The data protection law in India has to be improved
Introduction:
- Creating and conceptualising a data protection law for more than 1.4 billion Indians is a task that makes it obvious India is not Europe. The European Union’s (EU) General Data Protection Regulation (GDPR), which became operative in the middle of 2018, is widely regarded as the most comprehensive data privacy regulation in the world. Even though the EU’s problems may be connected to its unique legal system, India must be careful to avoid the risks of passing a law that is essentially useless.
Issues with the use of data:
- This topic is becoming more and more crucial as the Indian government is set to introduce a new data privacy law during the current monsoon session of Parliament (July 20–August 11).
- The government released the Digital Personal Data Protection (DPDP) Bill, 2022 for public consultation in late 2017.
- Given this, the DPDP Bill still has substantial gaps that could jeopardise both its implementation and its success.
- The DPDP Bill only safeguards personal data within the bounds of its use and definition, that is, data that could be used to directly or indirectly identify a particular person.
- In the contemporary data economy, businesses target, profile, anticipate, and monitor consumers using a variety of data types, including both personal and non-personal data.
- When combined with other data, this non-personal data commonly turns into personal data, which affects user privacy.
- Reidentification of anonymous data poses serious privacy risks.
- These risks were taken into account in the 2018 and 2019 drafts of India’s data protection bill, but not in the most recent drafts.
- Since it disregards these issues, the DPDP Bill’s scope and effectiveness in providing Indians with meaningful privacy are severely limited.
The limited purview of the data protection board:
- The proposed data protection board’s inability to initiate a lawsuit on its own is another drawback.
- According to the Bill, the board is the organisation in charge of upholding the legislation.
- The board may not commence an adjudication procedure unless an affected party files a complaint with it, or the government or a court directs it to do so.
- This rule deviates only in cases where the board has the power to enforce particular requirements that the Bill outlines for users.
- This isn’t for conflicts between users and data processors; rather, it’s for issues where the law and users are at odds, including when the law forbids users from filing false or baseless complaints with the board.
Moving forward:
- In the data economy, users have minimal control over and awareness of data exchanges and transfers.
- The complex and ever-evolving nature of data processing means that users will never be able to keep up with the entities that use their data.
- The authority to launch independent investigations rests with the Competition Commission of India, which is in charge of preserving India’s antitrust rules. This is something it frequently does.
- Although these are not the DPDP Bill’s only shortcomings, fixing them will strengthen the law and considerably help with implementation problems.