India’s DPDP safeguards but isn’t a surgical strike on data privacy


By Jayajit Dash

Bhubaneswar: Digital platforms are increasingly intertwined with our lives, and protecting our personal data is essential. The frenzied pace at which technology has permeated our lives has increased our privacy risks and has made it essential for governments to put in place robust data protection policies. Recently, the Digital Personal Data Protection Bill (DPDP), a bill aimed at protecting our personal information, was tabled in the Indian Parliament. Although the bill includes some promising provisions, it also carries some serious limitations.

A key strength of the DPDP Bill is its comprehensive framework for data protection. Among the provisions of the Bill are the definition of personal data, the rights of data subjects, and the establishment of a Data Protection Authority (DPA) to enforce the law. There are also provisions in the Bill regarding cross-border data transfers, data security, and notification of data breaches.

Its restriction on companies scraping social media data without consent is a notable feature. According to the Bill, firms can only access data that users have posted themselves, not data shared by third parties. The move ensures user consent and protects individual privacy. Additionally, the Bill limits the storage and processing of personal data beyond what users have explicitly consented to. By providing more control over their data, this provision seeks to address the intrusive practices of some companies.

Since India has drafted its first overarching Bill on data protection, comparisons with similar legislation, especially the EU’s General Data Protection Regulation (GDPR), are inevitable. It’s important to note here that while the GDPR is an extraterritorial regulation with global reach, the DPDP Bill is designed to protect the personal data of Indian citizens and does not apply outside the country’s borders.

While the DPDP Bill aims to strike a balance between personal data usage and protection, it also has certain drawbacks that deserve serious consideration. The exemptions granted to companies regarding the withholding of personal data for law enforcement purposes are concerning. Even though the exemptions are intended to facilitate investigations, they must be carefully regulated to prevent misuse and infringement of citizens’ rights.

Moreover, under Section 10 (1) of the Bill, the Government can ask for personal data from companies under broad clauses related to security and integrity or threat to electoral democracy, posing risks to data principals. The lack of a review mechanism or appeal process for tech firms, classified as “significant data fiduciaries” in the Bill, further raises transparency and accountability concerns.

It is also important to consider how data transfers are handled. This Bill moves away from the ‘whitelisting’ approach, in which eligible countries were specified for hosting Indian users’ data, to the ‘blacklisting’ approach. As a result of this shift, the government has gained significant authority to restrict data transfers to specific nations in accordance with geopolitical equations. India’s diplomatic relations could be adversely affected by such a move, which could raise eyebrows among international leaders.

Moreover, the Bill’s provisions regarding the handling of complaints have been questioned. The lack of a dedicated grievance authority raises questions about the ability of the Data Protection Board to assess and gauge the impact of breaches in consent or misuse of personal information. Developing a robust complaint resolution mechanism is essential to ensuring that citizens are confident that their data is secure and that their grievances will be addressed appropriately.

Regarding safeguarding children’s data, the DPDP Bill takes a commendable step in acknowledging modern-day internet usage by youngsters. There are, however, ambiguities concerning the definition of “verifiably safe” data processing for children, which could harm young internet users.

Despite this, there are many areas in which the DPDP Bill could be improved. The bill, for example, does not provide data subjects with the right to port their personal data. This means that data subjects cannot easily transfer their data from one company to another. Furthermore, the Bill lacks a strong enforcement mechanism. Companies that violate the law are not subject to fines by the DPA.

A right to data portability should be included in the Bill. Having the right to move data from one company to another would increase competition and give consumers a greater sense of control over their data. The Bill should empower the DPA to impose fines on companies that violate the law. In this manner, companies would have a greater incentive to comply with the law. To protect the data of children, the bill should be amended to include additional safeguards. Since children are particularly susceptible to violations of their privacy, this is a very important issue.

The Bill’s limitations must be addressed by policymakers through active collaboration with experts, civil society, and citizens. By adopting a transparent and consultative approach, a more comprehensive and effective data protection law will be drafted that truly reflects the aspirations and needs of the Indian population.

A time for dialogue and deliberation has arrived, as we strive to achieve a harmonious balance between technological progress and the preservation of our fundamental rights. Only then can we truly say that the bill adequately protects our personal data and fosters a digital ecosystem that respects individual privacy and dignity.