CNBC-TV18’s Nisha Poddar recently delved into the implications of this delay and the anticipated rules while interacting with NS Nappinai, senior advocate and founder of Cyber Saathi; Nikhil Pahwa, editor of Medianama; and Rakesh Maheshwari, former senior director of MeitY.
Nikhil Pahwa expressed his deep disappointment over the delays in the implementation of the DPDP Act. According to Pahwa, the Act, despite being passed, remains largely ineffective without the necessary regulations. He criticised the government for its slow progress and pointed out that the provisions of the Act are not yet in force.
Pahwa noted that Srikrishna’s draft, the initial version of the bill, offered the most protections, but that it was significantly watered down in subsequent revisions. She stressed that the law fails to adequately balance protecting citizens’ privacy with the needs of the data economy.
“If you look at the various drafts of the bill, Srikrishna’s is the strongest of all. Little by little, the protections provided to citizens have been reduced. One of the things that this bill fought against from the beginning was the government’s intention not to have a privacy law.
They went to the Supreme Court and argued that privacy is not a fundamental right. The Court directed them to come up with a law to enforce the fundamental right to privacy through a law, especially when it comes to private companies.
Subsequently, even in Srikrishna’s draft, there was a debate between enabling a data economy and protecting rights. Therefore, the bill lacks balance in terms of protecting rights, especially as far as the government is concerned. For example, there has been no surveillance reform in this particular law. The government can still access citizens’ data held by private companies.
“Indeed, the apps and services we use are given a free pass for the government to access that data for national security purposes, and national security is not yet defined by law. So I don’t think it does enough to protect our rights, and in that sense, the bill or the law is already a failure from the start,” Pahwa said.
Senior advocate NS Nappinai also stressed the need for rules for the practical implementation of the DPDP Act. She explained that the Act, as it stands, is incomplete and needs rules to provide the necessary details and mechanisms for its implementation.
Read also: India is likely to release draft data protection rules in the next 20 days
Nappinai acknowledged the delay but remained hopeful that the upcoming rules would address the gaps and provide a robust framework for data protection. She stressed that the rules must balance individual privacy rights with industry needs to ensure both robust data protection and continued innovation.
Rakesh Maheshwari, former senior director at MeitY, stressed that the law was designed with the dual objective of protecting citizens’ privacy and enabling commercial operations. He acknowledged that while the DPDP law aims to be more comprehensive than the previous IT law, it still has limitations. The law’s consent requirement and its applicability to the government are advances, but Maheshwari agrees that the delay in finalising the rules could undermine their effectiveness.
Below are excerpts from the discussion.
Q: The fundamental right to privacy is what we have been granted. But how important are these rules for exercising that fundamental right?
Pahwa: As far as I am concerned, we still don’t have a privacy law because the law says that the various parts of that law will only be activated once these rules are issued. So I think it is quite shameful that a year after the law was passed, it has still not been put into practice and we have waited all this time for rules to be issued for it to be implemented. The government should have done it earlier, at least it should have activated some parts of the bill through the rules by now.
The other issue is that, “if you look at the various drafts of the bill, Srikrishna’s is the strongest of all. Gradually, the protections provided to citizens have been chipped away. One of the things that this bill fought against from the beginning was the government’s intention not to have a privacy law. They went to the Supreme Court and argued that privacy is not a fundamental right. The court directed them to come up with a law, to enforce the fundamental right to privacy through a law, especially when it comes to private companies. And subsequently, even in Srikrishna’s draft, there was a battle between enabling a data economy versus protecting rights. So the bill actually lacks balance in terms of protecting rights, especially with respect to the government. For example, there has been no surveillance reform in this particular bill. The government can still access citizens’ data held by private companies. So, in effect, the apps and services that we use, the government has a free hand in terms of accessing that data for national security purposes, and national security remains a very important issue. It’s not defined in the law, so I don’t think it does enough to protect our rights, and in that sense, the bill or the law is already a failure from the start.
The other case where it doesn’t protect our rights is that it doesn’t give us the right to go directly to a court. We have to lodge a complaint with the data protection board and go through a whole process, rather than trying to enforce a law by going to court. But the board itself can only decide on issues related to complaints and it doesn’t have powers to make rules. If you look at data protection authorities around the world, most liberal democracies do have that power, they have given independence and power to the board to protect the rights of citizens. In this case, the board doesn’t have those aspects. So, I don’t think that this data protection law, even after the rules are published, is sufficient. And it’s a failure on the part of the government from a citizens’ rights perspective. But I don’t think that was an intention from the beginning in terms of protecting citizens’ rights. If the rules don’t come out until a year from now, I wouldn’t be surprised, because I don’t think it’s the government’s intention to really restrict data collection and violation of our privacy, to be honest.
Q: What do you think of the rules and how important are they at this particular moment? The government has delayed implementing them for too long and things have changed. How important are they at this moment?
Nappinai: Right now, rules are needed for the law to be implemented. If you look at the way the law has evolved in India, the first draft was brought by the Srikrishna Committee, which had the responsibility of assessing the contours of a privacy law for India. Then, the 2019 law was brought, which was quite extensive. And then, a very basic draft was brought, which is what we have now. And rules are needed to supplement what is already in the law to be able to implement it. So that is a general input.
To be more specific, there is a privacy process that has been put in place under the DPDP Act. So there are data fiduciaries who will be collecting your data (the data processors), you are the data subject (i.e. the user sharing your data), there are consent frameworks and accountability frameworks. Now, these are just words. How are they enforced? How are they implemented? So that granularity always comes from the rules. So, when you ask about the time frame, it is true that the rules have been long overdue and we hope to have a fairly robust draft now, which will ensure a quick implementation.
So we will need something that will give substance to the basic draft, that will give strength to the system that is proposed to be put in place, that will ensure robust protection of people’s data and that will allow for a balance between industry activity, as any data protection law does. A law is not just about protecting users and stifling innovation or industry, but it is about achieving this balance, allowing industry activity without violating individual rights. So we have to wait and see whether the rules will be able to achieve this balance.
Q: What was the Government thinking when formulating this law? And how do you think this law can be achieved in the current circumstances?
Maheshwari: The law as it stands and the intention that has been there since 2017 when the expert committee was constituted was that the rights of citizens, the rights to privacy that the Supreme Court has granted, should be protected while trade should continue to be allowed. That was the fundamental principle – that both should continue to exist.
The current Information Technology Act, while covering privacy and the protection of sensitive personal data, is by no means a comprehensive law. Therefore, this DPDP Act to that extent incorporates comprehensiveness, including the protection of individuals’ data.
The law requires consent, so there has been talk of a consent framework that should be presented to the user in a language that he or she can understand. At the same time, the government has also been brought into the scope of the law.
Please watch the attached video for the full discussion.
Disclaimer:
The information contained in this post is for general information purposes only. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the post for any purpose.
We respect the intellectual property rights of content creators. If you are the owner of any material featured on our website and have concerns about its use, please contact us. We are committed to addressing any copyright issues promptly and will remove any material within 2 days of receiving a request from the rightful owner.