What next on data protection?

Source: The post is based on the article “What next on data protection?” published in The Hindu on 22^nd August 2022.

Syllabus: GS 2: Government policies and interventions for development in various sectors and issues arising out of their design and implementation.

Relevance: To understand the issues associated with the withdrawal of the Personal Data Protection Bill.

News: Recently, the government has withdrawn the Personal Data Protection Bill. This increases uncertainty about the future of privacy regulation in India.

Why did the government introduce the data protection bill?

In Justice K.S. Puttaswamy v. Union of India case, the court held that the right to privacy had both positive and negative aspects. . The former implies the need for the state to actively take measures to protect an individual’s privacy.

Thus, the government was more or less forced to initiate the drafting of a data protection law.

What is the reason for withdrawal?

The growing importance of the digital economy and the broad scope of the proposed law raised contestations between stakeholders such as the state, industry, and advocacy groups. Each version of the law — the 2018 Bill of the Srikrishna Committee, the 2019 Bill introduced in Parliament, and the version of the Joint Parliamentary Committee(JPC) in 2021 — faced different types of critique from different stakeholders.

Data protection bill and stakeholders’ concern

a) Domestic industry felt that the law will create compliance hurdles for them, b) For state the law could limit intrusive data processing by state agencies, but it could also promote geopolitical, strategic or regulatory interests, c) For users poorly drafted law could legitimise certain intrusive practices, d) For advocacy groups the bill is a dilution of the focus on data privacy.

However, a law can also promote regulatory certainty, thereby opening up the possibility of increased data flows and the growth of the data processing business.

What are the recommendations of the Joint Parliamentary Committee(JPC)?

How to address the challenges in the new data protection law?

There are two challenges associated with the introduction of new data protection law. These are a) the form that a new law will take, and b) the nature of protections it will offer. These can be addressed by the following steps.

Form of the new law: The government has suggested that it will introduce multiple legislation comprising a new comprehensive legal framework. This is the right approach as it is healthy to maintain some multiplicity in the governance of a complex digital economy.

The effectiveness can be further enhanced if a) Different laws and agencies should co-exist, b) Each bill should address a single coherent set of objectives and avoid overlapping, c) Separate laws should deal with issues concerning state surveillance, or issues in the data economy.

Nature of privacy protection: The law should a) Build on a risk-based approach to data protection, so that the regulatory focus is directed towards addressing sources of potential harm, b) Based on risk assessments, the law could enable co-regulation and self-regulation. c) Include more provisions to ensure accountability of the regulator, d) Invest in building some administrative capacity to implement it, as it did with SEBI and PFRDA, for faster implementation of law once passed, e) Framed based on transparent and meaningful consultations with all stakeholders.