The Digital Personal Data Protection Bill (DPDPB) 2023 was cleared by the Lok Sabha on Monday. Union Electronics & Information Technology minister Ashwini Vaishnaw had tabled the bill last week.
As is the norm, the bill will now need to be cleared by the upper house, Rajya Sabha, and assented to by the President, to become an act.
The move marks India’s gradual efforts to enact new digital privacy laws, which has seen multiple delays in the past.
The objective of the bill is to regularize the processing of digital personal data in a manner that protects citizens’ privacy. It also aims to empower citizens to better control the information they share online.
For instance, data fiduciaries, which in this case are firms collecting personal data from individuals, must provide notice of why they are doing so.
A “Consent Manager” should be made available to review provided consent, and this entity should register with a Data Protection Board that will be set up by the government. Fiduciaries should obtain “verifiable parental consent” for collecting data from minors.
A data fiduciary should no longer retain information about a user (a “data principal”) once the purpose of keeping that data is no longer served.
The bill also calls for giving users the right to review and correct the data they have provided, as well as to remove such data. They should be able to nominate someone else in case of death or incapacitation. They should have the right to have their grievances processed by the data fiduciary.
The bill, however, has also faced criticism from different corners. For instance, Editors Guild of India (EGI) expressed concerns over possible surveillance of users.
“We note, with dismay, that while the Bill, ostensibly to promote data protection, has failed to make any provisions that bring about the surveillance reform that it urgently needed, and in fact creates an enabling framework for surveillance of citizens, including journalists and their sources…”, it said in a letter.