The government will not be able to violate the privacy of citizens under the proposed data protection law as it will get access to personal data only in exceptional circumstances like national security, pandemic and natural disasters, Minister of State for Electronics and IT Rajeev Chandrasekhar said.
Speaking during an online discussion, the minister said the National Data Governance Framework Policy has provision for handling anonymisation of data — which is not part of the draft Digital Personal Data Protection (DPDP) Bill 2022.
Chandrasekhar also said the proposed Data Protection Board — which will adjudicate matters related to data protection — will be independent and will not have any government officer on the board.
While responding to questions around privacy on Twitter Live on Saturday evening, the minister re-phrased the question of a participant to clarify the stand of the government and provisions in the draft DPDP Bill 2022.
“Let us say that the government wants to essentially violate the privacy of citizens with this law. Is it possible? That’s the question. The answer is no. The bill and laws lay out in very clear terms what are the exceptional circumstances under which the government can have access to the personal data of Indian citizens…. national security, pandemic, healthcare, natural disaster.
“These are exceptions. Just like freedom of speech is not absolute and is subject to reasonable restriction, so is the right to data protection,” Chandrasekhar said.
The draft DPDP Bill has exempted certain entities notified as data fiduciaries by the government from various compliances, including sharing details for the purpose of data collection.
The provisions from which government notified entities will be exempted deal with informing an individual about the purpose for data collection, collection of children’s data, risk assessment around public order, appointment of data auditor, among others.
The bill proposes to exempt government notified data fiduciaries from sharing details of data processing with the data owners under the “Right to Information about personal data”.
The draft DPDP Bill also bars individuals from sharing unverifiable and wrong information with data handling entities, which some people believe will deter anonymisation on internet platforms, especially on social media.
The minister further said the National Data Governance Framework has provisions to deal with anonymous data while the scope of the DPDP Bill is limited to personal data protection only.
“We have a National Data Governance Framework Policy that is to deal with the entire non-personal data and anonymised data space. This (DPDP Bill) is a very narrow well defined legislation to do with digital personal data protection.
“The anonymised data, standards of anonymisation, the use of anonymous data, etc are all going to be decided by the India Data Management Office (IDMO) under MeitY,” Chandrasekhar said.
He said before IDMO’s launch, there will be again a conversation about the non-personal data framework.
The minister said the Data Protection Board (DPB) will be an independent body and it says so in the bill — ‘independent of the government’.
“You will not find people like me or bureaucrats sitting on the Data Protection Board. It is important to understand that DPB is not a regulator. DPB is an adjudication mechanism to adjudicate a breach that has occurred. It is independent as the government will not be on the board,” Chandrasekhar said.
He added that the DPB will have an oversight of the high court because all of its decisions will be scrutinised by the court system.
“The punitive consequences of data breaches that we have mentioned in the bill should act as deterrent, catalyse the behavioural change in all data platforms in the way they look at personal data of Indian citizens. They will look at it with more responsibility,” the minister said.