Weigh security risks before enforcing data protection act
Digital data protection legislation has had a bumpy ride so far. The first draft of the Data Protection Bill was introduced in 2018, but was withdrawn after multiple amendments and critical responses. Then the 2023 version was pushed through both houses of parliament without much discussion, and received presidential assent a little over a month ago. The Act that was hurried through is replete with the phrase “yet to be prescribed”—and therein lies the red herring. The Digital Personal Data Protection Act 2023 is still too premature for implementation, as it would rely heavily on a slew of rules that are yet to be formulated and notified. The Union government’s informal assurance that it would take another six to twelve months to formulate the rules is welcome. The timeframe makes sense because, meanwhile, the IT ministry has invited Big Tech companies like Google, Apple and Meta to share their views.
The Act’s object—to provide for a system that protects the personal data of individuals and allows it to be processed for lawful purposes—is indeed necessary. However, regulating digitised data is a new frontier and there are many imponderables to be settled. Hopefully, the interaction with Big Tech outfits would help frame the debate. The issues include the timeline of implementation and whether all entities would go for it at the same time, or giants such as Google would do it differently than smaller companies. For one, Big Tech is concerned about blocking out those below 18 years of age from accessing some apps.
It is estimated that the rules for implementing the Act would require action in as many as 26 sectors. The government should use this time to ensure that the data protection machinery being set up is a strong deterrent to hackers. Not long ago, we were treated to the spectacle of masses of Aadhaar data being compromised despite the government’s assurances on security. The high deterrence prescribed by way of fines—of as much as Rs 250 crore for breach of security—is commendable. There are shortcomings, too. Critics point out that the Act allows a limitless process of delegated legislation to make subsidiary rules. This can be misused and lead to a vague and onerous implementation machinery. The Data Protection Board is without an independent selection process and could be packed with government nominees. These concerns deserve serious thought.