The first sentence of the Digital Personal Data Protection Bill 2023 (DPDP), which was approved by Parliament on August 9th, is “This Act’s aim is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to have their personal data protected and the necessity of processing personal data for lawful purposes and for matters connected therewith or incidental thereto.”
However, the measure “seeks to provide for the protection of digital personal data,” according to the “Objects & Reasons” statement.
Does this bill do enough to protect your privacy and the interests of the country?
Here is an evaluation.
-
Key Features Of The Bill DPDP 2023
The entire system is effectively a compliance framework, giving Big Tech, the Data Protection Board, and the government virtually limitless discretion.
The Data Protection Board (DPB), which will be established in accordance with the act, will have sole authority, civil court-like powers, and no proper accountability. For activities made in good faith, the central government and the DPB are both exempt from punishment.
Injunctions are not permitted by any court or other authority, and all civil courts lack jurisdiction.
Except for a meagre “grievance redressal” mechanism, the DPDP 2023 offers the data principal no rights or protection.
The “data principal” who has exclusive property rights, ownership, or other civil or human rights conferred to them is not recognised by the DPDP 2023 as the owner of the data.
This measure does not provide the data principal with any civil or criminal remedies that are consistent with the Constitution or the Universal Declaration of Human Rights (UDHR).
Additionally, there are no sections addressing violations, solutions, or financial compensation for the aggrieved person (data principal). The fine assessed simply goes to the Consolidated Fund of India; the data principal is not given compensation.
The DPDP does not contain any provisions for loss, harm, violation of the duties of the data fiduciary, children’s rights, or fundamental rights, including the right to privacy, that can compensate the data principal while abrogating the affected person’s right to compensation (u/Sec 48A of the IT Act, 2000) for wrongful loss or gain by a body corporate.
The law does not mention the privacy of the owner or data principal, which is the foundation of all data protection frameworks globally, including India (see the Puttaswamy ruling), at all. The only exception is when the right to disclosure under the RTI Act is excluded or abrogated due to the public official in question’s right to privacy.
The data fiduciary and the DPB jointly become the de facto lawmakers through the “voluntary undertaking”. This makes it possible for a personalised and personalised compliance system that essentially avoids Parliament and the rules set forth in this measure.
There is a restriction on actions being taken against corporations solely for adhering to their own voluntary commitment that was recognised by the DPB, regardless of the type of breach, the severity of the harm to the person or to their safety, or the harm to their enterprises or the nation.
In the event of a conflict, DPDP 2023 takes precedence. This will essentially prevent or abrogate the application and reliefs provided by other statutes, resulting in clickwrap licences with conflicting requirements.
A data fiduciary is not required to notify a breach within a certain amount of time. The form and method for reporting the breach will be as may be prescribed.
Without regard to everything already done in reliance on the aforementioned rule, the rules adopted under the act may only be changed or stopped with the consent of both houses of Parliament. Therefore, Parliament’s function as a legislator is circumvented.
Personal data might be transferred outside of the nation by default. At most, the government can inform specific nations that it cannot be transferred.
The Data Protection Board is only allowed to impose fines that are up to Rs 250 crore (about $30 million).
Contrast this with the $5 billion fine imposed on Facebook by the US regulator or the General Data Protection Regulations (GDPR) of the European Union, which represent a percentage of sales.
DPB won’t act or punish the offender unless the violation is “significant,” an ill-defined thing. The person, or data principal, is not particularly eligible for any kind of relief or compensation.
-
Personal Data And The Ecosystem
A person’s personal information, including their opinions, speech, transactions, health, usage of their rights and liberties, any activity, communication, etc., is their counterpart and digital imprint.
Any medium may be used to record it and store it. The UDHR states that human rights—including the rights to privacy, ownership and monetization, cultural expression, access to remedies, and local or national jurisdiction—exist and are unaffected by the nature of the medium.
Along with impinging on the person’s fundamental rights and liberties, access, influence, and control over personal data can jeopardise the person’s physical, financial, and other forms of security.
Big Tech and other organisations collect and process enormous amounts of personal data.
Through a series of revolving doors between the US federal government and various firms, Big Tech is incorporated into the US Deep State by employing hundreds of former employees of various agencies, such as the CIA, FBI, etc.
Whether overt, lawful, or covert, personal data can be used for good or bad purposes. Personal information is used for a variety of purposes, including profiling, targeting, setting narratives, deplatforming people or ideas, acting as a source of “truth”, forcing people to make decisions, producing deep fakes, deleting voter lists, inciting civil unrest, surveillance and control, blackmailing, etc.
Any entity, from the individual to the group, has been profiled and targeted, regardless of scale, including communities, classes, religions, electorates, social groups, civilisations, and geopolitical factors.
The US government has turned Big Tech into a weapon. Senior Big Tech executives are currently being questioned by the US Congress for using it as a weapon against US individuals, including Congress members.
At one point, the US President and our own Minister of IT and Law had their platforms taken down by Big Tech cartels.
C: Impact
Geopolitical: For the knowledge economy’s new economy, data is the new oil. Unrestricted data flow has a similar effect while losing the advantage, much like oil, which has costs and limitations on the flow and is also employed in the war economy.
On another level, the Hindenburg and Soros attacks demonstrate how potentially useful information, including personal data, may be exploited to destabilise governments, undermine economies, or damage the reputations of those engaged with far-reaching repercussions.
India has a data-rich economy thanks to its demographics, cultural variety, and rapidly expanding Internet adoption.
Unrestricted data flow from outside the nation is supplying the raw material, eliminating the nation’s competitive advantage, and subsidising the developed world at the same time.
Due to the goods equalisation policy that was in place prior to 1991, this is comparable to the deindustrialization of the states with abundant mineral resources.
Innovation, patenting, and the ecosystem: A country or jurisdiction may enforce a patent. The processing or application of the algorithms and patents in a foreign nation will involve data outside the nation.
This has an adverse effect on patenting, innovations, and the growth of the entire value chain, infrastructure, and ecosystem associated to it. It also results in Indian patents being infructuous, circumvented, and a waste of resources.
As a result, leadership, the development of core technology, and R&D will suffer.
Every person, nation, and civilization has its own distinctive set of rights and remedies, which must be localised and under the direct authority of the individual or group.
Local cause of action and remedies, such as those available for relatively “minor” patent or copyright infringements, can be used to enforce rights and remedies.
Individuals are also unable to bargain with foreign governments, licencing authorities, regulators, multilateral trade agreements, etc. In addition to a loss of sovereignty, depending on foreign organisations for routine administrative or executive operations by the government also prevents law enforcement from easily accessing real-time data.
Economy and Business: Big Tech has annual revenues in the billions of dollars each company and at least $1-5 trillion overall, with even higher market valuations.
The advertising income of the top three or f