India’s data protection law needs refinement (GS Paper 3, Governance)
Context:
- The government is likely to table India’s fresh data protection law in the ongoing monsoon session of Parliament (July 20-August 11).
- In 2022, the government released the Digital Personal Data Protection (DPDP) Bill, 2022 for public consultation. This is its third recent attempt at drafting a data protection law.
Why it matters?
- At present, India lacks a comprehensive legislation specifically addressing the issue of data protection. The regulation of personal data usage falls under the purview of the Information Technology (IT) Act of 2000.
- While the draft released for public comments was not as comprehensive as its previous versions, news reports suggest that the government may present a Bill that is largely similar.
- Considering this, critical gaps remain in the DPDP Bill that would affect its implementation and overall success.
Scope:
- In its scope and definition, the DPDP Bill only protects personal data, that is any data that has the potential to directly or indirectly identify an individual.
- In the modern data economy, entities use various types of data, including both personal and non-personal data to target, profile, predict, and monitor users.
Non-personal data & issue of privacy:
- The non-personal data is typically anonymous data that does not relate to a particular individual — for example, aggregate data on products which numerous users look at between 9 p.m. and 11 p.m. on Amazon.
- Often, this non-personal data when combined with other datasets can help identify individuals, and in this way become personal data, impacting user privacy.
- For instance, anonymous datasets about individual Uber rides in New Delhi can be combined with prayer timings to identify members who belong to a certain community, which could include their home addresses.
- This process of re-identification of non-personal data poses significant risks to privacy. Such risks were accounted for in previous versions of India’s draft data protection Bill, in 2018 and 2019, but do not find a place in the latest draft.
- A simple and effective solution would be to add a penal provision in the Bill that provides for financial penalties on data-processing entities for the re-identification of non-personal data into personal data.
Limited reach of data protection board:
- Another gap is the inability of the proposed data protection board to initiate a proceeding of its own accord. Under the Bill, the board is the authority that is entrusted with enforcing the law.
- The board can only institute a proceeding for adjudication if someone affected makes a complaint to it, or the government or a court directs it to do so.
- The only exception to this rule is when the board can take action on its own to enforce certain duties listed by the Bill for users.
- This is for the adjudication of disputes between the law and users.
- In the data economy, users have diminished control and limited knowledge of data transfers and exchanges. Due to the ever-evolving and complex nature of data processing, users will always be a step behind entities which make use of their data.
- For example, a food delivery app can take all data of user and sell it to data brokers in violation of contractual relationship with user.
- The board, on the other hand, may be in a better position to proceed against the food delivery app on its own, on behalf of all such affected users.
Empowering the board:
- The Competition Commission of India, which is responsible for the enforcement of India’s antitrust law, has the power to initiate inquiries on its own (and utilises it frequently).
- Again, a simple way to do this would be to have a provision in the DPDP Bill that allows the data protection board to initiate complaints on its own.
Way Forward:
- These are not the only gaps in the DPDP Bill, but finding solutions to them would help address challenges in implementation in a significant way and make for a more future-proof legislation.
