IT standing committee report on data protection bill sparks controversy

The standing committee on communications and IT has said in its report on citizens data security and privacy, tabled in Parliament on Tuesday, that the digital personal data protection (DPDP) bill should be the main legislation for data handling and privacy and should be enacted into a law at the earliest to safeguard citizens' data and their privacy.

“The Committee, in no uncertain words, stresses the urgent necessity for the early enactment of a robust and all-encompassing legislation that effectively safeguards citizens' data and privacy,” it said. “The Committee also wishes to caution the ministry about the judicious use of rule-making powers and emphasises the importance of employing them responsibly and with utmost care,” it added.

The committee which met twice after the Bill was introduced in November 2022, said that it made recommendations based on the submissions made by the ministry of electronics and information technology during these meetings and not on the actual Bill, triggering controversy since doing so was not permissible by law.

The DPDP Bill has not been shared with the committee and is yet to be introduced in Parliament. A Bill can be referred to a Parliament committee only after it has been introduced in Parliament.

The committee report includes a dissent note from member John Brittas, Rajya Sabha MP, who has said that the recommendations of the committee in the draft report should be considered as void and are beyond the powers of the standing committee as per the rules, which legally bar the committee from examining the Bills that are yet to be introduced. Minister of state for electronics and IT Rajeev Chandrasekhar said, in response to reports based on Brittas’ statement that the DPDP Bill wasn’t considered by the committee since it was not introduced in Parliament.

“No Bill including the proposed DPDP Bill can be referred to any committee unless it is done so by Parliament. In turn, the Bill can be only referred to committee after the Cabinet-approved Bill is introduced in Parliament. The DPDP has not been introduced into Parliament and so question of considering it in committee doesn’t arise,” the minister said in a Twitter post.

Legal experts said that the committee’s report could be considered unconstitutional if it has reviewed a draft legislation. “The Committee report comes across as contentious—in its observations, the Committee clearly alludes to having based its observations on the 2022 draft of the DPDP Bill. It is unconstitutional for any committee to have reviewed a draft legislation before it has been tabled in the Parliament. This raises a major question—highlighted by the IT minister's statement that the Committee was not shown the Bill itself, yet,” said a senior policy consultant who did not want to be named.

“Some changes may have taken place at the cabinet approval stage as well which was more recent than Ministry's representations to the committee. Therefore, the committee's comments cannot be considered to be specific to the final Bill which is presented unless it tallies exactly with Meity's representations in the report,” said Aparajita Bharti, Co-founder at TQH Consulting.

The committee also flagged that the exemptions available to the government in the Bill should not become the rule, as they may be misused. “Therefore, the Committee strongly recommend the Ministry to devise a mechanism to ensure that these exceptions do not become the general rule and are used only in exceptional circumstances, with the aim of promoting ease of living and the digital economy,” it said.

The DPDP Bill 2022 states that the central government may by notification, exempt “any instrumentality of the state” from the provisions of the Bill in "interests of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence".

The committee said in the report that it was pleased that the provision of the 'deemed consent' clause, which was present in the draft had been removed based on public consultation and feedback from stakeholders. “The personal data can now only be processed for certain legitimate uses,” it said.

Supratim Chakraborty, partner, Khaitan & Co said that the controversy around the ‘deemed consent’ issue was likely in the choice of the words used in the Bill. “Under the grounds of data processing, consent is just one—there are others such as emergency, employment and others. The 2022 draft used the ‘deemed consent’ phrase to put all of this in one bucket. What the final draft could rather bring is a change in nomenclature, in order to bring all of these grounds closer to global laws,” he said.