Big Misses In Data Protection Law: Identifying Gaps & Challenges In Safeguarding Information Privacy

By Siddhant Jain

India has seen multiple iterations of a data protection law over the past few years as policymakers have strived to formulate comprehensive legislation regulating the usage of personal data of citizens. With the rapid adoption of digital technologies and online platforms across sectors, safeguarding privacy has become a key priority. 

The Digital Personal Data Protection (DPDP) Bill introduced in 2023 is the latest such effort to regulate the processing of personal information and uphold the fundamental right to privacy provided by the Indian constitution. While the Bill aims to check misuse, some provisions may need further strengthening to provide robust safeguards.

Expansion in Government Access To Personal Data

The DPDP Bill allows government agencies to be exempted from obligations of the privacy law if needed for activities like national security, public order maintenance etc. Additionally, it also provides the government powers to access personal data from private companies through a notification for unspecified purposes.

While exemptions and data-sharing provisions for government bodies are not uncommon in privacy legislation globally, several experts have suggested building more safeguards around the same. These can prevent possible overreach and ensure such provisions are not misused or exploited beyond genuine requirements.

Additional scrutiny during the passage of the Bill may be merited to formulate checks and balances around expanded data access. Amongst measures suggested by observers include defining the scope of public order and data sharing needs more precisely. Having an independent body evaluate exemption and data-sharing requests before approvals is another recommendation made for incorporation.

Personal Data In The Public Domain Left Unregulated

A key tenet of data protection laws worldwide is requiring consent for the collection and use of personal information. However, the DPDP Bill excludes publicly available personal data from consent requirements and other compliance needs mandated under the legislation.

As an example, if users voluntarily share personal data on public social media platforms, the same can be processed by private or government entities without consent under the Bill. This relaxation poses risks of large-scale data scraping and analytics by various parties for multiple purposes without checks against reasonable privacy expectations of users.

Parental Consent Requirement For All Teenagers

A key aspect of the Bill is defining children as anyone under 18 years and requiring parental consent for online services offered to them. This blanket provision mandating parental permissions for teenagers accessing platforms widely used by youth poses risks of access denial and stifling agency.

Having graded norms depending on age groups rather than a one-size-fits-all regulation has been suggested by child rights bodies. For instance, mandating verifiable parental consent for users below 16 years for certain categories of high-risk services. Allowing self-consent above this threshold with residual checks can safeguard the interests of younger teenagers while not impacting the independence of older youth unduly according to stakeholders.

Inadequate Security Safeguards Against Data Breaches

While the DPDP Bill requires entities to take reasonable security safeguards, it does not define adequacy benchmarks associated with the storage and processing of personal data. This aspect may require further strengthening given rising data breaches globally including frequent incidents in India.

DRM video security focuses on preventing unauthorised use and distribution of digital media content. DRM technologies control access to copyrighted video content, limiting how it can be viewed, copied, or shared. This is crucial for content creators and distributors to protect their intellectual property and revenue streams.

The inclusion of clear data security expectations along with breach disclosure and compensation mechanisms can help reinforce privacy protections as per technology practitioners. Defining such safeguards aligned to global protocols and having graded requirements depending on data sensitivity allows balancing priorities. Other suggestions include self-regulation models whereby sectoral industry bodies can define security standards that can be periodically audited by independent authorities.

The connection between data privacy laws and DRM lies in the broader theme of digital rights and security. While data privacy laws protect individuals’ personal data, DRM safeguards the rights of content creators. Both aim to establish a secure and controlled environment in the digital space, where personal and intellectual property rights are respected. However, this intersection can also raise concerns. For example, overly restrictive DRM might impede legitimate uses of digital content, and in the process of enforcing DRM, companies might collect user data, potentially conflicting with privacy regulations. Balancing these two aspects is a challenge in the ongoing development of digital policy and technology.

Limitations In Consent Frameworks For Data Sharing

When taking consent from data subjects, companies are not currently required under the Bill to disclose details regarding third-party data transfers or retention timeframes. Limiting consent requirements to the purpose of collection dilutes oversight of downstream usage once access has been granted to an entity. 

Having expanded consent disclosure norms covering critical aspects like data retention, overseas transfers and third-party sharing details allows users more informed privacy choices as per civil society recommendations. Enabling consent portability via withdrawal and data erasure options also merits consideration by policymakers to strengthen user rights over personal information.

The Road Ahead For India’s Privacy Regime

While India undoubtedly needs a comprehensive data protection law covering the usage of personal data in the digital economy, experts have suggested further fine-tuning of certain aspects is merited. Strengthening safeguards around government exemptions, public data scraping, children’s agency, security breach accountability and consent limitations can assist in reinforcing privacy protections.

Getting these nuances right by addressing gaps allows the creation of a globally leading rights-based legislation attuned to the realities of the modern digital economy. It enables realising the objective of checking misuse of personal data while allowing innovation in various sectors that rely on data-driven technologies.

The Way Forward

In its current form, specific provisions within the DPDP Bill pose risks of undermining data privacy protections if enacted unchanged as per stakeholders. While the Bill aims to check misuse of personal data, further strengthening safeguards by taking a comprehensive view of privacy implications merits consideration during finalisation.

Allowing sufficient debate and diligence while formulating such an important regulation will pave the way for India to be at the forefront of progressive privacy regimes. With some of the gaps plugged, the DPDP Bill can be a landmark legislation upholding the right to data protection for 1.3 billion citizens while powering the country’s digital growth story.

(The author is the CEO and Co-founder of Vdocipher)

Disclaimer: The opinions, beliefs, and views expressed by the various authors and forum participants on this website are personal and do not reflect the opinions, beliefs, and views of ABP Network Pvt. Ltd.