[Answered] Neglecting existing regulations and establishing a new framework would undermine the considerable effort invested in their creation. Discuss the statement, with a special focus on data protection mechanisms in India.

India needs a proper data protection policy because India, with over 820 million internet users, soon to touch 1.2 billion. The Union Government has released the fourth iteration of a data protection law in India, now called the Digital Personal Data Protection Bill, 2022. The Personal Data Protection Bill, 2018, was proposed by the Justice Srikrishna Committee.

Significance:

• Cross border data flows: The DPDP Bill, 2022 allows for cross border data flow to “countries and territories” notified by the Central government.
• Regulatory framework: the current draft considerably reduces the scope of the proposed Data Protection Board of India (DPB). Out of the 22 clauses in the DPDP Bill, the Central government has been provided with rule making power in around 14 clauses.
• Disempowering the data principals:it does not allow them to seek compensation from data fiduciaries for harms they have suffered due to unlawful processing.
• Penalties:the quantum of penalties that can be imposed, with the cap being placed at ₹500 crore, are of a much higher magnitude than provided for under the PDP Bill, 2019. It places duties on data principals.
• The bill recognises the data principal’s right to postmortem privacy(Withdraw Consent) which was missing from the PDP Bill, 2019.

Concerns:

• Age of digital consentcontinues to be 18. It would result in unequal access to the internet and, finally, requiring consent from parents would hamper autonomous development of children.
• It does not provide for the right of data portability which empowered data principals and enhanced competition to increase consumer welfare.
• It subsumes the right to be forgotten under the right to erasure.This compromises on the right to freedom of speech and expression of other individuals.
• Moreover, the DPDP Bill, 2022 fails to provide adequate legislative guidancefor framing these rules. This leads to the concern of excessive delegation of legislation.
• Unlike previous drafts and most data protection legislation around the world, the Bill makes no mention of the time limit.
• The Central government exercises greater control over the proposed Data Protection Board of India (DPB) because it will appoint members of the DPB.
• The first part allows the Bill to fill in any regulatory gaps, but the second part raises concerns about sectoral regulations that may go beyond what the Bill provides.

The exemption provided under the Bill should be “just, fair, reasonable and proportionate procedure”. So, providing greater power to the government as opposed to an independent statutory authority, need to be re-examined.