DPDP Act: The Good, the Bad, and the Worrying

We used to say, “The walls have ears”. Today, all our devices do. Data collection is so robust that sometimes, even a thought in the mind, seems to pop up on our screens the moment we think about it. What may feel uncanny to the normal user reaps huge monetary benefits for companies that thrive, deal, and trade in this data. We are doing everything online — shopping, browsing, watching — and this heightened online activity has also given companies access to copious amounts of data that has been used to study consumer behaviour and habit. 900 million Indians are predicted to use the Internet by 2025, and a Data Protection Act was always the need of the hour. The intent to protect consumers’ data and more importantly, citizen’s privacy, had set the tone for its requirement. After years of deliberation, the Monsoon Session of the Parliament has passed the Digital Personal Data Protection (DPDP) Bill, and with President Droupadi Murmu’s assent, it has now become an Act. The freshly passed law has received accolades and brickbats, introduced at a time in our lives when data is currency.

The DPDP Act has garnered interest and praise from foreign data protection entities and governments in Norway, New Zealand, and South Africa, among others. Hailing it as a “landmark” regulation, news reports say that foreign officials will keenly track the law’s implementation and efficacy in days to come. Protecting data processing of children and making parental consent mandatory is a win in the current version of DPDP. The penalty of Rs 250 crore to Rs 500 crore for data breach and ultimately blocking of non-compliant companies, is also positive as it holds firms accountable for leaks. Stringent penal clauses would force businesses to tighten their systems and deploy necessary steps to protect data. We have witnessed rampant breach of data in the last few years; from bra sizes to medical and bank records, cyber leaks are only increasing. India is the second most-targetted nation after the US for cyber-attacks. The Indian government says that digital companies will be compelled to handle citizens’ data under “absolute legal obligation”, giving individuals a right to protect their data from misuse.

Some criticisms include that while there is clarity in the DPDP Act given to individuals and startups on how personal data will be utilised, there is no guidance on the ultimate implementation. The government has indicated 10 months for its implementation, while startups are urging for at least 2 years’ time. Also, contrary to what was expected earlier, early-stage startups may not be exempted, and if they are, what will be the nature of the exemptions. Startups would need time to review and reform their infrastructure, and maybe even rejig the collection and mapping of data while provisioning for data erasure as well.

Additionally, there are enough concerns being raised on the sweeping powers given to the government. The Data Protection Board (DPB) that is to be set up would have to be fiercely independent to ensure neutrality. It would consist of a Chairperson and members as notified and appointed by the central government. When the selection reins are in the government’s hands, how unbiased can the DPB actually be? And is a fair selection process even realistic in a politically charged environment? And who ensures the lack of prejudice of the DPB? The central government can also restrict transfer of data to certain countries, it can also collect data of individuals and companies at will. This is the biggest red flag because even though the DPDP Act puts the consent of data-sharing in the consumer’s hands, it gives infinite powers to the government to breach these statutes. The DPDP espouses a lack of privacy of the individual and corporates. The Act, in its current avatar, can retard the Right to Information (RTI), censor publishing platforms, perhaps even snoop on individuals. While the wiggle room of enterprises has been curbed to prevent exploitation of data, the government has awarded itself overreaching powers by citing the “interest of the general public”. Where are the checks and balances there?

The writer is an author and media entrepreneur. Views expressed are personal