Data Protection Bill Passed in Parliament with Opt-Out Clauses: Between Progress and Privacy Concerns
- ByAdmin --
- 14 Apr 2025 --
- 0 Comments
In a landmark development, the Digital Personal Data Protection Bill, 2024, was passed by both Houses of Parliament, establishing India’s first comprehensive law to regulate the collection, storage, processing, and transfer of personal data. While the bill brings long-awaited structure to digital privacy governance in India, it has also drawn criticism for allowing broad exemptions to the government, potentially undermining the very rights it seeks to protect.
The law is seen as a response to years of legal uncertainty following the Supreme Court’s 2017 Puttaswamy judgment, which recognized the right to privacy as a fundamental right. However, experts say the inclusion of “opt-out” clauses for the state may weaken its ability to offer full protection to citizens.
What the Bill Promises
The 2024 law aims to empower individuals, modernize governance, and create accountability in the data economy. Among its most notable provisions:
- Consent-based data processing: Personal data can only be processed after clear, specific, and informed consent from the user.
- User rights: Individuals have the right to access, correct, delete, and withdraw consent over their personal data.
- Data fiduciary obligations: Companies processing personal data must ensure transparency, data minimization, purpose limitation, and security safeguards.
- Creation of a regulatory body: A new Data Protection Board of India will be tasked with enforcing compliance, handling complaints, and imposing penalties for data breaches or misuse.
- Cross-border data transfer: Allowed to specific countries to be notified by the Central Government, enabling international data flow with regulatory oversight.
The Opt-Out Clause: What’s the Controversy?
One of the most debated aspects of the bill is its provision allowing the Central Government to exempt any agency or department from its purview. These exemptions may be granted for reasons such as:
- National security
- Sovereignty and integrity of India
- Public order
- Crime prevention
- Research and statistical purposes
Under this clause, government departments can process personal data without consent, without notifying individuals, and without allowing access or correction rights. Critics argue that such sweeping powers can easily lead to state surveillance, profiling, or suppression of dissent.
Moreover, the law does not mandate prior judicial or independent oversight before these exemptions are granted — a point flagged by numerous civil society groups as a serious erosion of checks and balances.
Support and Criticism
The government maintains that the bill is balanced, business-friendly, and security-conscious, enabling India to become a global digital hub. Introducing the bill, Union IT Minister Ashwini Vaishnaw said:
“This legislation balances user privacy with the practical needs of a modern digital government and the innovation economy.”
On the other hand, privacy advocates, digital rights organizations, and constitutional lawyers have expressed deep reservations. According to the Internet Freedom Foundation:
“The bill creates a façade of protection while embedding the possibility of unchecked state access.”
They argue that while companies are burdened with compliance, the government, which handles vast volumes of citizen data through welfare programs, Aadhaar, and law enforcement, is left largely unaccountable under the law’s exemption structure.
What This Means for Citizens
For everyday users, the bill brings both opportunities and uncertainties. On one hand, individuals now have:
- The legal right to know how their data is being used
- The power to revoke consent
- The ability to correct or delete personal data held by private entities
However, in any interaction involving public institutions — such as applying for government benefits, healthcare schemes, or even appearing in police records — these rights may be severely limited if the institution has been exempted under the law.
What Comes Next
The government has stated that the law will be implemented in phases. In the coming months:
- The Data Protection Board of India will be established
- Rules for data transfer, fiduciary categorization, and grievance redressal will be notified
- Companies, especially those in fintech, healthcare, education, and e-commerce, will need to overhaul their data governance frameworks
Meanwhile, legal challenges are expected, particularly to the constitutionality of the government exemption clause. Several petitions are reportedly being drafted by privacy coalitions and opposition leaders who argue that any law impacting the fundamental right to privacy must ensure proportionality, necessity, and transparency — all of which are called into question by the bill’s opt-out provisions.
A Step Forward, but Not Without Stumbles
The Digital Personal Data Protection Bill, 2024 is undeniably a watershed moment for India’s data governance. It sets the stage for long-needed safeguards and brings India closer to global data protection standards. But the strength of a privacy law lies not only in what it restricts corporations from doing — but also in how it holds the state accountable.
Until the government clarifies and limits its own powers under this law, the fundamental right to privacy in India may remain vulnerable, especially where it’s needed most — against those in power.
RELATED Blog
0 comments