Business Spotlight

India’s Data Protection Bill – A Step Forward And What Next?

A pleasant surprise for the industry is that mandatory data localization gets a free pass. This now gives all entities, whether Indian or multinational, the ability to store critical user and personal data anywhere in the world and no longer restricted to India. 

Advertisement

Rupinder Malik, Partner, JSA, Advocates & Solicitors. Views are personal.
info_icon

The Digital Personal Data Protection Bill (DPDP), which has been recently released, is a new move with new energy and its succinct wording adheres to the salient features. While it claims to protect data, Initial reactions clearly show that liberal citizens are disturbed by the fact that data protection has taken the form of surveillance and, maybe, even become a powerful tool that gives the Government wide-ranging powers without the reassurance of safeguarding citizens’ privacy.

Even more concerning is the concept of ‘deemed consent’. This permits processing of personal data without the express consent of the Data Principal in cases where the ‘the larger public interest’ justifies such disclosure. 

Advertisement

Executive Authority Enhanced

A sour additive to the new anxieties is the discretionary powers that the Government has bestowed on the executive. This delegation of legislative authority could threaten the fundamental right to privacy, diluting the essence of data protection. So, while the new draft may have cheered the reviewers who are on the alert for Government control, the federal Government can also seek an exemption if this draft were to become a reality tomorrow. Further, the Government has the licence to question any personal data on the grounds of ‘sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence relating to any of these’. In such cases, the citizen’s ‘privacy’ could be compromised.

Advertisement

Data Localization – A Point of Relief?

A pleasant surprise for the industry is that mandatory data localization gets a free pass. This now gives all entities, whether Indian or multinational, the ability to store critical user and personal data anywhere in the world and no longer restricted to India. 

The deeper implications of this measure do not inspire absolute confidence, given that Government authorities are allowed the right, at any moment in time, to "notify such data jurisdictions outside India to which a data fiduciary may transfer personal data." Though such a list of countries/jurisdictions that can be notified is yet to be announced, the possibility of the concept becoming a reality in the future could make this restriction an incisive foreign policy tool.

The Judge’s Sentiments

Retired Supreme Court Judge B.N. Srikrishna, who spearheaded the committee that drafted the Bill in July 2018, opines that the current draft empowers the Government way beyond standard exemptions. In so doing, it creates a cloud of uncertainty around the citizens' privacy while, at the same time, giving Government access to any and every form of data points throughout the entire provisions of the Act.

Data Protection Board – Is it autonomous?

The Data Protection Board's responsibility to ensure DPDB compliance may curtail the independence with which the Board can operate. Further, the Board’s member constitution is yet another blind in the entire pack of cards!  With the selection of the Board members being entrusted to the Government, entities handling critical data can be controlled by the Government whereas such crucial work needs independent functioning. Good parallels in the composition of Board members are the regulators, such as the Securities and Exchange Board of India (SEBI) and the Reserve Bank of India (RBI).

Advertisement

Baits and Boons

The new bill opens an escape route for Offline Data, given that the law's applicability has been bypassed, remaining silent in respect of personal data stored offline.
While the new draft has cleansed the murky clouds looming over the industry's questions about the earlier draft, some gaps still remain in the implementation guidelines. 

The current draft has introduced refreshingly new concepts. These include voluntary undertaking, official recognition of consent managers, and India's Data Empowerment and Protection Architecture (DEPA) as platforms registered with the proposed Data Protection Board, enabling them to provide consent, and manage and review it. Further, the removal of criminal liabilities is a welcome forward-looking change.

Advertisement

But the flip side is that the critical motives of data protection are not addressed or mentioned throughout the new draft. For instance, the right to data portability and the right to be forgotten – concepts that are given serious respect in global data protection priorities -- have been completely ignored. Similarly, another surprise is the exclusion of ‘sensitive’ personal data, which always requires enhanced protection and careful handling.
Further, the draft makes no mention of a Data Protection Fund, which is meant to serve as the central repository for all penalties collected and utilized for the data protection interests of the citizens.

Advertisement

India’s Standing in the Global Data Protection Race

Around 137 of 194 countries worldwide have instituted data protection and privacy laws, according to the United Nations Conference on Trade and Development (UNCTAD). The European Union’s (E.U.) landmark law, General Data Protection Regulation (GDPR), which was released in 2018, was quickly followed by countries such as the U.S., China, Canada, the Philippines, and Brazil, providing the most comprehensive legislative framework in inspiring and guiding other countries while implementing their own data protection laws.

Moderating levers such as notifying other jurisdictions, cross-border data privacy, and transfer of personal data are critical for any country to participate and cooperate in enabling the implementation of data protection laws worldwide. However, only a reasonable amount of fairness and assistance simultaneously can make this a coherent approach across all jurisdictions. Else, data protection will gradually lose its essence and impact. Just as ESG – Environmental, Social, and Governance concerns - is today a global pledge-making platform, so too data protection is a concept that cannot be successful until nations realize how critical it is to protect the privacy and data points of their citizens across lands.

Advertisement

Given the ruling considerations in the global scenario, India faces several challenges in propelling its Data Protection legislation. It remains to be seen the choices it will eventually make.

Written by: Rupinder Malik, Partner, JSA, Advocates & Solicitors. Views are personal.

Tags

Advertisement

Advertisement

MOST POPULAR

Advertisement

WATCH

Advertisement

Advertisement

PHOTOS

Advertisement

Latest Stories
  1. Elections 2024 LIVE: SC To Give Verdict On Petitions Seeking Use Of 100% VVPAT-EVM Verification Tomorrow
  2. PAK Vs NZ, 4th T20I Live Updates: Tim Robinson Completes Fifty
  3. JEE Mains 2024 Result Out: Cut Off, Marking Scheme, How to Check - All You Need to Know
  4. Tamannah Bhatia To Ananya Panday To Kriti Sanon – 5 Actresses Who’re Fore Fronting The Brown-Beige Fashion Revolution
  5. 'King': Shah Rukh Khan And Suhana Khan Are Reportedly Set To Commence Filming In London This June
  6. Bihar: 6 Dead, Over 30 Injured In Massive Fire At Hotel Near Patna Railway Station; Cylinder Blast Suspected
  7. Arijit Singh Birthday Special: From 'Tum Hi Ho' To 'Satranga', 10 Songs By The Versatile Singer To Tune In To
  8. Biden Signs Law To Ban TikTok If ByteDance Fails To Divest: What You Need to Know