Whatsapp 93125-11015 For Details

Important Editorial Summary for UPSC Exam

21Jul
2023

India’s data protection law needs refinement (GS Paper 3, Governance)

India’s data protection law needs refinement (GS Paper 3, Governance)

Context:

  • The government is likely to table India’s fresh data protection law in the ongoing monsoon session of Parliament (July 20-August 11).
  • In 2022, the government released the Digital Personal Data Protection (DPDP) Bill, 2022 for public consultation. This is its third recent attempt at drafting a data protection law.

 

Why it matters?

  • At present, India lacks a comprehensive legislation specifically addressing the issue of data protection. The regulation of personal data usage falls under the purview of the Information Technology (IT) Act of 2000.
  • While the draft released for public comments was not as comprehensive as its previous versions, news reports suggest that the government may present a Bill that is largely similar.
  • Considering this, critical gaps remain in the DPDP Bill that would affect its implementation and overall success.

 

Scope:

  • In its scope and definition, the DPDP Bill only protects personal data, that is any data that has the potential to directly or indirectly identify an individual.
  • In the modern data economy, entities use various types of data, including both personal and non-personal data to target, profile, predict, and monitor users.

 

Non-personal data & issue of privacy:

  • The non-personal data is typically anonymous data that does not relate to a particular individual — for example, aggregate data on products which numerous users look at between 9 p.m. and 11 p.m. on Amazon.
  • Often, this non-personal data when combined with other datasets can help identify individuals, and in this way become personal data, impacting user privacy.
  • For instance, anonymous datasets about individual Uber rides in New Delhi can be combined with prayer timings to identify members who belong to a certain community, which could include their home addresses.
  • This process of re-identification of non-personal data poses significant risks to privacy. Such risks were accounted for in previous versions of India’s draft data protection Bill, in 2018 and 2019, but do not find a place in the latest draft.
  • A simple and effective solution would be to add a penal provision in the Bill that provides for financial penalties on data-processing entities for the re-identification of non-personal data into personal data.

 

Limited reach of data protection board:

  • Another gap is the inability of the proposed data protection board to initiate a proceeding of its own accord. Under the Bill, the board is the authority that is entrusted with enforcing the law.
  • The board can only institute a proceeding for adjudication if someone affected makes a complaint to it, or the government or a court directs it to do so.
  • The only exception to this rule is when the board can take action on its own to enforce certain duties listed by the Bill for users.
  • This is for the adjudication of disputes between the law and users.
  • In the data economy, users have diminished control and limited knowledge of data transfers and exchanges. Due to the ever-evolving and complex nature of data processing, users will always be a step behind entities which make use of their data.
  • For example, a food delivery app can take all data of user and sell it to data brokers in violation of contractual relationship with user.
  • The board, on the other hand, may be in a better position to proceed against the food delivery app on its own, on behalf of all such affected users.

 

Empowering the board:

  • The Competition Commission of India, which is responsible for the enforcement of India’s antitrust law, has the power to initiate inquiries on its own (and utilises it frequently).
  • Again, a simple way to do this would be to have a provision in the DPDP Bill that allows the data protection board to initiate complaints on its own.

 

Way Forward:

  • These are not the only gaps in the DPDP Bill, but finding solutions to them would help address challenges in implementation in a significant way and make for a more future-proof legislation.