More than six years after the Supreme Court declared privacy as a fundamental right, the government’s move to put in place a credible data protection mechanism has been clumsy, tentative and largely untrustworthy. The final version of the Digital Personal Data Protection Bill, 2023, tabled in the Lok Sabha by IT Minister Ashwini Vaishnaw, raises more concerns than it seeks to address. The key among them is the sweeping powers that it gives to government agencies in all aspects: accessing personal data in the interest of a loosely defined public interest, exempting government departments in the future from the guardrails of the law, and total control over the appointment of the Data Protection Board – an adjudicatory body that will deal with privacy-related grievances and disputes. Despite privacy experts flagging several problematic provisions of the earlier draft versions, the Centre has chosen to retain them in the final avatar of the legislation.
The impression one gets is that, instead of protecting the privacy of citizens, the new legislation may usher in an online censorship regime. Government agencies are exempted from giving an explanation to citizens about the purpose of collecting and processing their data. The central government will have the right to exempt “any instrumentality of the state” from adverse consequences, citing national security, relations with foreign governments, and maintenance of public order, among other things.
The data protection legislation has been in the works since 2017, when the apex court unanimously held the right to privacy as a fundamental right under the Constitution.