The DPDP Bill 2023: Some Reflections

Prof. D. Mukhopadhyay
In an age of technological advancements and the proliferation of digital services, the protection of personal data has emerged as a critical concern worldwide. As of now, India does not have a standalone law on data protection other than the Information Technology Act, 2000. In 2017, the central government constituted a Committee of Experts on Data Protection, chaired by Justice B. N. Srikrishna, to examine issues relating to data protection in the country. The Committee submitted its report in July 2018. Based on the recommendations of the Committee, the Personal Data Protection Bill, 2019 was introduced in the Lok Sabha in December 2019. The Bill was referred to a Joint Parliamentary Committee (JPC), which submitted its report in December 2021. In August 2022, the Bill was withdrawn from Parliament, and in November 2022 a Draft Bill was released for public consultation. In August 2023, the Digital Personal Data Protection (DPDP) Bill, 2023 (hereinafter the Bill) was introduced in Parliament and was passed by the Lok Sabha and the Rajya Sabha on 7th August 2023 and 9th August 2023 respectively, garnering both criticism and appreciation, reflecting the complex balance between privacy concerns and the need for a robust data-driven economy. The Bill’s provisions address emerging challenges in the protection of privacy and security of personal data. The Bill has ambitious objectives aimed at striking a delicate balance between safeguarding data privacy and fostering a data-driven economy. While the legislative intent is commendable, there are both opportunities and challenges associated with achieving these goals and overcoming implementation hurdles. The legislative journey of the Bill over a period of six years signifies a democratic and consultative approach, reflecting the government’s commitment to enacting a balanced and effective law.
The driving force behind the Bill is to establish a comprehensive legal framework that ensures the responsible use of personal data while facilitating data-driven innovation and smooth economic activities.
The primary objectives of the Bill include data privacy protection by providing individuals with greater control over their personal data and empowering them to make informed decisions about its collection, processing, and sharing. While emphasizing privacy, the Bill also aims to foster an environment conducive to innovation and economic development, allowing data to be harnessed for national benefits. The Bill boasts several strengths that contribute to its potential to bring about a positive transformation in the data landscape of India. It outlines robust data protection principles, ensuring the responsible handling of personal data and enhancing individuals’ rights over their data. By mandating certain categories of sensitive data to be stored within the country, the Bill enhances the security and control of personal data, bolstering national data sovereignty. The establishment of the Data Protection Board of India (hereinafter DPBI) under clause 19 of the Bill reinforces accountability, enabling efficient enforcement of regulations and swift response to data breaches. The fundamental rights enshrined in Part III of the Constitution, particularly Articles 19 and 21, have been interpreted by the judiciary to include the right to privacy. The Bill aims to protect this right by establishing comprehensive safeguards. It emphasizes obtaining informed and explicit consent from individuals before collecting and processing their personal data. This aligns with the idea of protecting an individual’s autonomy and ensuring their control over their personal information. By way of purpose limitation, the Bill restricts data usage to the purpose for which the data is collected. This limitation prevents misuse of personal data and ensures respect for individuals’ privacy. Further, by mandating the collection of only necessary data, the Bill prevents excessive intrusion into individuals’ privacy, in line with the principle of minimal interference.
In respect of data localization, certain categories of sensitive personal data are required to be stored within the country, enhancing control over individuals’ data and safeguarding their privacy from foreign jurisdictions. This provision supports national security and accountability. The establishment of a DPBI reinforces the protection of individuals’ privacy by enforcing regulations, handling breaches, and overseeing the implementation of the law. The Bill grants individuals the right to access their data, correct inaccuracies, and even request erasure in certain cases, allowing them to exercise greater control over their personal information. Further, organizations shall be held accountable for breaches and violations, ensuring that individuals’ privacy is safeguarded and that responsible parties are held liable. The creation of a DPBI is a pivotal aspect of the Bill; the Board is responsible for enforcing regulations, handling data breach incidents, and promoting awareness. The Bill imposes maximum penalties, specified in the Schedule to the Bill, and a minimum penalty for various offences, such as up to: (i) Rs 200 Cr. for non-fulfilment of obligations for children, and (ii) Rs 250 Cr. for failure to take security measures to prevent data breaches. Penalties will be imposed by the DPBI after conducting an inquiry as mentioned above, and INR 50 Cr. is a minimum penalty for violations of the provisions of the Bill. This signifies the seriousness with which the government aims to deter data breaches and privacy infringements. However, while a significant penalty can serve as a deterrent, the wide gap between the minimum and maximum penalties may lead to inconsistent enforcement of the law.
