-personal data types already covered by other entities, device and hardware manufacturers, and even a proposal to create the Indian version of the SWIFT banking system within the framework of the bill.