Positives of the Bill
- Comprehensive data protection law mandating organisations, including both Central and State Government organisations, to follow the principles of lawful, fair and transparent personal data collection, including publishing of a privacy policy/notice, explicit consent management, purpose limitation, data minimisation and storage limitation for all personal data collected and processed, thereby ensuring that the Right to Privacy under Article 21 of the Indian Constitution is fully implemented.
- Promoting business and innovation - (1) The law prescribes only pecuniary punishments and not penal punishments like imprisonment. This is in tandem with the Government’s policy to decriminalize financial laws through the Jan Vishwas (Amendment of Provisions) Bill, 2023. (2) It provides appropriate obligations for the various classes of Data Fiduciaries. This is realized through the ‘Exemptions’ clause in the law, which contains different and relevant exemptions for the respective data fiduciaries, such as very small/startup, normal and significant data fiduciaries. (3) It allows cross-border data flow in general while also taking care of restrictions mandated for certain types of personal data under the extant laws/regulations/MoUs etc., thus enabling growth of the Digital Economy. Since the law calls for a black list of restricted/prohibited geographies rather than a white list, it seeks to shift the burden of providing the restrictive list onto the government rather than onto data fiduciaries.
- Maintaining the necessary framework for law enforcement authorities to operate - Limited exemptions for law enforcement agencies, and full exemption for agencies meant to protect national security, sovereignty and integrity, public order, relations with foreign friendly countries, or to prevent any cognisable offence relating to the above.
- Data Protection Board to work in Digital Mode – For the first time in the history of India, a statutory body corporate is designed to function in digital mode, thereby providing ease of access to citizens to secure justice. It also marks the beginning of the application of digital public infrastructure in the judiciary.
- Consent Managers - The law introduces the concept of a Consent Manager: an intermediary capable of ensuring the rights of individuals in terms of the consent given to different platforms/Data Fiduciaries and of tracking that consent over a period of time, thus acting as an interface between the organisations/apps (Data Fiduciary) and the users (Data Principal). A Consent Manager can be a third-party entity that does not hold a managerial position under the Data Fiduciary, thereby reducing the compliance burden, as Data Fiduciaries have the option to deploy third parties to carry out the responsibilities of a Consent Manager expeditiously.
- Cutting across language barriers – The law grants individuals the option to exercise consent in Indian languages other than English. Considering that India is not fully digitally literate, this will promote awareness and transparency with regard to data governance.
Issues of Concern
- Blocking a Data Fiduciary from processing personal data: While the law may seem to give the government discretionary power to block processing of personal data, it prescribes two checks and balances. Firstly, this power can only be exercised if and when the Data Protection Board tenders its ‘advice’ for blocking access. Secondly, the law prescribes ‘public interest’ as a necessary criterion before the power to block access may be exercised.
- Complete exemption for certain State bodies - The exempted State instrumentalities have been granted immunity from all the provisions and mandates of this law. These exemptions are necessary for certain State instrumentalities in the interest of governance. This phenomenon can also be seen under the GDPR, where a ‘complete exemptions’ clause is applicable to a wide array of instances and instrumentalities.
- Omission of Sec. 43A of the IT Act, 2000 - While the law seeks to omit Sec. 43A of the Information Technology Act, 2000, thereby departing from the concept of a right to demand compensation in case of unlawful processing of personal data, this has little practical implication. Firstly, this provision has practically not been used by the adjudicating officer and as such was a dormant provision. Secondly, compensation relief can still be availed through judicial intervention.
- No provision for prescribing standards for reasonable safeguards, making it difficult for the Data Protection Board to assess, and for organisations to demonstrate, reasonable security practices.
- No penal provisions for data processors, while obligations are simultaneously cast on them through the contractual route by a Data Fiduciary. This may result in multiple audits of the same data processor by different Data Fiduciaries.