Citizens’ Data Security and Privacy

Standing Committee Report Summary

• The Standing Committee on Communications and Information Technology (Chair: Mr. Prataprao Jadhav) submitted its report on ‘Citizens’ Data Security and Privacy’ on August 1, 2023.  The Committee noted the rising risk of misuse of personal data, and highlighted that a data protection law must be urgently introduced.  One member of the Committee submitted a dissent note regarding the rule making powers of the central government, exemptions to government agencies, and non-inclusion of non-personal data.  Key observations and recommendations of the Committee include:

• Draft Digital Personal Data Protection Bill, 2022:  The Committee noted that the Ministry incorporated questions that were raised during previous consultations for the data protection law, into the 2022 Draft Bill.  These questions included the rule making powers of the central government, compensation from those whose process data, age of consent, and the establishment of a grievance redressal mechanism for data principals.  The Committee recommended that the Ministry incorporate visual elements for consent and notice mechanisms to extend benefits to people who are not digitally literate.

• The Committee noted that the Ministry is in the process of bringing a Bill to establish a framework for processing digital personal data while balancing protecting personal data.  It noted that implementing a suitable law will enhance data security and ensure that personal information is safeguarded.  It also noted that the 2022 Draft Bill protects person data as a whole, without further classification.  This avoids issues of interpretation and classification-based protection.

• Exemptions for processing personal data:  Under the proposed data protection Bill, the state may process personal data for legitimate uses.  These include: (i) performing functions under law, (ii) providing subsidies, benefits, or licenses, (iii) protecting the sovereignty, integrity, and security of the state.  Noting that the right to privacy is not absolute, the Committee held that there is a possibility of such provisions being misused.  It recommended that the Ministry ensure such exceptions do not become the general rule and that they be used in exception circumstances only.  The Committee recognised the need for rule making powers of the Ministry to keep the law in sync with current developments.  However, the Committee urged the Ministry to use the rule making powers judiciously and responsibly.   

• Progress on the Digital India Bill:  Personal data is currently protected under the Information Technology Act, 2000 (IT Act).  The Committee noted that the IT Act is outdated, and a comprehensive framework is required to specify rights and responsibilities in case of digital personal data.  The Ministry stated that they are working on the Digital India Bill to replace the IT Act.  The Committee recommended that the Ministry promptly finalise and enact the Digital India Bill. 

• Criminal and civil liabilities:  The 2022 Draft Bill and the Personal Data Protection Bill, 2023 allow for alternate dispute resolution, and considers violations by data fiduciaries as civil wrongs.  The Committee noted that there was no provision for criminal liability in the Bills.  Some sections of the Indian Penal Code (IPC), such as 405 (theft of data) could be utilised to invoke criminal liability.  The Committee urged the Ministry to create awareness about such provisions under the IPC and of alternate remedies.  It also suggested that a helpline number or AI-based chatbot be established to provide such guidance.

• Rule-making powers of central government:  The 2022 draft Bill contains provisions that allow for the delegation of legislation by prescribing rules.  Taking cognizance of the dynamic nature of information technology, the Committee appreciated the space for making subordinate legislation.  However, they cautioned the Ministry to utilise the rule making powers judiciously and employ them with utmost care and responsibility.  As per a dissent note, there was excessive use of delegated legislation in the draft Bill which did not specify the scope and method of implementation of certain provisions.