The Digital Personal Data Protection Bill must serve as a basic layer of protection, with sectoral regulators having the ability to build on this.
Author: Sumeysh Srivastava
Published: March 29, 2023 in The Hindu
India’s digital economy is set to reach a whopping $1 trillion by 2026. People are going digital rapidly for everything — from shopping and socialising to education and government services. But, as we embrace convenience, we are also generating massive amounts of personal data. Understanding how this data is handled and protected is fast becoming critical.
The Digital Personal Data Protection (DPDP) Bill 2022, which was proposed recently, comes after five years of discussion and deliberation on a framework to safeguard citizens’ information from misuse and unauthorised access. Even as the Bill outlines citizens’ rights over their personal data and the responsibilities of data collectors, it lacks specificity in certain clauses, such as those governing its interaction with sectoral data protection regulations.
On sectoral regulation, global approaches
The current draft of the Bill tries to tackle the issue of conflicting sectoral regulations; in Section 29, it states that the provisions of the Bill will complement and not create exemptions from existing regulations, but in case of conflict, the Bill will take precedence. The first part allows the Bill to fill in any regulatory gaps, but the second part raises concerns about sectoral regulations that may go beyond what the Bill provides.
Data protection and privacy are highly dependent on context, including the type of data collected, how it is collected, the intended use and the associated risks. This makes sectoral expertise crucial to regulate effectively. Sectoral expertise offers a deep understanding of a particular sector, including its market dynamics, technologies, risks and business models. It also enables regulators to engage with stakeholders and industry experts in a well-informed and productive manner.
The global community has adopted two major approaches to regulate privacy and protect data: comprehensive legislation and sector-specific regulations. The European Union’s General Data Protection Regulation (GDPR) embodies the comprehensive approach, offering the strongest and most stringent framework to date. Meanwhile, the sectoral approach in the United States, as seen through laws such as the Health Insurance Portability and Accountability Act (HIPAA) in health care, and the Gramm-Leach-Bliley Act (GLBA) for financial institutions, is a patchwork of regulations tailored to specific industries.
The GDPR, despite being a comprehensive framework, has specific provisions for certain industries such as health care (Article 9). Additionally, the GDPR permits EU Member States to implement measures which go beyond the provisions given in the GDPR. For example, Germany also has the Bundesdatenschutzgesetz (BDSG), which, in some cases, has stricter provisions than the GDPR. The European Data Protection Board (EDPB), made up of representatives from each EU member state’s data protection authority, provides guidance on the implementation and interpretation of the GDPR, including sector-specific issues.
The American sectoral approach to data protection has been deemed flawed for various reasons, including inconsistent protection, problems in enforcement, overlapping and contradictory provisions, and a lack of federal regulation leaving certain sectors unprotected. This creates confusion and coverage gaps for businesses, and there is no centralised authority to enforce data protection laws, leading to a lack of standardisation. Calls for a federal framework have become increasingly common, even in the United States.
The GDPR model may not work for India as the Data Protection Board is designed as a grievance agency, and not as a regulator. The earlier version of the Bill with a Data Protection Authority of India may have been better suited as an independent regulator such as the EDPB.
Therefore, the current draft of the Bill, while a major step towards ensuring the protection of citizens’ personal data, needs greater clarity and specificity regarding its interaction with sectoral regulations; we need to draw from our own experience to find the right balance.
Finding the right space for the Bill
In India, for example, we already have sectoral regulations regarding data protection, such as the Reserve Bank of India’s directive on storage of payment data and the National Health Authority’s Health Data Management Policy. These are the result of extensive industry consultations and expert input. Neglecting these regulations and establishing a new framework would undermine the considerable effort invested in their creation. Any deviation from existing regulations will further require the industry to readjust its operations once more, at considerable cost.
The DPDP Bill, therefore, must serve as the minimum layer of protection, with sectoral regulators having the ability to build on these protections. This framework will be especially useful in India where not all regulators may have the same capacity. Data protection is a complex subject and we must create room for sectoral experts to weigh in to safeguard the interests of citizens more effectively. This will ensure a safer, more secure, and dynamic digital landscape in the years to come.
Sumeysh Srivastava is Manager, Public Policy at The Quantum Hub.