The recently released Digital Personal Data Protection Bill is a novel piece of legislation that incorporates multiple comments and suggestions made by industry stakeholders on the Personal Data Protection Bill. The Bill is relatively more industry-friendly than previous iterations in its efforts to regulate digital data. Unlike the PDP Bill, the new legislation takes a narrower approach and looks to regulate only the data protection practices for digital data that qualifies as personal data. This is in line with the context the government gave for withdrawing the PDP Bill. The PDP Bill had tried to regulate a larger section, even those aspects which wouldn’t necessarily come under the realm of personal data protection.

This is why the government's decision to go back to the drawing board and present regulation that deals only with Personal Digital Data, rather than including non-personal data, is the sort of foresight that is helping the country realise its potential. The Bill takes several commendable steps to ensure that it complies with international standards of data protection such as the General Data Protection Regulation (GDPR) by enacting a strong consent-based regime of data privacy. This puts the regulation on par with international standards. At the same time, the government has tried not to fall prey to the “Brussels Effect” of attempting a simple copy-paste of the GDPR. Rather, the Bill takes a more nuanced approach, taking into account both the nascent stage of the country's digital ecosystem and the fact that a majority of people in our country are newly minted digital naagriks.

However, the balancing act that the Bill needs to achieve is no easy task. It needs to safeguard the privacy of the people while not stymieing the growth of the country's digital ecosystem, which is at the centre of making the $5 trillion economy a reality. The balancing act is only possible where the nuances of the ground reality are noted, more than the popular narrative that all things big are bad. There should be a check to ensure that no monopolistic practices are happening, without stifling digital and financial growth. This matters where the Bill differentiates data fiduciaries, classing some as significant data fiduciaries on the basis of the volume and sensitivity of the data processed. A data fiduciary is required to carry out certain additional compliances if it is classified as a ‘Significant Data Fiduciary’ under the DPDP Bill. Notably, such obligations include the requirement to appoint a Data Protection Officer (necessarily a resident of India); the appointment of an auditor for evaluation of compliance under the DPDP Bill; and the requirement to undertake a mandatory ‘Data Protection Impact Assessment’ process. While it is important to safeguard the data of the people, volume shouldn’t be the only qualifier, since a quantitative benchmark would miss a lot of relevant context. So instead of just volume parameters, the type of data and its impact should also be taken into account. Entities which process large volumes of data and whose processing of the data may lead to harm to data principals, risk electoral democracy, and have potential impacts on the sovereignty and democracy of India, should be classified as significant. This is important to promote growth in the country and not let entities be bogged down by compliance burdens and costs, given that the country has become a global hub for start-ups.

Similarly, the Bill proposes that “A Data Principal who is not satisfied with the response of a Data Fiduciary to a grievance or receives no response within seven days or such shorter period as may be prescribed, may register a complaint with the Board in such manner as may be prescribed.” The time period of 7 days given to data principals to respond to a complaint may not be practically feasible given the volume of data principals and the fact that additional resources would need to be deployed, which would put additional compliance burden and cost on entities.

While the draft presents a great opportunity for the realization of the digital potential of the country, it also needs to take into account the nascent stage of the tech stack of the country.

Disclaimer

Views expressed above are the author's own.
