After almost half a decade of negotiations involving the government, tech firms, and representatives from civil society, the Digital Personal Data Protection Bill, 2023, was presented in India’s Parliament on August 3rd. This bill outlines protocols for how both corporations and the government can gather and utilize personal information and data of Indian citizens.
Over these five years, the legislation underwent several revisions. It initially began as a draft legislation influenced by Europe’s privacy safeguards, granting citizens more control over their online data. However, midway through, certain provisions were altered to accommodate companies and foster competition, somewhat mirroring aspects of US legislation.
The final Bill presents a mixed package. While it introduces significant provisions governing how private entities handle users’ personal data, many of these standards do not extend to the government itself, which enjoys substantial exemptions and authority over enforcement processes.
This encompasses the gradual weakening of the Data Protection Authority of India, the designated regulator and enforcer of the law. Additionally, there are multiple exemptions for the central government and its affiliated entities, which were heavily criticized in the earlier draft. The government can appoint members to the data protection board, raising concerns about potential control in cases where it has vested interests.
Other elements include provisions allowing the central government to bypass rules for obtaining express consent from citizens. The government also holds the right to exempt “any instrumentality of the state” from negative repercussions, citing national security, foreign relations, and public order, among other factors. In these aspects, the Bill seems closer to the Chinese approach than the EU legislation it initially drew inspiration from.
