Parliament has kicked off its second attempt to hammer out a data privacy law after the Union government introduced the Data Protection Bill, 2023 on Thursday. This is the second time a law on data privacy will be deliberated upon by lawmakers, an exercise almost certain to be turbulent if the resistance on Thursday by the Opposition is any indicator. Some members expressed concerns about both the form of the draft law and the way it was drawn up. Indeed, these two are important issues that need deliberation and explanation, with many concerning provisions — mostly from a civil rights perspective — requiring significant scrutiny. But these conversations risk losing sight of the proverbial woods for the trees.
Overall, the need for a data protection law has never been more acute. Even in its current, controversial form, the proposed law will lay down important guardrails without which millions, if not hundreds of millions, are bleeding personal information on a daily basis. In everyday life, people are asked to submit copies of their identity documents in duplicates, even triplicates, by anyone selling a product, offering a service or even for gatekeeping physical access. Individual phone numbers, declared at one innocuous-seeming restaurant waiting list, end up in directories of spammers who have demolished the notion of do-not-call lists, websites continue leaking sensitive information and mobile phone apps keep seeking access to data unrelated to their purpose. The bill introduced in Lok Sabha on Thursday makes such privacy-breaching practices illegal.
The reason the 2023 bill is crucial is because there exists no legal mandate for consent when it comes to personal information. The proposed law will make consent — specific, unambiguous and unconditional — mandatory before data is sought. It also allows an individual to revoke that consent, and requires that once that happens, the personal information so permitted be then destroyed (subject to some other legal obligations). There are, however, certain exemptions that mean these obligations are not universal; in particular, they largely do not apply to the government or when it involves any work with the government (seeking a service, accessing subsidies, or securing certificates or documents). These exemptions have been criticised for being too liberal and the government will do well to reconsider this aspect. The data bill has had to strike a difficult balance between privacy protections, security considerations and ease of business compliance. In the security domain, the data bill needs a relook. There seem to be no checks or conditions for acts such as sweeping surveillance, and a lack of safeguards that should ideally have been defined in the data protection law. On its impact on industry and business, however, the bill seems to strike the right notes among stakeholders, who were largely wary after the experience of Europe’s General Data Protection Rules (GDPR). The EU law is a standard-bearer for civil rights protections but has been criticised for stifling innovation. For now, it appears the Indian attempt is accommodating of such concerns, even though companies will still need to (as they must) make significant changes to account for these privacy protections. The criticisms aside, the law is an important first step — and it must be taken quickly, with as many improvements as possible. Tweaks will be inevitable for a legal framework as complex as this, but that must not hold up its existence altogether.
Experience unrestricted digital access with HT Premium
Explore amazing offers on HT + Economist