India’s Digital Personal Data Protection Bill

India’s Data Protection Bill a threat to privacy

The introduction of India’s Digital Personal Data Protection Bill, 2023, to parliament today, August 3, does far more to threaten privacy than to protect it.

As several members of Parliament opposing the Bill highlighted in India’s lower house, Lok Sabha, the Bill violates the right to privacy, grants unchecked powers to the government, and expands the scope for surveillance. The rights of 1.4 billion people in India hang in the balance.

India’s new Bill is not the People’s Privacy Bill that it should be. Digital India urgently needs a robust, rights-respecting data protection law — not one that enables government-led invasions of privacy and the expanding of surveillance. Further, it obscures the right to information which is crucial for accountability from public officials. It’s a win-win, but only for government and big tech. Raman Jit Singh Chima, Asia Pacific Policy Director at Access Now

The current draft is the most damaging one yet in terms of the unrestricted powers it grants to the government and its failure to effectively regulate private firms dealing with data. In addition to sweeping exemptions, the government has been given broad powers to block information and services on vague grounds such as “in the interests of the general public.” This draft also reflects a mutation from data protection to censorship as it empowers the proposed Data Protection Board and the government to block information without any oversight. 

An effective, world-class data protection law requires core tenets: an independent regulator; actionable rights and remedies; clarity on cross-border data flows; and business certainty and meaningful accountability from all data collectors, including the government. The Bill is devoid of each of these. 

Over a decade of engagement and multiple iterations later, India’s so-called Data Protection Bill contains the same flaws that civil society has criticised for years. The Data Protection Board lacks independence from the government, which is among the largest data miners. People whose privacy has been breached are not entitled to compensation, and are threatened with penalties for submitting certain complaints. Alarmingly, there have been no consultations in languages other than English, resulting in the exclusion of millions who will be affected. Namrata Maheshwari, Asia Pacific Policy Counsel at Access Now

Members of Parliament must ensure that the Digital Personal Data Protection Bill, 2023, does not pass without substantive amendments. Changes must make privacy the primary focus, otherwise the Bill will fail the people of India, representing a lost opportunity for the country to be a global leader with an effective, rights-respecting, and business-enabling data protection regime.