The vast Indian diversity necessitates a data protection law made to its specific needs, distinct from the European model. The General Data Protection Regulation (GDPR), a renowned European Union (EU) Data Protection Law, came into existence in the middle of 2018 and gained widespread popularity as the most comprehensive global data privacy law. Despite its commendable intentions, the GDPR’s complex implementation hurdles raise concerns about its effectiveness. While the EU’s legal structure undoubtedly plays a role in these challenges, India must prioritize crafting a data protection law that avoids such pitfalls and ensures robust protection for its citizens.
Data Privacy Concerns
As the Indian Government introduced the Digital Personal Data Protection (DPDP) Bill in July 20-August 11, it is essential to assess the proposed legislation with utmost diligence and sincerity. Followed by the release of the 2022 DPDP Bill for public consultation, this year marks the third iteration of India’s attempt to forge a robust data protection framework. Though the upcoming bill is likely to resemble its predecessor, a closer look at the gaps can help prevent impeding its effectiveness and safeguard the digital privacy of India’s vast population. It’s important to ensure that this pivotal legislation truly fulfills the intended purpose.
The current data economy is inclusive of both personal and non-personal data to target, profile, predict, and monitor users. The DPDP Act only protects personal data, which has the possibility to directly or indirectly create an individual’s identity. Whereas non-personal data is anonymous and does not include any individual directly. Non-personal data has the probability of being converted into personal data when combined with other datasets that identify individuals, hence, impacting their digital privacy.
Re-identification of non-personal data sets is likely to pose risks to data privacy. The earlier drafts of India’s data protection Bill, in 2018 and 2019, demonstrably recognized the potential risks associated with the re-identification of non-personal data. Unfortunately, these crucial safeguards are entirely absent from the latest iteration of the Bill. This omission significantly weakens its ability to comprehensively and effectively protect the privacy rights of Indian citizens. To rectify this critical gap, it is imperative to reinstate a provision within the Bill that mirrors the earlier approach, namely, imposing financial penalties on data processors who engage in the unauthorized re-identification of non-personal data. Such a measure would serve as a powerful deterrent and send a clear message that the privacy of Indian citizens is not and will not be taken lightly.
Restricted Jurisdiction of Data Protection Board
While the proposed data protection board is tasked with enforcing the law, its hands are tied when it comes to launching investigations on its own initiative. Instead, it relies solely on complaints from individuals, directives from the government or courts, or specific user-related duties outlined in the Bill. This passive stance hinders the board’s ability to proactively identify and address potential data rights violations beyond individual complaints.
In the global digital ecosystem, users are blindfolded and have restrictions in data transfers and exchanges. The complexities involved in the data economy and its ever-evolving nature allow the entities using it to be always a step ahead of the users. For instance, a food delivery app can sell an individual’s entire data to data brokers, whereas an individual approach is likely to limit the resources. For instance, a food delivery app can sell any individual’s data easily to data brokers. Individuals have fewer opportunities to approach the data protection board directly, whereas the board is in a better position to act against the food delivery app.
Imposition of India’s antitrust law is the responsibility of Competition Commission of India, which holds the power to initiate self-inquiries. A provision for the same in the DPDP Bill will allow the data protection board to commence complaints on their own.
Considering the need for future-proof legislation, it’s essential to identify solutions for the challenges in the DPDP Bill.