The Digital Data Protection Bill, 2023, was approved by the Lok Sabha and will now require Rajya Sabha’s approval. This updated version incorporates suggestions from its 2022 predecessor, although the details of these suggestions remain undisclosed due to a lack of government transparency during the consultation process. A key aspect of the Bill is that personal data can only be processed by entities or individuals, known as data fiduciaries, after obtaining consent from the data principal or for specific legitimate purposes. Certain situations, such as government agencies providing licenses and services, allow data processing without explicit consent. The Bill requires data fiduciaries to inform both the data principal and the Data Protection Board (DPB) about any data breaches. However, it doesn’t address informing data principals about third-party data sharing or storage duration.
The Bill provides excessive exemptions to state agencies, granting them significant leeway. The 2023 version grants broader exemptions to the state for data processing, potentially enabling mass surveillance. It also removes the necessity for consent when the state collects data for benefits, subsidies, and licenses, undermining the principle of using data only for specific purposes. Additionally, the Bill weakens the public interest exception for disclosing personal information under the Right to Information Act, reducing government accountability and transparency. The DPB, similar to the regulatory Data Protection Authority proposed in the 2018 version, maintains limited powers and members appointed by the Union government. The Bill needs thorough discussion in the Rajya Sabha to address these discrepancies.