India’s data protection law needs refinement

Parliament is going to table the Digital Personal Data Protection (DPDP) Bill, 2022 in the monsoon session with some significant changes, including lowering the age of consent for data processing and providing exemptions for certain companies.

• Last year, the bill was released for public consultation.

What was is in the Bill?

• Aim: to enhance data protection and accountability for internet companies, mobile apps, and businesses handling citizens’ data.
• It prioritizes the “Right to Privacy” and includes provisions for explicit consent, data fiduciaries’ responsibilities, cross-border data transfers, and individual rights.
• Formation of Data Protection Board of India (DPB): The latest draft proposes a new regulatory framework that was present in previous versions, which now significantly limits the scope of the envisioned Data Protection Board of India (DPB) vested with significant regulatory-making, enforcement, and adjudication powers.
• Government’s procession of personal data and exemptions allocated: The present Bill also includes significant exemptions to the state's handling of personal data.
• First, as previously indicated, the Union government has the authority to establish "fair and reasonable" reasons for which personal data can be used without the consent of a data principal.
• Second, most data protection standards are waived off if the processing is done "in the interests of preventing, detecting, or investigating any offence or other violation of any law.”
• Lowering Age of Consent: The Bill had fixed the age of consent at 18 years, requiring parental consent for processing data of individuals below 18.
• Provisions for Data Fiduciaries’ (SDFs): DFs have to fulfil certain additional obligations for greater scrutiny by the government.
• Definition of a Child and Exemptions: In the 2022 draft, the definition of a child was an “individual who has not completed eighteen years of age”.
• Relaxations on Cross-Border Data Flows: The bill allows global data to flow by default to all jurisdictions other than a specified negative list of countries where such transfers would be restricted.
• Scope: The scope of the Bill encompasses digital personal data within India but also extends its jurisdiction to cover data processing activities outside the country. 

What is the need to strengthen data protection laws? 

• Ever-expanding data universe: India’s smartphone users are expected to touch a billion by 2026.
• Market for social media giants: India continues to be the key growth market for social media giants, who derive their value from the data they collect.
• Data, the innocuously basic (the new oil): If one download an app, data is required, if one plays a game, data is required. Data can then be used for profiling an individual, targeting ads, predicting behaviour and trends, and so on.
• Lack of legislation: At present, India lacks a comprehensive legislation specifically addressing the issue of data protection. The regulation of personal data usage falls under the purview of the Information Technology (IT) Act of 2000. 
• To arrest social harm: A digital economy has emerged as a social need where certain practices that may promote digitisation, are also harming society at large. It is these social harms that need to be arrested, while allowing safe practices to flourish.

Concerns associated:

• Limited in its scope and effect: The DPDP Bill only protects personal data that is any data that has the potential to directly or indirectly identify an individual.
• Limited reach of data protection board: The board can only institute a proceeding for adjudication if someone affected makes a complaint to it, or the government or a court directs it to do so.
• Limited knowledge of data transfers and exchanges: Due to the ever-evolving and complex nature of data processing, users will always be a step behind entities which make use of their data.
• Critics of the Bill raise concerns that it might weaken the Right to Information (RTI) Act.