The President last week gave her approval to the Digital Personal Data Protection Act (DPDPA), almost six years after the government had constituted an expert committee chaired by Justice BN Srikrishna for this purpose and the Supreme Court’s landmark 2017 judgment affirming privacy as a fundamental right. However, this endeavour had begun in the 20th century!

25 years in the making

On July 25, 1998, the government had notified the ‘Information Technology Action Plan’ three weeks after the Prime Minister’s Task Force on IT and Software Development submitted 108 recommendations submitted on July 4, 1998.

One of these averred that National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data shall be framed by the government within six months.

This was barely three years after the European Data Protection Directive (95/48) of the European Union. Of course, OECD principles of data privacy as well as Council of Europe’s Convention 108 preceded these.

The Information Technology Act (IT Act) became a reality in 2000. The 2008 amendments included certain provisions for data protection. In 2009, the government set up Unique Identification Authority of India (UIDAI) as an attached office to the then Planning Commission. In 2012, a set of nine foundational principles for the privacy law were recommended by an experts group set up by the latter and chaired by Justice AP Shah.

It is pertinent to note that the government had initiated consultations for a privacy law in July 2010, couple of months before the first Aadhaar enrolment in September 2010. Interestingly, this was led by the Department of Personnel and Training (DoPT), that also administers the Right to Information Act, 2005.

The Parliamentary Standing Committee on IT has been repeatedly urging for a robust legal framework for data protection. However, as recently as in 2014, the government’s stance was that post the 2008 Amendments, the IT Act contained adequate provisions to deal with the aspects of data security as well as for the protection of sensitive personal information.

Is privacy ensured now? In its 2012 report, the experts group chaired by Justice Shah had mentioned that at least 50 different legislations in the country already had some provisions pertaining to privacy. However, the DPDPA deals with ‘digital personal data protection’ only, a subset within the broader realm of ‘privacy’, as also dealt by the Supreme Court.

Legislative Intent

Litigation often entails discerning the ‘legislative intent’ behind a law, its specific provisions or even the delegated legislations with respect to the specific context and contours of a case. In the case of DPDPA, this would be largely limited to the ‘Statement of Object and Reasons’ accompanying the Bill.

Legislation in a Parliamentary democracy is a long and arduous process. However, once enacted, it tends to have a long shelf life even as the underlying social, economic, and political context changes significantly. Accordingly, the legislature vests certain rule-making powers with the executive as well as with the statutory authorities, albeit circumscribed by the principal legislation.

However, in the DPDPA, even the number of members of the Data Protection Board of India (DPBI) has been left to the discretion of the Central Government whereas specific numbers have been codified in laws like TRAI Act and SEBI Act.

Moreover, notwithstanding the option of being reappointed, two-years tenure may be too short to be effective.

Appeals with TDSAT

Considering that the Cyber Appellate Tribunal, the appellate body under the IT Act, had been merged with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) in 2017, it is only logical that the appeals against the Data Protection Board of India (DPBI) decisions should also lie there.

All the same, structure and resourcing of the three-member (including the chairperson) TDSAT deserves a careful review.

After all, it would continue to be the appellate body for telecom and broadcasting sectors besides those arising from the decisions by the Airport Economic Regulatory Authority of India.

Act is Done, Action Ahead

There is a lot of administrative and procedural notifications to be done by the government. These include, but are not limited to, notifying the date of commencement of DPDPA itself, the various procedures under the Act, the norms for selection of the DPBI Board members, their selection and appointment. A roadmap would help everyone.

The day General Data Protection Regulation (GDPR) became a reality in 2016, it was known that it would become enforceable exactly two years later, effective May 25, 2018. This is an unknown aspect of the DPDPA. Concerns have also been raised about certain legitimate uses without the individual’s consent as well as the powers for exemptions.

Accordingly, the government should become role models for other data fiduciaries and data processors even as all data fiduciaries need to buckle up.

By 2030, the Indian economy would have grown way beyond $5 trillion and 6G networks would be rolling out.

At that time, if we, the people can discretely and securely control and access our personal data — stored across trusted federated goods and services and determine; if, what and how much information we would like to share with whom and when; with assurance that they would use such information only for the purpose that we have consented to and authorised, that should be evidence enough about the robustness, relevance and resilience of the DPDPA.

The Way Forward

Data Protection law is a necessary enabler for the growth, adoption, and acceptance of an inclusive and resilient digital ecosystem. However, it is insufficient by itself. This must be accompanied by National Cyber Security Strategy and Surveillance Reforms as well as the framework for Non-Personal Data.

The writer is a public policy professional. Views are personal

Related Topics