DPDP Bill 2023: Protecting Data, Challenging Rights

Balancing Data Protection and Citizen Rights: An Analysis of India's DPDP Bill 2023

The Digital Personal Data Protection Bill 2023, recently passed by the Lok Sabha, retains the core elements of the original legislation proposed in November 2022. However, it has raised concerns about its impact on citizens' rights, particularly the Right to Privacy and the Right to Information.

Key Features of the Digital Personal Data Protection Bill 2023:

1. Applicability: The bill applies to the processing of digital personal data collected online or offline and digitized within India. It also extends to personal data processed outside India for providing goods or services in India.

2. Consent: Personal data can only be processed with an individual's lawful consent, which can be withdrawn at any time. Notice must be given before seeking consent.

3. Rights and Duties: The bill grants individuals certain rights, including obtaining information, seeking corrections, and grievance redressal. However, they also have responsibilities, such as refraining from filing false complaints.

4. Obligations of Data Fiduciaries: Entities processing data must ensure accuracy, build security measures to prevent breaches, and retain data only as long as necessary. Government entities are exempt from certain requirements.

5. Data Protection Board of India: A board is established to address non-compliance with the bill's provisions. The government appoints its members, raising concerns about independence.

6. Transfer of Personal Data: Transfers of personal data outside India are subject to government notifications and prescribed conditions.

7. Exemptions and Penalties: Government agencies can be exempt from the bill's provisions in specific cases. Penalties are imposed for non-compliance, with the highest penalty being Rs 250 crore for data breach failures.

Concerns about the Bill:

1. Exemption Powers: The central government can exempt state entities from consequences, citing reasons like national security, potentially leading to reduced accountability.

2. Online Censorship: Entities penalized multiple times can be blocked by the government, potentially adding to existing online censorship measures.

3. Government Control: The government's influence in appointing the Data Protection Board's members raises concerns about its independence.

4. Data Collection Restrictions: The bill lacks discussion on restricting data collection, unlike the GDPR in Europe.

Impact on Rights to Information and Privacy:

1. The DPDP Bill 2023's modification of Section 8(1)(j) of the RTI Act weakens the public's access to personal information held by public servants.

2. Tensions between the Right to Information and Right to Privacy arise, as the former aims for transparency, while the latter protects against intrusion.

3. While both rights complement each other, the bill's provisions could potentially hinder transparency and empower unscrupulous data collection.

4. The bill defines "lawful purposes" broadly, potentially enabling access to data by both government and private entities.

Conclusion:

The DPDP Bill 2023 seeks to address data protection concerns but raises issues around citizen rights and government control. The balance between privacy, transparency, and accountability remains a challenge, especially given the potential limitations in seeking legal recourse for breaches of privacy.

Thank You