Chandrayaan 3 and DPDPB 2023

Chandrayaan 3 completed a critical manoeuvre yesterday to leave the Earth’s orbit and move towards the Moon’s orbit. In a few days, it will start orbiting around the Moon a few times before finally landing on the Moon. We are all excited and look forward to the success of this mission.

Simultaneously, Data Protection Professionals have been waiting for DPDPB 2023 to be successfully passed into an act even before the Rover lands on the moon.

The Bill has left the drafting orbit and is now in the Parliament. After being debated in the Parliament we hope it will successfully land for assent by the President into a law.

Many members of the Opposition wish that both the Chandrayaan mission and the DPDPB 2023 mission get aborted. Hopefully their prayers will not be upheld by the Almighty. Perhaps the Opposition would wish the Almighty to be as obliging as the Supreme Court perhaps would be.

For the first time the industry is welcoming the draft and even many privacy activists have welcomed the bill as a good balancing act.

The simplicity of the Bill is striking and this time industry professionals are not feeling the need for “Privacy Law Experts” to decipher the Bill, since the tech professionals themselves can understand and interpret it. This is a big boon for the quick adoption of the Bill in practice.

The next hurdle is of course from the Supreme Court since on some ground this will be referred to the Constitution bench and Kapil Sibal or Abhishek Manu Singhvi will try to convince the Court why the Bill should be scrapped.

Naavi.org hopes that the Supreme Court will not become the stumbling block for the law to be passed since it is its own baby. Maybe the baby is not of the gender that the Supreme Court wanted, or perhaps not as healthy as it could have been in their view. But we can accept it as it is and try to improve it later.

Hope the Supreme Court listens to “We the People…..”

Naavi


Fifteen Major Concerns With India’s Digital Personal Data Protection Bill, 2023.. commented

Medianama has published an article today highlighting 15 major concerns regarding the DPDPB 2023.

We appreciate the efforts taken by Medianama in extracting 15 objections out of 44 sections of the Bill. It is a document which will be useful for the opposition parties when they discuss the Bill in the Parliament. I suppose the politicians cannot find more points for objecting to the Bill than what Medianama has documented.

However, Naavi.org has some difference in perception and a point by point comment on the 15 concerns is provided below.

Concerns on DPDPB 2023

Each of the 15 Medianama concerns is listed below, followed by the Naavi.org comment on it.
1 The government’s broad powers to exempt itself, demand information from companies, and retain data for an unlimited period can result in mass surveillance:   

The DPDP Bill allows the government to issue a notification to exempt any of its agencies from the Bill on grounds like the security of the State, maintenance of public order. etc.    In other words, any exempted agency of the government can collect and process the personal data of citizens without following any of the safeguards prescribed in the DPDP Bill and for any purpose they want. Additionally, Section 36 allows the government to demand personal data from private companies “for purposes of this Act,” which is not a phrase that is elaborated.   Both these provisions, combined with the fact that the government can retain personal data for an unlimited period regardless of whether the purpose for which it was collected has been served, means that the government has a carte blanche to carry out mass surveillance.   Furthermore, there is an automatic exemption for processing personal data for the prevention, investigation, etc., of crime, without the need for the government to issue any notification.
The reasonable restrictions to the Right to Privacy are provided under Article 19(2) and accordingly processing of data for purposes such as security of state has been exempted. The interpretation of Section 36 is mischievous and incorrect. There is no such implication in the Bill that the Government may demand personal information under this section. This kind of interpretation indicates that certain persons are thinking of denying even legitimate information to the Government from the Data Fiduciaries and if this is so, they are only interested in carrying on an illegal activity under the guise of Privacy. The Government has a duty to provide security to its citizens and hence certain powers to retain information, even of a personal nature, belonging to the citizens are a legitimate requirement of Governance. It is strange that even for processing information for law enforcement there is a demand for a notice. This essentially means that all criminals should be given prior notice that their information is being tracked. The objection is therefore completely unacceptable.
2. Free pass for scraping of publicly shared personal data:  

