ALLAYING FEARS OVER wide-ranging exemptions to the Centre and its agencies under the data protection law, Union Minister for Communications and Electronics & Information Technology Ashwini Vaishnaw said the law has adequate safeguards for citizens, and that the “fear against the government’s power” comes from citizens’ experience with previous governments.
“The way we have prepared the law, it has adequate safeguards for citizens. A lot of the fear against the government’s power comes from citizens’ experience with previous governments. But that is not the case today. People have a lot of trust in our government,” Vaishnaw told The Indian Express.
He was responding to a question on why enough safeguards have not been prescribed in the Digital Personal Data Protection Act, 2023, for when the central government or its instrumentalities are exempt from adhering to any and all provisions of the law while processing citizens’ personal data for reasons including national security, and public order, among other things.
Vaishnaw said India’s law has fewer government-related exemptions than the European Union’s General Data Protection Regulation (GDPR), which is widely held to be the most stringent privacy law anywhere in the world. “If we look at other laws around the world, the GDPR has about 16 exemptions for the government. The exemptions for government in our law are the same as provided by our Constitution,” he said.
Vaishnaw also said one of the “most important aims” of the law is to bring in “more accountability for big technology companies”. “Some of the major social media companies that operate in the country have huge data of users. For those companies, the law is very clear about their responsibilities and there are punitive consequences if they violate the law,” the Minister said.
The law requires companies to gather personal data of users through a consent-based mechanism, even as it allows some relaxations to that end for certain “legitimate uses”. The penalty for not being able to take enough safeguards for preventing a data breach could go as high as Rs 250 crore.
The law also has a censorship provision, as it empowers the Central government to block any platform that has violated its provisions on at least two different instances. This has also been a major criticism of the law as it is being seen as an extension of the online censorship powers the Centre already enjoys under Section 69 (A) of the Information Technology Act, 2000.
Asked when a start-up would be exempt from adhering to some parts of the law, as prescribed in one of its provisions, Vaishnaw explained that the relaxation for such businesses will apply for the time “when they are in a regulatory sandbox and are developing a product”.
“For instance, if someone is building a digital credit platform, in the sandbox, they can collect data of a limited number of participants to ensure that their system works perfectly. But as soon as they launch their product commercially, they will come out of the regulatory sandbox and will no longer enjoy the start-up exemption,” Vaishnaw said.
The law allows significant concessions to small businesses and start-ups from some key provisions including exempting them from the requirement to maintain the accuracy of a user’s personal data which is to be used to make a decision that affects the user.