Mint Explainer: Concerns around Digital Personal Data Protection law

The Digital Personal Data Protection Bill is currently pending presidential assent. (Photo: iStock)
The Digital Personal Data Protection Bill is currently pending presidential assent. (Photo: iStock)

Summary

  • Parliament on Wednesday passed the Digital Personal Data Protection Bill (DPDP), heralding what will become the country’s first law on protecting personal data

India will soon have its first law on protection of personal data belonging to users, treatments and processing of the data by entities, including the government, and a legislative framework aimed at making platforms, big and small, accountable for using the data which has to be used for the purpose it is taken. Yet, legal experts, Parliament members and policy consultants have flagged several concerns that the Digital Personal Data Protection (DPDP) Bill does not address.

Mint takes a look at some of the key concerns regarding the proposed law.

Enabling data processing by design, rather than data privacy

Privacy experts and policy consultants said that one key aspect about the DPDP Bill lies in its positioning as a regulation that enables data processing, rather than enabling data privacy while imposing specific restrictions on what kind of data processing can be allowed. 

Prateek Waghre, policy director at non-profit organization, Internet Freedom Foundation of India (IFF), said that a key concern is that the Bill is designed to enable processing of personal data, while laying down a few restrictions around how personal data flow is to be restricted. 

Some Parliament members have also flagged that the data privacy is missing from the intent of the bill and rather talks of data processing.

No appeal avenue for companies on State data demand

Lawyers say that the DPDP Bill’s provision to enable government agencies to ask companies to produce user data as required is extremely broad-brushed since it can allow government bodies to seek any personal data under mentioned clauses such as electoral procedures, or the protection of sovereignty of the State. This also does not offer any of the “significant" data fiduciaries with any appeal procedure that they may seek, in answer to the government’s demand for any user data at any point in time.

Left open for future rules

Policy and privacy advocates said that there are too many areas that the Bill has left open for future rules, and the legislative consultation process has not offered clarity in terms of how future sub-regulations with regard to the DPDP will be framed. Lawyers also said that in terms of retention of personal data for law enforcement purposes, the Bill states that a time frame as required by law is to be followed. However, most legislations in India do not specify such timelines, which leaves a lack of clarity in terms of how this regulatory procedure is to be followed.

RTI Act amendment could pose concerns

Privacy experts also said that the amendment to the RTI Act, proposed under the DPDP Bill in order to remove exemptions of furbishing personal information under Section 8(1)(j) of the RTI Act, 2005 could be detrimental to the use of Right to Information. The amendment offers a sweeping protection to all data — “the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual." 

IFF’s Waghre said that this amendment could be used to not disclose a wider range of information citing protection of personal data, essentially weakening the strength of the RTI Act.

Unclear on data scraping

Legal experts said that exempting information posted by a user on social media in favour of industries goes against leading examples of data privacy regulations around the world. While the Bill offers protection to data of a user that was not posted by the user themselves, experts said that such classification of data would not only be complicated operationally for companies, but leaves a lot of room for ambiguity in terms of how such personal data can be handled by companies. 

By design, social media data is posted by a user themselves, and restricting collection of re-posted data may not serve in any interest of personal data protection whatsoever.

Catch all the Politics News and Updates on Live Mint. Download The Mint News App to get Daily Market Updates & Live Business News.
more

topics

MINT SPECIALS