Prime Minister Narendra Modi, while delivering the keynote address at the 2021 Sydney Dialogue, had remarked, ‘We use data as a source of empowerment of people. India has unmatched expertise in doing this in a democratic framework with strong guarantees of individual rights.’ The Digital Personal Data Protection (DPDP) bill, passed in the Lok Sabha on Monday, represents the fulfilment of this confidence and commitment.
The current age is often said to be the age of data, where it has become both the fuel and the driving force behind the digital economy. With the advent of 5G, the amount of data that would be produced is projected to increase multifold. The proliferation of smart devices, mobile internet and IoT devices would also exponentially increase data creation and data-producing sources. Massive volumes of data created are already being dissected and analysed by cutting-edge AI algorithms to make informed decisions across sectors and enhance the processes around them. Data-driven insights have become crucial for gaining a competitive edge, identifying patterns, predicting trends, and understanding customer behaviour.
As data became increasingly central to modern life, it also became a norm for various tech firms, governments, and corporations across the globe to gain access to unregulated databases containing public data, using it for their means without the knowledge or consent of the individuals involved. Cybercriminals and hackers also started gaining access to inadequately secured databases, harming users and organisations. It became a pressing need to establish robust frameworks for data-related activities.
The European Union (EU) took a pioneering step by introducing the General Data Protection Regulation (GDPR) in 2018. Subsequently, other major digital markets followed suit by enacting regulations in this domain. The EU’s GDPR and China’s Personal Information Protection Law (PIPL) share significant similarities. Both regulations grant the users the right to access, correct, and even delete their personal information held by business entities. Furthermore, the GDPR and PIPL impose substantial fines for non-compliance with the regulations. PIPL, however, gives enough leeway for the Chinese government and public sector to harvest the data of their billion-plus population, allowing them to train their already formidable AI algorithms, create next-generation technology solutions, and also gain insights into various aspects of society and individual behaviour. This also enables absolute state overreach.
The Data Privacy and Protection Act, introduced in the US Congress in 2021, has yet to be enacted as federal legislation due to resistance from various big tech companies. Some US states have taken matters into their own hands by enacting their own laws, primarily focusing on safeguarding individuals’ personal space from government intrusion. The EU’s GDPR, supported by the European Charter, grants jurisdiction over both governments and corporations. However, most entrepreneurs perceive these laws as overly restrictive, potentially impeding innovation.
India is the fastest-growing digital economy, with the world’s third-largest startup ecosystem. Additionally, we are the second largest producer of data globally. Leveraging non-invasive vast databases, coupled with the innovative India Stack architecture, India has successfully developed digital public goods that are now garnering widespread global adoption. The government is also actively encouraging non-personal data and anonymised datasets to be used as digital public goods.
The DPDP Bill clearly defines essential terms, including data, and the roles and responsibilities of key stakeholders. Data fiduciaries are identified as entities or individuals, including in the government and private sectors, who would store, collect, or use personal data for various purposes. Data principals refer to the individuals whose data is being processed by the data fiduciaries. Consent would become the standard practice now, where data fiduciaries can process personal data only after obtaining explicit approval from the data principal. This consent is limited to the specific purposes for which it was originally given. If and when the data principal chooses to withdraw their consent, the data fiduciary must stop further processing of the personal data and erase it within a reasonable timeframe.
Almost a third of India’s internet users are projected to be between 12 and 17 by 2025. Recognising the vulnerability of this demographic in the digital landscape and ensuring their protection, there are provisions including the need for verifiable consent from a lawful guardian before processing any of their data.
The Bill also prohibits data fiduciaries from processing any personal data that may harm the child’s well-being and strictly forbids data fiduciaries from engaging in behavioural monitoring or tracking of children. The Bill imposes restrictions on transferring personal data for processing to countries and territories outside India. There could be fines up to a massive `250 crore for lapses in compliance.
Even governments are not exempted from any of the clauses in the Bill except in situations necessary for national security purposes or to maintain public order. A Data Protection Board (DPB) would act as the regulator overseeing and ensuring compliance with the new laws and taking necessary actions against violations. There are clearly laid provisions for alternative dispute resolution via mediation. The Bill also provides the right to appeal against orders issued by the regulatory body. The passage of the DPDP Bill in the House of the People is a significant step that would lead to a secure and accountable yet thriving Indian digital ecosystem.
Anil K Antony
National Secretary of BJP, and a graduate of Stanford University
(Tweets@anilkantony)
Adarsh Kuniyillam
Parliament and policy analyst
(Tweets@authoradarsh)