New data protection law draws criticism 

The Digital Personal Data Protection (DPDP) Act, passed last week, has drawn the ire of data activists and experts in Bengaluru.

A large portion of the act is woefully inadequate, and it provides governments unlimited powers to use citizens’ data, they say. It is unclear when it will come into effect.

Some positives 

Provisions such as the requirement of consent for collection and sharing of data, high penalties for breach of data, and obligations on data fiduciaries (entities that collect and store data) are some of the positive aspects of the act.

“But if you take a closer look, you will realise that there are no specifics. There is no roadmap. In order for the law to be effective, it is necessary to be as specific as possible,” says Prateek Waghre, policy director at Internet Freedom Foundation. “Also the exemptions for government entities to access your information is a red flag. We will have to wait and watch how it plays out,” he adds. 

He states that the emphasis is on data processing rather than data privacy. “The word ‘privacy’ exists precisely in one location, where it is weaponised to amend the Right to Information (RTI) Act,” he observes. 

RTI amendment

Many experts are flagging the change in the RTI Act. “The new law exempts ‘personal information’ from being disclosed. Often, the information one seeks under this act involves some personal details. Now, appeals can be rejected easily,” says Pranesh Prakash, a law and policy consultant who has worked with the Centre for Internet and Society. 

Srinivas Kodali, an independent researcher of data and privacy, points to duties outlined in the law. “It says that it is the duty of people to give authentic information about themselves. So if I want to create an account under another name or with different details to protect my privacy, I will not be able to do so,” he says. Overall, the law gives people the ability to demand some accountability, but only from private companies at best, he says.  

Classification woes

Public interest technologist Anivar Aravind sees it as a way “to make it easier for government organisations to use our data as it gives blanket exceptions for the state”. Also, it does not address the right to privacy, which is a fundamental right, he says.

“The purpose of a data protection act is to empower the citizens. But does this act do so? It is doubtful. As it stands now, it is too weak,” he states.

However, Pranesh is hopeful that as we move forward, it will progressively become more defined. “It will probably take shape gradually on a case-to-case basis,” he says.

INDIA’S FIRST ATTEMPT TO PROTECT DATA

Prior to this, India did not have a law dedicated to protection of personal digital data. Globally, over 120 countries have legislation in place for data protection. In 2018, the General Data Protection Regulation (GDPR) made headlines. It was hailed for its extensive and progressive legal provisions to safeguard the data of EU citizens. While the DPDP Act is modelled on the GDPR, it is nowhere near as
exhaustive, experts say.

WHAT IS THE DPDP ACT?

The landmark law seeks to lay down the rights and duties of citizens and the obligations of the data fiduciaries when it comes to the use of collected personal data. It states that fiduciaries must have free, informed and unconditional consent from individuals before their data is processed. They are also responsible for protecting the data and avoiding data breaches. Exemptions are made when the
data is required to prevent and probe offences, for detecting financial frauds, and to enforce legal rights or claims. Government entities are exempted from the law if their purpose is to protect the sovereignty, integrity and security of the state.

The law also provides for the setting up of a Data Protection Board, which will keep a close watch on compliance and breaches, and decide on penalties.