The recent passage of the Digital Personal Data Protection Bill (DPDP), 2023 by the Rajya Sabha on August 9, 2023, marked a significant milestone in a journey that commenced almost a decade ago. However, this legislative development has evoked a range of mixed reactions due to its implications and nuances. The overarching aim of this legislation, as stated by the government, is to strike a delicate balance between safeguarding personal data while facilitating its processing for lawful purposes, thereby fostering innovation and economic growth. In this process, it”s notable that the government has, in various aspects, exempted itself from the scope of this law.
A central facet of the Act pertains to the exclusion of the state from its jurisdiction when personal data processing pertains to “security of the state, maintenance of public order, or preventing incitement to any cognizable offence.” This leaves room for potential state-invoked actions justified under the umbrella of national security, which raises concerns about transparency and accountability.
Moreover, the Act introduces the concept of Significant Data Fiduciaries (SDFs) and their obligations, which include audits and data protection impact assessments. The government will identify SDFs based on considerations like personal data volume and sensitivity, risks to individual rights, potential impact on national sovereignty, and risks to electoral democracy, public order, and security. This introduces a potential for subjectivity and vagueness, as there are no concrete parameters or metrics to objectively designate SDFs.
The establishment of a Data Protection Board (DPB) with quasi-judicial powers and direct central government appointment raises concerns about independence and accountability. The spirit of the Act leans towards monitoring and regulating powerful platforms that possess significant market power, but it”s worth questioning why the government, rather than an independent body, would identify SDFs.
While the concept of ex ante regulation, focusing on potential harms posed by dominant digital entities, holds promise, the Indian approach could encounter obstacles. The inclusion of subjective criteria like “risk to electoral democracy” and “public order” lacks precision due to the absence of clear objective standards. Moreover, the requirement for market analysis for such determinations demands specialised expertise that may exceed the government”s capacity.
The Act also designates the Telecom Dispute Settlement and Appellate Tribunal (TDSAT) as the appellate tribunal for the DPB, which raises concerns about its appropriateness for handling complex data- disputes. Repurposing existing institutions for intricate technological matters may pose challenges to achieving effective data governance.
While the Digital Personal Data Protection Act aims to navigate the complexities of data privacy and processing, it faces hurdles stemming from vagueness, potential government involvement, and the selection of regulatory bodies. Striking the right balance between safeguarding privacy, promoting innovation, and ensuring accountability remains a critical challenge for India”s evolving data protection landscape.