On the face of it, the Digital Personal Data Protection Act ticks all the right boxes. But from a citizen’s point of view, it has many missing links. For one, the Data Protection Board doesn’t have the power to initiate a suo motu enquiry in cases where individuals might be unaware of their rights or unable to file complaints.
The draft rules to supplement Índia’s Digital Personal Data Protection Act, 2023 is likely to be released soon. The Act provides statutory recognition to digital data privacy rights.
To be sure, India is among the early South Asian countries to have enacted a national data-protection law. Once effective, the Act will compel entities that gather and process digital data to collect personal data for legitimate purposes, based on informed consent of the data principal. The Act also places an obligation on data fiduciaries to implement reasonable data-security measures to safekeep the personal data they collect.
On the face of it, the Act ticks all the right boxes of being a robust data-privacy legislation. But it lacks teeth for implementation from a citizen-centric point of view. The main concern is that the Act places a disproportionate burden on citizens as data principals to bear the primary role of enforcing their rights, without creating suitable support mechanisms and institutional channels to enable the citizen to enforce their rights.
Here are some key missing links that the Act fails to connect.
Missing link #1: The obligation to promote awareness The Act does not vest the Data Protection Board with the duty to protect the interest of the data principals with respect to their data or with the obligation to conduct awareness campaigns on the rights of the data principals. This is a gross departure from international best practices (like the General Data Protection Regulation) that have explicitly vested the duty to implement the rights of a data principal on an identified nodal authority, such as supervisory authorities set up by the member states.
This is also a significant change from the prior drafts of India’s own data-protection bills, including the draft of the Joint Parliamentary Committee (in 2021) and the versions of the Bills released in 2018 and 2019 which endowed the Data Protection Authority with the “duty to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act.”
Thus, the duty to protect the interest of data principals and the obligation to promote awareness about data protection is entirely missing in the Act, leaving crucial roles of a data- protection authority in a state of limbo. This concern is even more poignant because of the digital divide in India, where only 38% of the households are digitally literate and among the poorest 20% households, only 2.7% have access to a computer and 8.9% have access to Internet facilities.
There is a need to build the culture of data privacy among India’s digital citizens to inform them of their rights and the processes pertaining to digital data privacy and other risks posed by emerging digital technologies. The failure to vest this role with an identified authority or institution under the Act might mean that the citizenry on whom the success of the law itself is hinged is left to navigate the new legislation without much support from the state.
Missing link #2: Lack of suo motu power
As it stands under the Act, the Data Protection Board can only act upon a complaint by a data principal or through reference by the central government. The power to initiate
a suo motu enquiry in cases where individuals might be unaware of their rights or unable to file complaints, is not explicitly provided to the board under the Act. This is particularly important for protecting vulnerable groups or individuals who may not be well-versed with data-protection laws or have the means to seek legal redressal.
This approach of vesting suo motu powers is taken in welfare legislations such as the Consumer Protection Act, 2019 and Competition Act, 2002, where Consumer Protection Board and the Competition Commission of India, respectively, have the power to take cognizance of a violation of the law and initiate an investigation or enquiry.
Amending the Act to permit the Data Protection Board to act suo motu would enable the boards to take proactive measures to ensure compliance, rather than relying on reactive responses to complaints.
Missing link #3: Compensation for data breaches
The Act does not provide pecuniary compensation to data principals whose right to data privacy has been breached. This is a significant shortcoming of the Act, as Section 43A of the Information Technology Act, 2000, which previously allowed compensation claims for data breaches, has been repealed by the Digital Personal Data Protection Act.
Compensation provides a means to make good various harms individuals suffer when their personal data is compromised, including financial losses, emotional distress, and privacy violations. While substantial penalties envisaged
under the Act would motivate data fiduciaries to implement measures for data protection, the erstwhile compensation incentivised individuals to report breaches and seek redress. With this avenue closed, there is now less motivation for the public to actively pursue accountability for data breaches. The absence of a compensation mechanism has shifted the burden of seeking justice onto individuals, making it more challenging for them to act when their data is mishandled, which ultimately undermines the overall accountability and security of personal data.
The final cut
The Digital Personal Data Protection Act has been acknowledged industry-friendly, as it considers the ease of doing business and prevents the law from creating barriers to entry or hurdles to innovation for market players.
Considering that the Data Protection Board under the Act is not vested with an explicit mission and suo motu powers, the successful implementation of the Act is heavily dependent on aware citizens demanding that their personal data is handled as per the letter of the law.
These shortcomings cannot be addressed except by an amendment to the Act. Until such time, research institutions and civil society actors will have to play an enhanced role to build data privacy awareness and ensure the implementation of rights under the Act.
Fonte: Economic Times