Clause 3(c)(ii) of the Bill states it shall not apply to personal data that is made publicly available by the user.   As an example, the Bill illustrated that if an individual, while blogging her views, has publicly made available her personal data on social media, then processing of that data won’t come under the purview of the data protection law.   This allows companies to process publicly available personal data without any consent or without adhering to any other provisions of the Bill.   For example, AI services like OpenAI’s ChatGPT and Google Bard will be able to scrape publicly available personal data from the internet to train their models. This also raises possibilities of facial recognition tools using publicly available profile photos to train their systems.
If personal data is made publicly available by the Data Principal there is no reason why there should be any objection. We may note that the law says “Made publicly available” and not “Is publicly available”. Hence consent is ingrained in this provision. As regards 3(c)(ii)(B), the consent is not required as the information is made public under a legal obligation. If we recognize the difference between “Publicly Available” and “Publicly made available”, then the objection becomes unsustainable.
3. Definition of child as someone under the age of 18 creates access issues for children and a compliance burden for companies:   

The DPDP Bill has additional obligations for companies processing data of children, defined as anyone under the age of 18.   Importantly, it requires such companies to get “verifiable consent” from parents before processing children’s data.   This not only takes away agency from teenagers by restricting their ability to access websites without parental consent but also puts companies in a tough spot as they will have to carry out some form of age verification (which itself would require collecting personal data such as government-issued IDs) of all their users to ensure that they are not collecting personal data of any children without parental consent.   The Bill allows for some companies to be exempt or have a lower age threshold if they process children’s data in a way that is “verifiably safe.”   But it is not clear what fits this criteria and it creates two different standards for companies processing children’s data.   A seventeen-year old and an eight-year old should not be treated the same and a graded approach should be adopted by the Bill.
This objection clashes with the necessity of the society to “Protect Children” from certain dangers. All over the world similar legal measures of restricting access to certain information based on age are used. The issue of age verification and obtaining consent from the guardian is also a global phenomenon which does not have an easy solution. Whether the actual age at which restrictions are removed should be 18 or less is an academic debate. If Consent is a form of contract, then contract law has to be respected and the 18 year cut off also has to be respected. Since DPDPB 2023 considers a child as a joint data principal with the guardian, the consent of the joint data principal will be required. Use of the “Digital Age” concept and introducing measures to switch parental consent to the individual’s consent during a period surrounding the attaining of 18 years has been discussed by Naavi.org earlier and can be considered during the notification. The “burden” on the data fiduciary for obtaining verifiable consent is a reality and has to be met by data fiduciaries who are providing services to children.
4. The government’s power to block content goes beyond the already controversial Section 69A of the IT Act:   

Under Section 37, the government can block access to websites or content on advice from the Data Protection Board in case of repeated offences by the entity or in the “interests of the general public.” This broad phrasing goes beyond the already controversial powers of the government to block content under section 69A of the Information Technology Act of 2000. Additionally, the powers of a Data Protection Board to advise on blocking “content” is problematic given that the Board is entrusted with issues related to data protection and “content” is a broader ambit that other regulations such as the IT Act already deal with.
Section 37 only empowers the Data Protection Board, which otherwise has quasi judicial powers, to advise the Government to initiate action for blocking access when required. This is only a supplement to Section 69A and actually reduces the power under Section 69A, making it mandatory for the authority under 69A to require a written request from the DPB for blocking. The objection is therefore invalid ab initio.
5. The “as may be prescribed” Bill:   

The phrase “as may be prescribed” appears at least 26 times in the 20-page bill leaving a lot to delegated legislation. This allows the government to notify rules later on to clarify these provisions. Such rules don’t go through the same parliamentary rigour as the bill itself, because of which these rules can be overbroad and go beyond the scope of the parent legislation, as is being argued about the IT Rules of 2021, which was issued under the IT Act of 2000.
It is not feasible to hard code all requirements on regulation of a dynamic domain such as “Data Protection” and hence resorting to notifications is unavoidable. GDPR regulators actually created the WP29 system, now managed by the EDPB, for issuing such regulations and notifications on an ongoing basis. It has been a practice for these activists to take every rule and notification directly to the Supreme Court and the Supreme Court obligingly uses its powers to scrap many such notices, as we have seen in the context of ITA 2000 notifications or UIDAI related notifications. In the case of UIDAI and IRCTC even routine tender documents have been referred to the Supreme Court alleging infringement of fundamental rights and the Supreme Court is most obliging to consider such complaints. The objection is therefore without substance.
6. Weakens the RTI Act by giving the government more reasons to deny information:   

