By Rahul Sharma
The Supreme Court’s 2017 Puttaswamy judgment recommended that the government promptly enact a robust Data Protection (DP) law. Every passing day without enforceable DP regulation, and without intervention by government and regulators, catalyses data loot, unaccounted data breaches and processing abuse, which normalises harm. The recently introduced Digital Personal Data Protection (DPDP) Bill, 2022 has a narrowed focus and deviates from its predecessors, which went heavy on data sovereignty, localisation and compliance. What explains this change in trajectory from playing hardball to the mantra of keeping it ‘simple’?
Context
Covid and the Russia-Ukraine armed conflict have accelerated trends set in motion following the global financial crisis. Big power contestation is creating a gulf in global governance where anything can be weaponised. Macroeconomic headwinds, inflation, food security, energy crisis, supply chain resilience, looming recession and job cuts are dominating the global political discourse. These shifts and turmoils are driving newer frameworks, engagements and partnerships.
India senses an opportunity to gain more ground in this window of change. It sees itself as a natural leader of the global south. It is exhibiting a willingness to shoulder greater responsibility as a force for good. India is now batting for more integration with the world while simultaneously pursuing the goal of Aatmanirbharta. It is on an FTA signing spree with the UAE, the UK, Australia, the Gulf, etc.
India missed making the most of the earlier tech revolutions, and cyber, tech and data are now seen as the biggest growth frontiers that will help it transition from a developing economy to a developed one. Market dynamics and techno-protocol solutions (like UPI, CoWIN, Aadhaar, ONDC) are serving as the foundation for future digital blocks. A revamped regulatory architecture with DPDP, the Digital India Act, the Data Governance framework, the Telecommunications Act and sectoral protocols will serve the short to medium term. India now has the G20 Presidency, where it intends to showcase its digital transformation journey. It has also assumed the Council Chair of the Global Partnership on AI. But proposing progressive frameworks, or entering into FTAs and multilateral arrangements with digital trade components, is predicated on having a functioning regulatory regime at home.
There’s a movement amongst the democracies of the world to find alignment on areas of common concern, including tech and data regulations, social media, crypto, ransomware, telecom standards, etc. There are more frank exchanges and feedback to identify areas of convergence and make frameworks interoperable. The West has expressed concerns that data localisation and heavy-handed compliance could impact its firms serving the Indian market. Similar concerns were echoed by a few Indian firms and industry associations.
With subsequent drafts, there is a conscious effort to diverge from the EU-style data protection approach and structuring of regulations. MeitY Minister Rajeev Chandrasekhar highlighted that the “absolutist” approach of the GDPR won’t suit India given the momentum in the start-up and innovation ecosystem. Even within Europe, there are calls to drift away from more conservative data protection regulatory approaches to one that enables more value creation through the use of data and facilitates the data ecosystem.
That’s the opportunity part dictating the draft. But how does it fare on data protection? Does the draft increase transparency and trust? Does the bill advance the design of privacy cognisant processes, systems and algorithms?
What Improved?
- The draft remarkably reduced the complexities while retaining the fundamentals. Easy-to-understand language sans legal verbiage is a welcome change. It’ll result in less legal work & paperwork to demonstrate compliance.
- It improves grievance redressal for data principals. The proposed Data Protection Board is set to be digital by design for ease. The draft incorporates alternative dispute resolution and dynamic concepts like voluntary undertaking.
- Deemed consent seems a practical substitute for select use cases. But more guardrails need to be erected for employer processing, measures during breakdown of public order & health emergencies and in ‘public interest’ scenarios like recovery of debt. There are instances of loan apps lifting phone contacts & gallery and harassing individuals resulting in suicides.
- Removal of criminal provisions that had both businesses and government officials worried.
- Linguistic diversity for convenience of Digital Nagriks finds more push. Sadly, the draft is released only in the English language.
What doesn’t cut any ice?
- The draft further skews the power balance with wider exemptions for government processing activities. The JCP inserted a ‘just, fair, reasonable & proportionate’ procedure for exemption on a case-to-case basis, but the draft provides blanket exemption for certain fiduciaries, including exemption from data retention requirements.
- Right to data portability, Right to be forgotten, Right to object to unfair-unethical automated processing do not find any mention. With Sec 43A of the IT (Amendment) Act, 2008 gone, Right to obtain fair compensation is denied to data principals.
- Enforcement post enactment is targeted for 5-6 months as per MeitY’s Union Minister Ashwini Vaishnaw. Take the example of Sec 17 on data flows: unless India notifies countries on the basis of an assessment for transfers, all existing transfers by data fiduciaries will become non-compliant. Alternative transfer instruments like model contracts or certifications aren’t provided for. The draft also removed safeguards proposed by the JCP under which data was not to be shared with foreign governments or agencies without the approval of the central government. EAM Dr. S Jaishankar recently said, “Where our data resides and who harvests it matters increasingly in era of artificial intelligence”.
- The draft doesn’t categorise sensitive personal data, yet it is a criterion used to notify significant data fiduciaries, decide penalties and exempt fiduciaries.
- The attempt to make the bill modular with “as may be prescribed” repeated throughout the bill seems languid.
Reconsideration
- Enforcement action for the private and public sector needs separate treatment. Exorbitant fines might act as deterrence against companies but would the ‘money go round’ in the form of government fines work? Either way, the focus should be on taking corrective actions & highlighting outcomes and learnings to improve culture, not filling government coffers.
- Promoting India as a trusted destination: Broad exemptions for government processing are possibly incompatible with becoming a data powerhouse as scepticism about government access grows. The draft should establish standards for Trusted Data Processors that should apply even when processing foreign nationals’ data.
The draft doesn’t reflect a decade-long discourse to formulate an appropriate data protection regime that matches India’s needs and aspirations. The equilibrium can still be achieved, but at a higher threshold.
Rahul Sharma is Founder, The Perspective & Director, Grade Ace. Views are personal.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
