India’s Digital Personal Data Protection Act, 2023, adopted in August, leaves a lot of room for criticism. Here are some key concerns.
On 3 August, India marked a landmark moment in its regulatory history, with the Digital Personal Data Protection (DPDP) Bill (now Act) being introduced in Parliament for the very first time. The now-law was tabled at the final step of India’s judicial and regulatory process after five years of conversations, consultations and cancellations of the Bill, and finally adopted as a law.
However, despite the Act being okayed in Parliament quite promptly, and subsequently being adopted into law after President Droupadi Murmu gave her assent to it on 11 August, industry stakeholders and experts have highlighted several concerns and challenges. These relate to how the DPDP Act lays down regulations, and also how it defines personal data and its use. These concerns are unlikely to be alleviated any time soon, but they bring forth several key points that may be important to know from the standpoint of data owners in the country.
PROCESSING, NOT PRIVACY
The first and foremost concern, as highlighted by numerous policy consultants, is how the Act is phrased. While the DPDP Act refers to the ‘protection’ of personal data, industry stakeholders were quick to highlight that the entire law is framed around enabling access to and processing of personal data by companies and not the other way round.
In simpler terms, while the DPDP Act seeks to establish user data privacy, it is centred around what enterprises are allowed to do with the personal data that they collect. This, according to experts, is the first indication that the DPDP Act reduces the role of data privacy to exemption-based outcomes while offering a broader regulatory structure under which companies can continue to draw personal data based on their own business needs.
AMBIGUOUS SOCIAL MEDIA DATA SCRAPING
One major area of concern is Section 3(ii)(A), which states that data protection will not apply to “personal data that is made or caused to be made publicly available by the data principal to whom such personal data relates.”
In simpler words, if you put your personal data on any social media platform, India’s data protection safeguard will no longer apply to you, and companies will be free to scrape this data as public information. This particular clause falls under “legitimate usage”, an area of the law that was previously called “deemed consent”.
The new law allows companies to scrape social media data using automated algorithms to collect and store any information posted by users themselves.
The move has drawn criticism from various corners of the privacy community, and even its safeguard has been criticised. The safeguard says that personal data privacy will only be honoured if the information in question is posted by a third party.
In simple terms, most social media content belonging to any user is typically generated by the users themselves, and a third-party post is almost always a repost of a first-party post, which makes this safeguard questionable.
OPERATIONAL CHALLENGES FOR COMPANIES?
The above issue could also pose a major challenge for companies in terms of creating a mechanism to differentiate between first-party and third-party posts on social media. Industry stakeholders believe that companies, especially social media firms, may need to figure out a tech operations policy to segregate the types of data that they collect.
While companies will be required to establish a consent procurement mechanism, such a fine detail could pose a challenge, especially for the nascent field of generative AI. Generative AI relies on models that are built on data taken from public forums on the internet, and companies treat any data posted on any social media platform as public information.
With the new DPDP Act, the process of collecting this data will change. As per the law, companies scraping social media data using automated algorithms will be able to collect and store any information posted by users themselves but will need to separately seek consent from the primary user for a post that may have been reposted by their acquaintance.
Industry experts believe that such a process could make matters complicated for companies, although the government has not offered clarity in terms of how this may be implemented.
This factor, as a result, could lead to making generative AI operations more complex, especially for low-resource academic institutions working on research models.
LACK OF CLARITY SO FAR
Another key area of concern is the absence of intimations and clarifications on how specific operations of the Data Protection Board will be carried out. While these are expected at an upcoming date, other key areas that have lacked clarity include the open clause that leaves the law ready to be amended and tweaked with future rules, without giving clarity on how and when such changes may be made.
Industry stakeholders have also added that in many cases, the DPDP Act specifies that the personal data of users can be retained for a length of time as specified by respective laws of a certain genre. However, lawyers point out that most regulations, including criminal and civil law, do not mention how long personal data should be stored. This may leave companies without a clear idea in terms of how long they may be required to store a certain piece of information.
BROAD-BRUSHED GOVERNMENT EXEMPTIONS
One of the biggest concerns about the Act has come in the form of exemptions that have been offered to government bodies in terms of how they can ask companies under this law to furnish user data. Privacy evangelists underlined that the lack of safeguards on what a company can do to furnish information about a specific user raises concerns about the DPDP Act’s ranking alongside top privacy regulations around the world, such as those in Europe and Singapore.
In simpler words, if the government, under Section 10, asks a company to furnish personal data citing a reason that includes “impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order”, companies have no stated recourse mechanism under the law.
By Vernika Awal