After four years of wrangling amid massive public interest, a draft bill that had to be withdrawn after a national hue and cry, stakeholders meetings, parliamentary committees and months of intense lobbying, the Digital Personal Data Protection Bill (DPDP) has finally been tabled in Parliament.
It is perhaps the single most important piece of legislation that will govern the life of all of us in the online world that we increasingly spend time in, working, playing and everything in between.
“This landmark legislation serves as a robust shield against unauthorised access, data breaches and misuse, instilling greater confidence in individuals and bolstering trust in digital transactions,” said Trishneet Arora, noted ethical hacker and founder & CEO of TAC Security.
But hold on, before you raise a toast to the new stability, privacy and responsibility that the new law will ostensibly guarantee our digital lives. Is it as hunky dory as Electronics & IT minister Rajeev Chandrasekhar and the government is trying to convince you?
Spurred by the Supreme Court’s landmark right to privacy judgment of 2017 and the Srikrishna Committee which made an initial draft, the original ‘Personal Data Protection Bill 2019’ which was tabled in Parliament itself had shown which way the wind was blowing — intense backroom pressure from Big Tech and the likes led to many stringent privacy provisions being watered down, with bureaucrats sneaking in many clauses which gave the powers-that-be blanket control over anything from snooping on individuals to internet blocking. An outcry led to the bill being sent to a Parliamentary committee that examined provisions and met stakeholders, leading to the new DPDP Bill finally making it back to the well of the House on Thursday.
While headlines scream of Rs 250 crore fine on data fiduciaries (ostensibly the internet intermediaries who hold a vast amount of private data of Indians) and even an outright blocking of the platform for more than one omission, what has been lost between the lines is that the watering down of stringent privacy safeguards that were modelled on the similar GDPR of European Union, still remains.
What has changed? Oh, lot of protection for big businesses. The multinationals had two primary asks for which they had lobbied intensely—one, the permission to transfer data abroad, and the other, removing criminal punishment for breaking the data laws once they come into effect.
“The removal of criminal penalties and restrictions on cross-border data flows are a few prime illustrations of the Ministry of IT & Electronics addressing (industry) concerns on key issues under the earlier versions of the DPDP Bill,” said Kirti Mahapatra, partner with leading law firm Shardul Amarchand Mangaldas, adding, “Such a business-friendly regulatory approach is further geared towards the promotion of ease of doing business in India.”
Worse, the new Bill also casts an eagle eye on how citizens behave online, and it is not just about privacy of data. Calling the bill “a big win for the industry”, Apart Gaur, leader at Nishith Desai Associates said, “The Bill also protects interests of businesses by imposing certain duties on the data subjects such as duty to not impersonate; not file frivolous complaints; not suppress material information, among others.”
What makes 'Big Brother’ even more of a reality is that in its current form, the Bill only provides for a skeletal framework and bestows rule-making powers on the Government on various aspects as one goes along — meaning it can be adapted and modified (read: draconian provisions added as per the wants of authorities at any point of time) without a specific Parliamentary amendment or clearance.
While the Bill has provisions which will enable individuals to govern their own personal (digital) data and drive businesses to ask for permission and process personal data of individuals in a lawful manner and for specific purposes only, how it will be enacted remains to be seen — presently, we have all seen how apps and social media companies give users a long and convoluted user agreement and update to rules with the only option being either ‘agree’ or stop using the said service. Will things improve or remain the same?
Whether it will overlap with other areas of law also remain to be seen. For example, the Competition Commission of India has been handling cases related to Google, WhatsApp and Amazon in recent times.
“Once passed, DPDP will create a new and distinct set of disciplines for data fiduciaries and a new data protection board (which may lead to) jurisdictional conflicts (that can) often delay effective implementation of law,” pointed out Rahul Rai, co-founder, Axiom 5, law chambers.