The need for sector-specific safeguards in ‘tech’


India’s digital economy is set to reach $1 trillion by 2026. People are increasingly going digital for everything from shopping and socializing to education and government services. But, as we embrace convenience, we are also generating vast amounts of personal data. Understanding how this data is managed and protected is becoming increasingly important.

The recently proposed Digital Personal Data Protection (DPDP) Bill 2022 comes after five years of discussion and deliberation on how to protect citizens’ information from misuse and unauthorised access. Although the Bill sets out the rights of citizens over their personal data and the obligations of those who collect it, it lacks specificity in some clauses, notably on how it interacts with sectoral data protection rules.

Global perspective on sectoral regulation

The current draft of the Bill seeks to address the issue of conflicting sectoral regulations. Section 29 states that the provisions of the Bill shall be in addition to, and not in derogation of, existing laws, but that in case of conflict the Bill shall prevail. The first part allows the Bill to fill regulatory gaps; the second raises concerns about sectoral regulations that go beyond what the Bill provides. Data protection and privacy depend heavily on context, including the type of data collected, how it is collected, how it is used, and the associated risks. That is what makes sectoral expertise essential to effective regulation. Sectoral expertise gives a regulator a deep understanding of a particular sector, including its market dynamics, technologies, risks and business models, and allows it to engage with stakeholders and industry experts in a well-informed and productive manner.


The global community has taken two broad approaches to regulating privacy and protecting data: comprehensive laws and sector-specific rules. The EU’s General Data Protection Regulation (GDPR) embodies the comprehensive approach and is the most stringent framework to date. The sectoral approach of the United States, seen in laws such as the Health Insurance Portability and Accountability Act (HIPAA) for health care and the Gramm-Leach-Bliley Act (GLBA) for financial institutions, is a patchwork of regulations tailored to specific industries.

The GDPR, despite being a comprehensive framework, contains provisions aimed at particular kinds of data, such as Article 9 on special categories of personal data, which include health data. The GDPR also allows EU member states to adopt measures that go beyond its provisions: Germany’s Bundesdatenschutzgesetz (BDSG), for example, is stricter than the GDPR in some respects. The European Data Protection Board (EDPB), made up of representatives of each member state’s data protection authority, provides guidance on the implementation and interpretation of the GDPR, including on sector-specific issues.

The US sectoral approach has been criticised on several counts: inconsistent protection, enforcement problems, overlapping and conflicting provisions, and the absence of federal regulation, which leaves some sectors unprotected. This creates confusion and coverage gaps for businesses, and with no central authority to enforce data protection law there is little standardisation. Calls for a federal framework have become increasingly common in the United States as well.

The GDPR model may not work for India as it stands, because the Data Protection Board proposed in the Bill is designed as a complaints-handling body rather than a regulator. The earlier version of the Bill, with a Data Protection Authority of India as an independent regulator comparable to the EDPB, might have been better placed to play that role.

The current draft of the Bill is therefore a major step towards protecting the personal data of citizens, but it needs greater clarity and specificity on how it interacts with sectoral regulations. We should draw on our own experience to find the right balance.

Finding the Right Spot for the Bill

India already has sectoral regulations on data protection, such as the Reserve Bank of India’s directive on the storage of payment system data and the National Health Authority’s health data management policy. These are the product of extensive industry consultation and expert input. Ignoring them and setting up a new framework would undermine the considerable effort invested in their creation, and any deviation from the existing regulations would force the industry to readjust its operations at considerable cost.


The DPDP Bill should therefore act as a baseline layer of protection, with sectoral regulators able to build on it. Such a framework would be particularly useful in India, where not every regulator has the same level of competence in this area. Data protection is a complex subject, and we must make room for domain experts to protect the interests of citizens more effectively. This will ensure a safer, more secure and dynamic digital landscape in the years to come.

Sumesh Srivastava is Manager, Public Policy at The Quantum Hub (TQH Consulting)