Data protection bill will enable safeguards: IT minister
Rajeev Chandrasekhar, MoS IT, electronics, and skill development, talks about how the Digital Personal Data Protection Act will protect against data breaches and misuse.
- The Digital Personal Data Protection Bill 2023 has become law after being passed by the Lok Sabha and Rajya Sabha.
- The legislation protects individuals’ personal data and introduces a series of checks and balances for such data usage.
- MoS IT Rajeev Chandrasekhar believes that the DPDP Act will protect personal data from being misused or exploited.
- Citizens can file complaints with the Data Protection Board in case of data breaches or misuse by service providers.
For the 84 crore Indians who are on the web, the internet is a tricky space. Service providers routinely demanded personal information as a mandatory request. Sometimes, personal data is hacked, leaked, or misused by third parties. Until recently, a lack of adequate data protection safeguards rendered us helpless. The Digital Personal Data Protection (DPDP) Bill 2023, now passed into legislation, protects the personal data of individuals and prevents its misuse.
From moving the Supreme Court to upholding the right to privacy to designing an effective law to uphold these rights, Rajeev Chandrashekhar has played a pivotal role in empowering internet users. It was a long-awaited reform that he has spearheaded since 2018.
“We worked hard to make this happen. I believe that the DPDP Act helps set a global standard for data protection and data privacy. It is a benchmark for data privacy,” says Rajeev Chandrasekhar, Minister of State for Electronics and IT, Skill Development and Entrepreneurship in an interview with YourStory.
Till now, privacy legislation in the world has been synonymous with the General Data Protection Regulation, which is a European law. The minister hopes the DPDP will soon become the global conversation starter for matters related to privacy.
The DPDP Act is split into multiple areas focussing on regulation, enforcement, and penalties. For the first time in the country, the Act has paved the way for setting up a Data Protection Board that will be responsible for investigating data breach complaints. Through a series of checks and balances, the Act ensures that personal data is only used for the stated purpose.
“If you look at the Act with an open mind, you will find there are reasonable exemptions that are lawful,” the minister explains. For instance, if there is an individual trapped in an earthquake and needs a blood transfusion, the government bodies can access their data to deal with the medical emergency.
Enabling data safeguards for the masses
The DPDP Act 2023 has created a protection framework for not just the internet users of today, but also for the future. The minister believes that ~120 crore Indians will use the internet by 2025-26, including those who may not be literate, and hence it is imperative that their data isn’t misused.
The passage of the Bill, however, was not devoid of controversies. The Editors Guild of India issued a statement expressing concerns about the DPDP Act and stated that the law may legalise surveillance of journalists and their sources. However, the minister rejects these claims and says that the law will not breach any individual’s fundamental rights, including journalists.
“The internet is not about editors and journalists. It is about all the citizens that use the internet and their rights are equally important. Nobody gets a free pass to personal data,” he adds. It also means that nobody, including the government, can escape liability in case of data breaches.
One thing to remember, however, is that privacy is a fundamental right and not an absolute right. According to the minister, this means that the DPDP Act protects those in the public services from falling victim to malicious attempts (including under the Right to Information Act) to seek sensitive personal data.
“Right to information is not equal to right to personal information. There is a limitation,” he adds.
How the DPDP Act works:
- The law will go into effect on a set date, called Day Zero.
- There will be a transition period for all stakeholders before the law goes into effect.
- On Day Zero, every internet platform that has collected personal data in the past must inform the citizen.
- The citizen has two options: either consent to the data collected or ask the platform to delete it.
- If there are discrepancies, the citizen can file a complaint with the Data Protection Board.
What’s in it for startups?
The DPDP Act is a critical piece of legislation for startups operating in India because it governs data usage and user consent for sharing data. This is even as the DPDP Act has three very contradictory objectives, in the minister’s own words.
The three objectives include protecting citizens' rights, ensuring growth with minimal compliance for startups and innovation-led companies, and offering data access to the government during emergency situations.
On one hand, the Act provides ample room for innovation, while on the other, it curtails exploitative business practices. The minister explains that the DPDP Act doesn’t create a compliance burden for startups.
“The rules are easy to follow for ethical businesses. However, if a company has built its entire business model around exploitation and misuse, we are putting a brake on it,” the minister says.
The Act follows a four-pronged approach towards data protection and data privacy. It includes seeking consent before data use, utilisation of minimal data, using data only for its intended purpose, and storing data only for a fixed period. Early-stage startups will also be given certain exemptions so that they can conduct their daily operations without glitches. These exemptions will hold for a period until the startups become bootstrapped to a certain scale.
Passing such transformative legislation in a diverse country like India is not easy. But what worked for the government was that they followed a process of consultations and deliberations, seeking public opinion at the draft stage.
“We don't want to legislate because we want to legislate. We want to legislate what people want us to legislate,” he adds. The DPDP Act 2023, says the minister, is as much the creation of all of those who participated in the stakeholder consultation.
The long-awaited data protection legislation is done, but the minister has a lot more on his agenda. The Digital India Bill 2023 is the next major legislative reform, one that seeks a complete overhaul of the two-decade-old Information Technology Act. The minister says that the DPDP Act and Digital India Bill will guide the “techade” or the next decade of technology opportunities. With public consultation set to begin soon, this too will be legislation for the people, by the people, and of the people.