The DPDP Bill amends the RTI Act of 2005 to state that the government is not obliged to disclose information that relates to personal information. Earlier this could be overridden in case of larger public interest. By making this amendment, the Bill weakens the RTI Act as the government has one more broad ground to deny information requested.   “A new era of corruption will be introduced as personal data like assets and liabilities, education qualifications of corrupt officials, won’t be sought under RTI Act,” MP Adhir Chowdhury pointed out in the parliament.
Right to Information and Privacy are opposing principles and conflicts cannot be avoided.
At the same time RTI should not be misused for extracting personal information. Such cases need judicial intervention and the aggrieved RTI activist needs to get a judicial order to extract personal information, which is feasible. The objection is therefore speculative.
7. No consent is required for sharing data with others:  

When obtaining consent, a company does not have to disclose who all the data will be shared with and for what purposes.
The previous version of notice under DPA 2021 and DPDPB 2022 was detailed and very cumbersome. This has now been simplified. Even under GDPR, such information is required to recognize only “Types of processors” with whom data is shared and not the names of the processors and sub contractors. These are business sensitive information that cannot be shared without damage to the business of the organization.
8. The notice informs users very little about what happens with their personal data:   

The notice to be shown to users when obtaining consent is only required to state what personal data will be collected and for what purpose, unlike previous iterations of the bill, which required companies to state how long they will store data, if they will share it with third parties, where the data was collected from, details on any cross-border transfer of the data, etc.   Additionally, companies are not required to publish privacy policies on their site as required by previous iterations of the bill.
The notice includes the information on how the rights may be exercised by the data principal and how a complaint can be made, besides the indication of the purpose. There is therefore a means of collecting the information about how the data will be processed, which will be of interest only to a class of information hunters and not ordinary data principals. The Consent managers will also be able to contribute in this regard to prevent any misuse. The DPB has to act either through its own monitoring or when non compliance is brought to its attention. Hence Objection is not relevant.
9. No clarity on what safeguards companies have to implement to protect from data breaches:   

The DPDP Bill requires companies to take “reasonable security safeguards” to prevent personal data breaches and failure to do so can attract the highest band of penalty of up to Rs 250 crores. But there is no clarity on what measures should be taken and what constitutes as “reasonable” safeguards
There are different frameworks such as PDPSI or ISO 27001/27701 for the purpose.   Hence Objection is not relevant
10. No compensation for victims of personal data breaches:   

While the Data Protection Board can impose a penalty of up to Rs 250 crores on an entity for a personal data breach, none of this goes towards the user, who is the victim of the data breach. Additionally, the Bill removes section 43A of the IT Act, 2000, which provided for such compensation.
This law is meant to discipline the industry.
There are other laws to impose civil penalty or criminal punishments.
Section 43 of ITA 2000 can be used to claim damages through adjudication under ITA 2000 since data principal can consider any damage suffered to him as a contravention of Section 43.   Simultaneously Section 66 of ITA 2000 also can be invoked.   Hence Objection is not relevant  
11. The Data Protection Board will be a puppet of the government:   

The Chairperson and Members of the Data Protection Board will be appointed by the Central Government on terms specified by the government, raising questions about the Board’s independence from the government.   For instance, if the Board has to investigate a misuse of personal data of the government, there will be a conflict of interest because the government is essentially the judge, jury, and executioner of its non-compliance.  
This is a speculative statement. The DPB will have members and a Chairman who should be professionals and not become puppets by choice. There are criteria for appointment and just as appointment or extension of terms of ED/CBI officials are routinely debated at the Supreme Court, every appointment in DPB is also justiciable. Hence Objection is not relevant.
12. Penalties for users for failing to fulfil duties:   

