India’s new data protection bill makes a good show of user rights — but can it deliver on its promises?

India’s new data protection bill makes a good show of user rights — but can it deliver on its promises?
Internet users in India have to choose between the over reach of private companies or the governmentBI India
  • India’s Personal Data Protection Bill, 2019 is likely to be placed in front of Parliament sometime this month.
  • The underlying goal of the proposed laws is to assign rights to users over the collecting, storage and usage of their information.
  • However, vague language and open-ended clauses leave room for government overreach and resulting misuse.
When it comes to data privacy it looks like users have every option available to them except for the one they want — control over their data. This includes knowing who’s collecting data, where it’s being stored, how it’s being used and what can be done if it's misused instead.

There have been one too many instances where personal information, anonymised or not, has been used with bad intentions. One prominent example from recent history was Cambridge Analytica’s use of data from Facebook to profile voters during the 2016 US Presidential election.

With the recent increase in cyber crimes, the government of India is coming up with its own data protection laws, which officials claim is based on the European Union’s General Data Protection Regulations (GDPR).

Complimentary Tech Event
Transform talent with learning that works
Capability development is critical for businesses who want to push the envelope of innovation.Discover how business leaders are strategizing around building talent capabilities and empowering employee transformation.Know More
Any data that can identify an individual — either directly or indirectly — is covered under the Data Protection Bill, 2019. This includes names, addresses, financial information, IP addresses, cookies, device IDs and other data.

Hobson’s choice that Indian internet users face
The bill outlines that an organisation needs to tell an individual from before collecting or using their data. The exceptions to this are if the data is processed under law or court order, for purposes related to employment or for a ‘reasonable’ purpose specified by the Data Protection Authority (DPA) — the nodal organisation that will be looking after the entire framework.


Reasonable purposes include the operation of search engines, fraud prevention, mergers and acquisitions, and credit scoring but is not limited to any prescribed scope of activity.

Moreover, clause 91 of the bill allows the central government to access anonymised or non-personal data to frame policies in the internet of the ‘digital economy’. “Such provisions show that the proposed law is far more interested in treating data as a resource,” noted the Internet Freedom Foundation (IFF).

This indicates that there is still considerable scope for a user’s data to get collected without their consent. The only difference is that instead of a private company exploiting your personal details, it will be the government with little in its way to stop overreach.

Even ‘critical’ and ‘sensitive’ data — such as religion, age, gender and other personality identifiers — may be available to the government in the interest of ‘national security’. The vaguely worded clause leaves room for misuse, according to critics.

User rights under the Personal Data Protection Bill:
  • The right to obtain confirmation from the fiduciary on whether their personal data has been processed.*
  • The right to seek correction of inaccurate, incomplete, or out-of-date personal data.
  • The right to have personal data transferred to any other data fiduciary in certain circumstances
  • The right to restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
*A data fiduciary is an entity or individual who decides the means and purpose of processing personal data.

Penalties under the Data Protection Bill, 2019:
Processing or transferring personal data in violation of the BillFine of ₹15 crore of 4% of annual turnover, whichever is higher
Failure to conduct a data auditFine of ₹5 crore or 2% of annual turnover, whichever is higher
Re-identification and processing of de-identified data without consentImprisonment of up to three years, or fine, or both

Authority without independence
In the case of data misuse, users had to file a complaint under the Information Technology Act, the Indian Penal Code, Consumer Protection Act, Indian Contract Act or look to sectoral regulators until now. With its new set of laws, India hopes to cover all issues under the ambit of the DPA.

If there is ever any breach of personal data, the organisation in-charge will have to inform the DPA. After that, however, the apex body will be in charge of deciding whether the data breach should be communicated to the affected users or direct the company to mitigate the threat.

The decision making is still not in favour of the users themselves. Moverover, the independence of the DPA has also been called into question.

The members that comprise the DPA includes a chairperson and six committee members, which will be appointed by the central government on the recommendation of a selection committee. The committee itself is formed by senior civil servants, including the Cabinet Secretary.

Critics claim that the government has too much power to appoint and remove members at its discretion. This also implies a level of ability to influence the members of the DPA and the underlying committee.

The Hobson’s choice in front of internet users in India is whether they’re okay with information being used by private companies to make a profit or to hand data over to the government with whom many are facing a trust deficit.

India is asking the QUAD for money to boost vaccine production and counter China’s moves on the global stage

Gold prices are falling and the world’s biggest market for the yellow metal is hoping for more shoppers

India’s blockchain tech to make SMS more secure is leaving users locked out of their accounts — and potentially more at risk