The first sentence of the Digital Personal Data Protection Bill 2023 (DPDP), which was approved by Parliament on August 9th, is “This Act’s aim is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to have their personal data protected and the necessity of processing personal data for lawful purposes and for matters connected therewith or incidental thereto.”
However, the measure “seeks to provide for the protection of digital personal data,” according to the “Objects & Reasons” statement.
Does this bill do enough to protect your privacy and the interests of the country?
Here is an evaluation.
Key Features Of The Bill DPDP 2023
The entire system is effectively a compliance framework, giving Big Tech, the Data Protection Board, and the government virtually limitless discretion.
The Data Protection Board (DPB), which will be established in accordance with the act, will have sole authority, civil court-like powers, and no proper accountability. For activities made in good faith, the central government and the DPB are both exempt from punishment.
Injunctions are not permitted by any court or other authority, and all civil courts lack jurisdiction.
Except for a meagre “grievance redressal” mechanism, the DPDP 2023 offers the data principal no rights or protection.
The DPDP 2023 does not recognise the “data principal” as the owner of the data, with exclusive property rights, ownership, or other civil or human rights conferred on them.
This measure does not provide the data principal with any civil or criminal remedies that are consistent with the Constitution or the Universal Declaration of Human Rights (UDHR).
Additionally, there are no sections addressing violations, solutions, or financial compensation for the aggrieved person (data principal). The fine assessed simply goes to the Consolidated Fund of India; the data principal is not given compensation.
The DPDP does not contain any provisions for loss, harm, violation of the duties of the data fiduciary, children’s rights, or fundamental rights, including the right to privacy, that can compensate the data principal while abrogating the affected person’s right to compensation (u/Sec 48A of the IT Act, 2000) for wrongful loss or gain by a body corporate.
The law does not mention the privacy of the owner or data principal, which is the foundation of all data protection frameworks globally, including India (see the Puttaswamy ruling), at all. The only exception is when the right to disclosure under the RTI Act is excluded or abrogated due to the public official in question’s right to privacy.
The data fiduciary and the DPB jointly become the de facto lawmakers through the “voluntary undertaking”. This makes possible a personalised compliance system that essentially avoids Parliament and the rules set forth in this measure.
There is a restriction on actions being taken against corporations solely for adhering to their own voluntary commitment that was recognised by the DPB, regardless of the type of breach, the severity of the harm to the person or to their safety, or the harm to their enterprises or the nation.
In the event of a conflict, DPDP 2023 takes precedence. This will essentially prevent or abrogate the application and reliefs provided by other statutes, resulting in clickwrap licences with conflicting requirements.
A data fiduciary is not required to notify a breach within a certain amount of time. The form and method for reporting the breach will be as may be prescribed.
Without regard to everything already done in reliance on the aforementioned rule, the rules adopted under the act may only be changed or stopped with the consent of both houses of Parliament. Therefore, Parliament’s function as a legislator is circumvented.
Personal data might be transferred outside of the nation by default. At most, the government can inform specific nations that it cannot be transferred.
The Data Protection Board is only allowed to impose fines that are up to Rs 250 crore (about $30 million).
Contrast this with the $5 billion fine imposed on Facebook by the US regulator, or with fines under the General Data Protection Regulation (GDPR) of the European Union, which are set as a percentage of sales.
DPB won’t act or punish the offender unless the violation is “significant,” an ill-defined thing. The person, or data principal, is not particularly eligible for any kind of relief or compensation.
Personal Data And The Ecosystem
A person’s personal information, including their opinions, speech, transactions, health, usage of their rights and liberties, any activity, communication, etc., is their counterpart and digital imprint.
Any medium may be used to record it and store it. The UDHR states that human rights—including the rights to privacy, ownership and monetization, cultural expression, access to remedies, and local or national jurisdiction—exist and are unaffected by the nature of the medium.
Along with impinging on the person’s fundamental rights and liberties, access, influence, and control over personal data can jeopardise the person’s physical, financial, and other forms of security.
Big Tech and other organisations collect and process enormous amounts of personal data.
Through a series of revolving doors between the US federal government and various firms, Big Tech is incorporated into the US Deep State by employing hundreds of former employees of various agencies, such as the CIA, FBI, etc.
Whether overt, lawful, or covert, personal data can be used for good or bad purposes. Personal information is used for a variety of purposes, including profiling, targeting, setting narratives, deplatforming people or ideas, acting as a source of “truth”, forcing people to make decisions, producing deep fakes, deleting voter lists, inciting civil unrest, surveillance and control, blackmailing, etc.
Any entity, from the individual to the group, has been profiled and targeted, regardless of scale, including communities, classes, religions, electorates, social groups, civilisations, and geopolitical factors.
The US government has turned Big Tech into a weapon. Senior Big Tech executives are currently being questioned by the US Congress for using it as a weapon against US individuals, including Congress members.
At one point, the US President and our own Minister of IT and Law had their platforms taken down by Big Tech cartels.
C: Impact
Geopolitical: For the knowledge economy’s new economy, data is the new oil. Unrestricted data flow has a similar effect while losing the advantage, much like oil, which has costs and limitations on the flow and is also employed in the war economy.
On another level, the Hindenburg and Soros attacks demonstrate how potentially useful information, including personal data, may be exploited to destabilise governments, undermine economies, or damage the reputations of those engaged with far-reaching repercussions.