The DPDP Bill allows the Data Protection Board to levy a penalty of up to ₹10,000 if a user fails to perform their duties as listed in the Bill.   One of the duties, for example, is that users should not register false or frivolous grievances or complaints with a Data Fiduciary or the Data Protection Board.   This provision could deter users from filing complaints in the first place in fear of a fine. A bill that’s about protecting the right to privacy of users should not be levying any penalties on users.
This is required to ensure that Andolan Jeevies do not hijack the operation of the law.
If false and frivolous complaints are made then the DPB should have the discretion to impose penalties just as Courts impose costs on frivolous PILs. Hence Objection is not relevant.
13. Exemptions for the use of personal data for debt recovery need safeguards:   

There are some exemptions granted to personal data processed for debt recovery.   For example, if a person takes a loan from a bank and defaults on their monthly instalment, the bank may process the personal data of the individual to ascertain their financial information and assets and liabilities.   Without any safeguards, this can be problematic as we frequently see instances of fake loan apps engaging in unethical recovery practices by accessing contact lists and photo libraries of borrowers and blackmailing them using this personal data.
This is another speculative objection without basis.
DPB should be trusted to adopt guidelines to prevent any misuse of the law either to hide an offence or to misuse personal data. Unethical recovery practice is the domain of the IPC and not part of DPDPB as long as DPDPB is not a hindrance to the operation of the IPC. Hence Objection is not relevant.
14. No safeguards for sensitive and critical personal data:   

Certain types of data such as health, biometric or financial personal data merit stricter conditions for processing and storing. Earlier iterations of the bill had sensitive and critical personal data as subsets of personal data that were subject to additional safeguards.   Such classifications don’t exist in this bill.
Classification of data fiduciaries as “Sensitive” can address this requirement.
All Significant Data Fiduciaries need to conduct periodical audit besides external data audit and have a DPO to assist the compliance.   Hence Objection is not relevant
15. Does not apply to anonymised data:   

The law will not apply to anonymised personal data, which could be a problem because not only can anonymised data be deanonymised but it can also be layered on top of personal data to draw inferences of individuals.
It is well understood that Anonymised data is not personal data. De-Anonymization is a Cyber Crime and is covered by Section 66 of ITA 2000. Hence Objection is not relevant.

Naavi


DPDPB 2023- Some issues

Following the presentation of the DPDPB 2023, several comments have been published in different publications.

Penalty

NDTV carried the following interview in which the upper limit on the penalty came up for discussion. The interview clarifies a number of doubts that the opposition raised yesterday and that have been carried through by the Soros group of media.

One of the issues Mr Rajeev Chandrashekar has stated is about the total penalty. Even earlier he had made a statement that the penalty may be imposed for “Each Instance”.

Currently the Bill speaks of 7 types of penalty. Each of these is a different type of breach. Earlier there was a Rs 500 crore upper limit which seems to have been removed. Hence there is the possibility that the 7 different parts of the penalty table could be aggregated and the total penalty may exceed Rs 500 crores.

Now he has even mentioned that breach of each set of personal data may be considered as a separate breach. This sort of interpretation was being used under HIPAA earlier. Now we may see that there could be a discretion for the Board to consider 7 different types of breach as well as the number of data sets breached. This could mean that we may not be far behind the GDPR which has imposed a fine of US $1.2 billion.

However our law is also considerate to state that the penalty will be proportionate and take into account the likely impact of the imposition of the monetary penalty on the person. Hence it is unlikely that the Board will impose fines which are not sustainable in the appeal stage.

RTI

The second most important objection is on “Dilution of RTI”. Mr Chandrashekar has also rightly answered it in his interview. RTI is not to be misused to harness personal data. Any data released under RTI also becomes “Public Data” and therefore there is a clear danger of RTI being misused. In my view the power of refusal of personal data was already available under RTI and hence the new provision is not significant.

Government Powers

The next objection is that the Bill will provide too much power to the Government and creates two kinds of data fiduciaries namely Government and the others. This also appears to be unfounded and is a speculation that can be made on any legislation. From the same yardstick, any law including IPC can be considered as adversely affecting the fundamental rights.

However the right to privacy itself is not considered “Absolute” and reasonable restrictions are in order.

DPDPB 2022 under Section 2(i) defines a Data Fiduciary without distinguishing the Government or non Government. Hence the Act applies to the Government subject to the exemptions and legitimate uses.

