Opinion Revised Personal Data Protection Bill: One step forward, one step back
The revised Bill has dropped some of the more contentious rules that govern cross-border data flows after facing considerable opposition from Big Tech. But, at a time of government overreach, the arguably contentious provisions, which will vest greater power with government as opposed to an independent statutory authority, need to be reexamined.

After months of uncertainty, last week, the Union government released the revised version of the Personal Data Protection Bill for public comments. The Bill, now called the Digital Personal Data Protection Bill, 2022, comes three months after an earlier draft version of the Bill was withdrawn following considerable backlash over its onerous provisions. Some of the changes made in the latest version of the Bill indicate a rethink on these provisions within the government. For instance, the revised Bill has dropped some of the more contentious rules that govern cross-border data flows after facing considerable opposition from Big Tech. There remain, however, some areas of worry. One concern centres on the independence and the extent of authority vested in the proposed Data Protection Board that will be tasked with overseeing compliance with the Bill. The other relates to the exemptions extended to government agencies from adhering to some of the provisions of the Bill.
The earlier version of the Bill had imposed stringent conditions on cross-border data flows. Companies were mandated to store a copy of “sensitive” personal data within India, while taking out “critical” personal data from the country was barred. The new draft makes a significant departure on this issue by not imposing any such requirements on firms. Companies do not have to store data exclusively in India. They can now transfer the data to countries which are listed by the government. However, on what basis the government chooses a particular country is not yet clear. Will it be determined by considerations other than privacy, such as trade and geopolitics? Notwithstanding that, easing the rules on data storage will be welcomed not only by Big Tech but also by the burgeoning start-up ecosystem in the country.
Some of the other aspects of the Bill, however, warrant greater introspection. Take for instance the proposal to set up a Data Protection Board. The board’s members and its chairperson will be appointed at the government’s discretion. This, along with indications that the latest version ends up curtailing the board’s powers, raises concerns over its independence. Equally contentious are the expansive exemptions that have been afforded to the government and its agencies with limited safeguards. The joint parliamentary committee, which had dwelt on the earlier version of the Bill, had suggested that the exemption be provided under a “just, fair, reasonable and proportionate procedure”. However, as reported in this newspaper, this finds no mention in the revised draft. By simple notifications, government agencies can be exempted from the Bill’s provisions on grounds of national security. At a time of government overreach, these arguably contentious provisions, which will vest greater power with government as opposed to an independent statutory authority, need to be reexamined.