India passes data protection legislation in Parliament

The Rajya Sabha on Wednesday passed the Digital Personal Data Protection Bill-2023 by voice vote even as opposition members staged a walkout over the Manipur issue.

The bill comes six years after the “right to privacy” was declared a fundamental right, with provisions to prevent the misuse of individuals’ data by online platforms.

Introducing the bill in the Rajya Sabha, I&T minister Ashwini Vaishnab said: “We received inputs from 48 organizations and 39 ministries and received a total of 24,000 comments on the bill. For the first time, citizens of the country using digital services have been given rights and companies that are mining data have been given obligations.”

Vaishnav said the bill focused on a broad set of principles including legality (an individual’s data cannot be used for any purpose other than the intended purpose), principle of purpose, data minimization, accuracy, storage limitation (so that the data organization must delete the data after the end of use), and accountability.

He further said the bill enshrines four rights including the right to information, the right to rectification or deletion of information, the right to redressal of grievances and the right to the nomination (in case of death). He also mentioned that an independent data protection board would be set up, which would fall under the jurisdiction of the Telecom Disputes Tribunal and could also approach the Supreme Court in case of appeal.

Terming the bill as a landmark piece of legislation in independent India, BJD MP Amar Patnaik raised some concerns. “I did not find the word ‘privacy’ in the bill, nor did I find the word ‘compensation’. And yet these words were central to Puttaswamy’s judgment.

YSRCP’s S Niranjan Reddy, while supporting the bill, asked the minister to look into exempting start-ups. Said: “There is a danger of a big data company setting up a data mining start-up to use this data for purposes other than what is stated,” he said.