Exemptions are provided under Section 17 and Legitimate uses are indicated in Section 7. Legitimate use provides that a data fiduciary may process the personal data for the following uses.

(a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.

(b) for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where––

(i) she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or

(ii) such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data.

(c) for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State;

(d) for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force;

(e) for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India;

(f) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;

(g) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;

(h) for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order.

These legitimate reasons (a), (d), (e), (f), (g) and (h) are all generally available for all Data Fiduciaries.

(b) and (c) are exclusive to Government and related to Government functions. Hence no objection can be raised on the same.


Exemptions under Section 17 apply to instances including the above cases where the “Consent” may not be required.

Exemptions under Section 17 apply excepting two sub sections of Section 8, the chapter on Rights and the transfer of data outside India.

Section 8 has 11 sub sections out of which the following do not come under exemption.

A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor

A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.
Rights and Duties of Data Principal

Out of the six sub sections of Section 17(1), (a) relates to legal right or claim applicable to all, (b) applicable to judicial bodies, (c) applicable to law enforcement, (d) relates to BPOs, (e) relates to mergers etc and (f) relates to credit recovery. None of these makes any exclusive provision in favour of the Government.

Subsection 17(2) applies to the Government and we may look at it in detail.

17(2)(b) relates to research and archiving, which are mostly cases of anonymised information. Section 17(2)(a) relates to “Sovereignty and integrity of India, Security of State, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence”, all of which fall under reasonable exceptions under Article 19(2). The procedural aspect required to claim this exemption is the creation of an “Instrumentality” and it cannot be arbitrarily exercised by any official. The “Instrumentality” may be subject to judicial review.

Under 17(3) Government may exempt Start Ups and other private data fiduciaries from certain provisions like notice, data retention and accuracy of data.

Exemption to Government is limited to data retention and erasure and data retention.

In view of the above, the objections raised on the Government having been exempted are incorrect.

Composition of DPB

One more objection is that the DPB will be a Government body. This is an empty charge since any such body has to be appointed by the Government and whether it is SEBI or TRAI or IRDAI or RBI, all appointments cannot be made by involving the CJI and the LOP. Already the SC has become an extended executive and it is unfair to expect that the LOP will now be allowed to take all decisions on appointment. We know in the case of CBI or other appointments that the LOP never agrees with the PM and hence such involvement of the opposition, which is fundamentally interested in not allowing the Government to work, is not required.

Money Bill.

There is also a comment on why the Bill is considered as a money Bill. We do not know what the view of the Speaker will be in this regard but it is clear that the Bill envisages a debit to the Consolidated Fund of India for setting up of the DPB and credit of penalties into the Consolidated Fund of India. For this purpose, and since this expenditure and revenue are not included in the annual budget, it is correct to consider this as a “Money Bill” only.

Though Mr Ashwini Vaishnaw and Rajeev Chandrashekar have both confirmed that the Bill has been introduced as a general bill, it would be appropriate to consider it as a money bill only.

In case the Bill can be classified as a Money Bill and passed quickly it should be welcome.

Naavi


FDPPI and Manipal Law School Round Table on DPDPB 2023

Yesterday (3rd August 2023), Government introduced the Digital Personal Data Protection Bill 2023 (DPDPB2023) in the Parliament.

As expected there were technical objections to the introduction from the opposition members, some of whom wanted it to be referred to a standing committee and to be presented as a Finance Bill. Objections were recorded on there being no provision for compensation for the data principal and on the amendment to the Right to Information Act. The minister clarified that the bill was being presented as a general bill.

Subsequently the speaker put the objections to the tabling of the bill to vote and the house by voice vote overruled the objections. The Bill was therefore tabled and will be taken up for discussion some time later in the session.

The official copy of the Bill is now available at the prsindia website. The bill has been presented at www.dpdpa.in for easy viewing on a chapter to chapter basis.

In the meantime, as we removed the redlined version of DPDPB 2022 vs the draft from the website www.dpdpa.in, others have released a similar red-lined version which captures the change from the recent DPDPB 2022 version to the DPDPB 2023 version.