India has a data-rich economy thanks to its demographics, cultural variety, and rapidly expanding Internet adoption.
Unrestricted data flow from outside the nation is supplying the raw material, eliminating the nation’s competitive advantage, and subsidising the developed world at the same time.
Due to the goods equalisation policy that was in place prior to 1991, this is comparable to the deindustrialization of the states with abundant mineral resources.
Innovation, patenting, and the ecosystem: A country or jurisdiction may enforce a patent. The processing or application of the algorithms and patents in a foreign nation will involve data outside the nation.
This has an adverse effect on patenting, innovations, and the growth of the entire value chain, infrastructure, and ecosystem associated with it. It also results in Indian patents being infructuous, circumvented, and a waste of resources.
As a result, leadership, the development of core technology, and R&D will suffer.
Every person, nation, and civilization has its own distinctive set of rights and remedies, which must be localised and under the direct authority of the individual or group.
Local cause of action and remedies, such as those available for relatively “minor” patent or copyright infringements, can be used to enforce rights and remedies.
Individuals are also unable to bargain with foreign governments, licencing authorities, regulators, multilateral trade agreements, etc. In addition to a loss of sovereignty, depending on foreign organisations for routine administrative or executive operations by the government also prevents law enforcement from easily accessing real-time data.
Economy and Business: Big Tech has annual revenues in the billions of dollars per company and at least $1-5 trillion overall, with even higher market valuations.
The advertising income of the top three or four Indian tech companies, excluding some like Twitter that do not break out their sales by country, is more than Rs 50,000 crore.
Personal data is also commercialised and utilised to provide a range of goods, services, or analyses. The product, or personal data, is frequently the person themselves.
The financial impact of unchecked data flow is easily in the tens of billions, most likely in the neighbourhood of $100 billion. Include the opportunity cost and strategic cost brought on by the aforementioned elements.
Individuals’ rights and ownership over monetary recompense for content creation should be added, not only acknowledged. In the trinity of code, algorithms, and personal data—the other two of which are acknowledged as property—data is a strategic asset.
D: Recommendations
First, the legislation needs to be changed to explicitly define and re-legislate personal data as the exclusive property of the person in question, with the following rights and characteristics.
Individuals must have the right to information, edit, erase, forget, de-identify, anonymize, and insist on (no) collection and (no) storage (where “no” means do not store, etc.). The law must post the rights of individuals online. The terms “data principal” and “data owner” must be replaced. Personal data should be non-assignable.
The rights should include the ability to give permission, receive compensation, use local courts for civil or criminal proceedings, and designate legal heirs.
The person has the right to be informed of a data breach, say, within a week of the data fiduciary or other processor becoming aware of the breach.
Every company, website, and app must pay a reasonable sum to every citizen (let’s say, Rs. 1 per company, website, or app per year, or nothing for start-ups), which will be held by the Indian government and used for a fund or organisation that will help citizens implement their rights under this bill.
Additionally, pre-online rights and posting quantum must be permitted by law. We require the additional rights listed below because quantum computing has the potential to undermine the entire cybersecurity infrastructure:
The freedom of expression and the ability of an individual to not use the internet at all
A person cannot be denied a right, good, or service (by the government) only because they choose not to use the internet or conduct an online transaction. Additionally, this right shall apply to necessary services.
Data held by the government, such as Aadhaar, or preserved for the sake of national security, or as required by law, could be an exception. The government should maintain extra security for this data.
The Data Protection Board should be accountable to Parliament:
- Officials of the DPB should have a non-compete clause or cooling-off period of at least a few years between employment with the DPB and corporations or foreign entities;
- Injunctions might be allowed;
- DPB may help with or enforce any legal process, including search and discovery;
- Data owners, or the person who owns the data, must be made aware of it;
Localization of personal data ought to be standard practice. After taking into account the impact on national and personal security, fundamental rights, justiciability, impact on innovations and patenting, SMEs, or other relevant concerns, exceptions, including copies, should be laid out in detail in the bill (or in rules made under the act).
This measure calls for processing to be done by a “Data Fiduciary,” which suggests that trust is the foundation of all activity. Trust is fundamentally a human quality that pertains to someone, i.e., the person or data fiduciary, and is not, in the first place, a territorial quality.
Furthermore, there is no such thing as “trusted” geography under the zero-trust cybersecurity paradigm.
Additionally, the freedom of speech and expression implies that democracy is a reflection of itself.
It’s crucial to remember that the US government has weaponized Big Tech and integrated it into its operations.
The punishment must be appropriate for the offence, the harm it caused, and other criteria. It cannot be preemptively capped.
Contrary to what should happen, when there is a conflict, the DPDP takes precedence over other acts. As an alternative, the harmonious building of laws principle should be applied.
The term “digital” is not defined in the proposed legislation, and Article 18 of the UDHR also states that the right to freedom of expression is unaffected by the medium (whether it be digital or analogue). Therefore, it is appropriate to remove the word “digital” from the bill.
Only after notification may rules be put in place and approved by both chambers of Parliament.
There may be additional factors or nuanced considerations beyond those mentioned above.
This will allow for increased patenting and innovation ecosystem growth, revenue generation for the government of India, creation and leadership in core technology, R&D, and related infrastructure, leveraging competitive advantage, demography, and talent, and control of a strategic asset. It will also enable security, inclusivity, democratisation, and monetisation by the owners of personal data and content creators.