Delays in DPDP rules could undermine privacy and business objectives of the act, say experts

It has been over a year since India passed its first Privacy Act, the Digital Personal Data Protection (DPDP) Act. Yet, crucial rules needed to enforce this landmark legislation remain pending.

CNBC-TV18’s Nisha Poddar recently delved into the implications of this delay and the anticipated rules by engaging with NS Nappinai, Senior Advocate and Founder of Cyber Saathi; Nikhil Pahwa, Editor of Medianama; and Rakesh Maheshwari, Former Senior Director of MeitY.

Nikhil Pahwa, expressed profound disappointment with the ongoing delays in implementing the DPDP Act. According to Pahwa, the Act, despite being passed, remains largely ineffective without the necessary rules. He criticised the government for its slow progress, noting that the act’s provisions are still inactive.

Pahwa highlighted that the Srikrishna draft, the initial version of the bill, offered the strongest protections but was significantly diluted in subsequent revisions. He emphasised that the law fails to adequately balance the protection of citizen’s privacy with the needs of the data economy.

“If you look at the various drafts of the bill, it was the Srikrishna draft which was the strongest of them all. Bit by bit, the protections provided to citizens have actually been whittled down. One of the things that this law battled against from the very beginning was the intention of the government to not have a privacy law.

They went to the Supreme Court and argued that privacy isn’t a fundamental right. They were directed by the court to put together a law, to enforce the fundamental right to privacy through a law, especially when it comes to private companies.

Subsequently, even in the Srikrishna draft, there was a battle between enabling a data economy versus protecting rights. So the bill actually lacks balance in terms of protecting rights, especially with respect to the government. For example, there is no surveillance reform that’s happened to this particular law. The government can still access citizens’ data held by private companies.

So in effect, the apps and the services that we use, the government has a free reign in terms of accessing that data for purposes of national security, and national security is still not defined under law. So I don’t think it does enough to protect our rights, and in that sense, the bill already, or the law already is a failure to begin with,” Pahwa stated.

Senior Advocate NS Nappinai also underscored the necessity of the rules for the practical implementation of the DPDP Act. She explained that the law, as it stands, is incomplete and needs the rules to provide the necessary details and mechanisms for enforcement.

Also Read: India likely to release Draft Data protection rules in the next 20 days

Nappinai acknowledged the delay but remained hopeful that the forthcoming rules will address the gaps and provide a robust framework for data protection. She stressed that the rules must balance individual privacy rights with the needs of the industry to ensure both strong data protection and continued innovation.

Rakesh Maheshwari, Former Senior Director of MeitY, highlighted that the Act was designed with the dual objectives of protecting citizen privacy and enabling business operations. He acknowledged that while the DPDP Act aims to be more comprehensive than the previous IT Act, it still has limitations. The Act’s requirement for consent and its applicability to the government are steps forward, but Maheshwari agrees that the delay in finalising the rules could undermine its effectiveness.

Below are the excerpts of the discussion.

Q: Fundamental right of privacy, that’s what we are granted. But how critical are these rules in exercising that fundamental right?

Pahwa: As far as I’m concerned, we actually don’t have a privacy law yet because the law said that different parts of that law will only be activated once these rules come out. So I think it’s fairly shameful that a year after the act was passed, it still hasn’t been actioned, and we’ve waited all this while for rules to make it active. The government should have done this sooner, it should have at least had some parts of the bill activated through the rules till now.

The other thing is, “If you look at the various drafts of the bill, it was the Srikrishna draft which was the strongest of them all. Bit by bit, the protections provided to citizens have actually been whittled down. One of the things that this law battled against from the very beginning was the intention of the government to not have a privacy law. They went to the Supreme Court and argued that privacy isn’t a fundamental right. They were directed by the court to put together a law, to enforce the fundamental right to privacy through a law, especially when it comes to private companies. And subsequently, even in the Srikrishna draft, there was a battle between enabling a data economy versus protecting rights. So the bill actually lacks balance in terms of protecting rights, especially with respect to the government. For example, there is no surveillance reform that’s happened to this particular law. The government can still access citizens’ data held by private companies. So in effect, the apps and the services that we use, the government has a free reign in terms of accessing that data for purposes of national security, and national security is still not defined under law. So I don’t think it does enough to protect our rights, and in that sense, the bill already, or the law already is a failure to begin with.

The other instance where it does not protect our rights is, it doesn’t give us the right to go to a court directly. We have to actually file a complaint with the data protection board, and go through an entire process, instead of trying to enforce a law by going to court. But the board itself can only adjudicate on matters of complaints, and it doesn’t have any rulemaking powers. If you look at data protection authorities across the world, a majority of liberal democracies actually have that power, have given independence and power to the board to protect citizens’ rights. In this case, the board doesn’t have these aspects. So I don’t think this data protection law, even after the rules come out, will do enough. And it’s a failure on the part of the government from a citizen’s rights perspective. But I don’t think that was an intent from the very beginning in terms of protecting citizens’ rights. If the rules don’t come out for another year, I would not be surprised, because I don’t think it’s the intention of the government to really restrict data collection and violation of our privacy, to be honest.

Q: What do you think of the rules and how important are they at this particular point? The government has procrastinated for too long and things have changed. How critical is it at the current moment?

Nappinai: You need the rules for the act to be implemented at this juncture. If you see the way the law has evolved in India, the first draft was submitted by the Srikrishna Committee, which was vested with the scope of engagement to evaluate the contours of a privacy law for India. Then you had the 2019 Act, which was fairly lengthy. And then you had a very bare-bones kind of draft, which you have now. And you need the rules to actually supplement what you have in the law to be able to enforce it. So that’s a general input.

To get more specific, you have a privacy process that has been established under the DPDP Act. So you have data fiduciaries who are going to be collecting your data- data processors, you are the data principal- that’s the user who’s sharing their data, you have consent frameworks and accountability frameworks. Now, these are just words. How do you enforce them? How do you implement them? So that granularity always comes from rules. So when you’re asked about the timeframe, it is true that the rules are much delayed and we are hoping that we would get a fairly robust draft now, which will ensure a speedy implementation.

So we will need something that would give flesh to the bare bones draft, will give strength to the system that is proposed to be established, will ensure strong data protection of individuals and the balancing act here, which is what every data protection law brings in, is enabling industry. A law is not meant only to protect users and to stifle innovation or industry, it is meant to bring about this balance of enabling industry without violating individual rights. So we have to wait and see whether the rules are going to be able to play out this balancing act.

Q: What was the government’s thinking during the formulation of this act? And how do you think this particular act stands in the current circumstances in achieving its goals?

Maheshwari: The act in the present form and the intent as it was all throughout since 2017 when the expert committee was constituted, was that the rights of the citizens have to be protected, the privacy rights which have been granted by the Supreme Court, while also the business must continue to be enabled. That was the founding principle that both these things should continue to be there.

The present IT Act, though it does cover privacy, the protection of sensitive personal data, is in no way a comprehensive act. So this DPDP act to that extent, brings in comprehensiveness, including the protection of the data of the individual.

The act requires consent to be there and so a consent framework has been talked about, which should be presented to the user in a language which the user understands. Simultaneously, the government has also been brought into the purview of the Act.

Watch the accompanying video for the entire discussion.