A more nuanced approach that considers the severity of the violation and the resources of the violator could ensure a fair and proportionate system. Imposing a minimum penalty of INR 50 crore could disproportionately burden smaller businesses, startups, and non-profit organizations, potentially stifling innovation and hindering their ability to comply with the law. Moreover, it’s important to question whether a monetary penalty alone is sufficient to deter large corporations and entities with substantial financial resources. Additional measures, such as reputational damage, regulatory action, or even criminal liability for egregious violations, could enhance the deterrent effect. Striking a balance between promoting data-driven innovation and ensuring strict compliance with data protection regulations is a delicate task. The penalty provisions should not inadvertently discourage legitimate data-driven initiatives that could benefit society. One significant challenge lies in raising public awareness about data protection rights and obligations. To overcome this, comprehensive awareness campaigns and educational programs must be launched to inform individuals, businesses, and regulatory bodies about the law’s nuances. The DPDP Act may impose a substantial compliance burden, particularly on small and medium-sized enterprises (SMEs). To mitigate this, the government should provide easily accessible guidelines and support to assist these entities in navigating the regulatory landscape. The success of the law hinges on the efficacy of enforcement.
The DPBI must be equipped with sufficient resources, expertise, and authority to handle complaints, investigate breaches, and enforce penalties promptly. As technology evolves, new challenges may arise that the law does not anticipate right now. Regular reviews and updates to the legislation can help address emerging concerns and ensure its relevance over time. Building a culture of data protection and privacy within organizations and society is crucial. Encouraging businesses to adopt privacy-by-design principles and fostering a sense of responsibility towards data protection will contribute to long-term compliance. To ensure that the nation maximizes the benefits of the DPDP Act, 2023 (once the Bill approved by Parliament receives the assent of the Hon’ble President of India), while addressing its implementation challenges, several measures are recommended, including that the government issue relevant clarifications and guidelines. For instance, the government may clarify the ambiguous provisions and offer practical insights into compliance for businesses. Besides, initiatives to educate businesses, individuals, and regulatory bodies about the legal implications of the proposed Act’s provisions are essential to smoothing the transition. Continuously engaging with industry stakeholders can help strike a balance between privacy protection and fostering a data-driven innovation ecosystem.
The Bill referred to above heralds a significant step towards enhancing data privacy and security in India. While it presents strengths that ensure comprehensive data protection and accountability, addressing its shortcomings through strategic measures is crucial. By focusing on clarity, capacity building, and striking a balance between privacy and innovation, the nation can navigate the data landscape with confidence, ensuring both individuals’ rights and economic growth are well-served. As the Bill gets transformed into an Act, it stands as a testament to India’s commitment to safeguarding privacy and promoting progress in the digital age. Privacy protection can be effected through rules framed for the collection, storage and deletion of individuals’ data. Further, it is necessary to ensure that data is not used to undermine individuals’ choices, which warrants access, transparency and, of course, accountability for the actions of machine learning systems. Besides, in order to smoothly implement and subsequently reap the benefits of the DPDP Act, 2023 (assuming it will receive the assent of the Hon’ble President of India soon), it is essential to intensify digital and financial literacy programs for the nation at large.
(The author is a Bangalore-based Educationist & Management Scientist)