It is interesting to note that unlike the previous days when ITBill 1999 was introduced or the ITA 2008 was passed in 2008 the awareness about the Data Protection Bill is very high in the professional circles. The Bill has been quickly analysed and several views have been published.

One detailed critical view has been provided in this video about the changes to the RTI act.

While we understand the need for politicians to oppose any activity in the Parliament and push everything to the future, professionals should focus on the need for constructive criticism without stopping the law being passed.

To debate the Bill in a more constructive way, FDPPI along with Manipal Law School as its academic partner is organizing a virtual round table today the 4th August 2023 on Zoom, at 7.00 pm. The discussion should approximately take about an hour.

The discussion would be live webcast on youtube and should be available at this link

The main issues to be discussed are ..

a) Is the Bill considered as a Finance Bill obviating the need for passage by the Rajya Sabha?

b) Does the Bill cover the basic requirements of a data protection law such as Rights of data principals and Obligations of data fiduciaries?

c) Do the “Legitimate use” and “Exemptions” provide a reasonable freedom to business?

d) Is the concept of “Duty” of the Data Principal and a penalty for violation of the duty welcome?

e) Is the Grievance redressal system from Company to DPB to TDSAT to ADR and High Court effective?

f) What are the remedies to a Data Principal? Does he/she not have rights to claim compensation? If so why?

g) What is the change made to RTI act? Is it as bad as it is made out to be?

h) How is the Data Protection Board being constituted? Is it properly represented?

i) Any other point of discussion that arises.

We look forward to a useful discussion.

Naavi

Also Refer

NDTV: Penalty can be “Per Breach”…Rajeev Chandrashekar

Miscellaneous articles


44 Section version of DPDPB 2023 now surfaces

In what appears to be the latest version of the Bill to be tabled tomorrow, the draft DPDPB 2023 with 44 sections is now available.


DPDPB 2023: Concerns of Brittas addressed?

Mr John Brittas, one of the members of the IT Standing Committee which reviewed and commented on the draft DPDPB 2022, has submitted a dissent note which has promptly been circulated by a section of the media to criticise the proposed Bill. (Refer here)

Justice B N Srikrishna, in his interview to The Hindu some time back, had also criticised the DPDPB 2022.

However most of the concerns expressed by John Brittas and Justice B N Srikrishna seem to have been addressed in the version which may be presented in the Parliament.

We are still not clear about the official version which will be presented but the above version with 33 sections appears to be one created after the IT Committee report and has addressed many of the issues. It still has one or two minor modifications that may be required like definition of harm and handling of publicly available data. But these can be incorporated during the discussion.

Mr Srikrishna’s objection on the constitution of the Data Protection Board has been addressed by reverting to the earlier PDPB version of a Board with a Chairman and Six members though the tenure has been reduced from 5 years to 2 years.

Brittas’ objections, like the objection to the amendment to RTI, have been discussed in the past and do not hold substance. The concerns on “Deemed Consent” have been addressed through the Legitimate Interest and there are provisions for addressing deliberate violations.

The power of claiming compensation by data principals is available under ITA 2000 (Section 43) and can be invoked along with the adjudication under DPB. It would however be better if the DPB is provided the power to provide compensation also so that the issue would be settled in one hearing.

Brittas seems to support the data localization and Government should be happy to introduce it through notifications.

Mr Brittas has an objection to Right to Data Portability and Right to Forget not being included. These are not sacrosanct. A Data Principal can get the information back and re-submit if he wants. Transfer of data from one business competitor to another under “Portability” is a matter of convenience but not critical. Right to Forget is not possible in India as it can be grossly misused.

It is recognized that a Data Protection Law will have conflicting interests, like Startups needing exemption, and the Government has accommodated an enablement clause for such purposes, to which Mr Brittas has an objection.

Exemption to Government has been an eternal objection but this is an issue which cannot be resolved to the satisfaction of Privacy Activists since there is a security requirement to consider.

The Dissent note of John Brittas is well constructed and needs to be taken note of when the rules and regulations are formulated by the DPB. For the time being the Bill is good to be passed with some minor corrections.

We hope that the Parliament will allow the Bill to be passed or more appropriately the Government will pass it whether there is consensus or not.

Naavi
