There has been a lot of talk about data protection and user privacy lately, and for good reason. From the selling of Facebook data by Cambridge Analytica to concerns about shadow banning on Twitter and other social media sites, concerns about data and its usage are everywhere. Now India’s data protection law is taking that concern to the next level, providing citizens of the populous country with additional protections and giving them the tools they need to fight back. Prior to the proposed law, India did not have specific data protection legislations although Section 43A of the Information Technology Act (2000) provides for the right to compensation for the improper disclosure of personal information.
At the same time, India’s data protection law is already being criticized, with some claiming it does too little and others fearing it goes too far. Already privacy advocates are expressing concerns that the proposed new personal data protection bill has the potential to lead to mass surveillance, something that has already been seen in totalitarian countries around the globe.
Does India’s data protection law go too far – Or not far enough?
Others worry about India’s data protection law for other reasons. Some in the data security industry have expressed real concerns that India’s data protection bill is inadequate, and that the August 2018 proposal does not give the data protection authority sufficient power to bring violators to justice.
So which set of concerns are valid, and what are Indian citizens, and privacy and data protection advocates around the world, to do? As with so much in the world of personal data or information protection, the waters surrounding India’s data protection law are somewhat muddied, and the competing opinions surrounding its policies and protections are not making things any easier. Only time will tell how the data protection law is implemented, and how the legal framework that is being built will be used by the Indian authorities.
India’s data protection law as a follow up to the GDPR
In some quarters, India’s data protection law is already being compared to the groundbreaking General Data Protection Regulation, a sweeping European Union regulation designed to protect data privacy and give individual users unprecedented control over the use of their own personal information.
Indeed, many of the same concerns raised about the General Data Protection Regulation are being raised about India’s data protection law, including worries about data localization and the potential for widespread surveillance by a rogue government. This new privacy law does bear some similarities to the EU regulation, but there are some key differences as well. In the end, it is best to consider India’s data protection law on its own merits, separate from the similar but distinct European Union regulations.
Will the proposed regulations be enacted?
While both laws are designed to protect sensitive personal data, and both have been passed in response to widespread data breaches and security concerns, India’s new law is distinctly Indian in nature. Whether a future supreme court judge eventually strikes down the new privacy law or lets its stand, the door has already been opened. Already businesses are changing the way they collect data, and they are caring for the data collected in new ways.
Some firms are appointing a dedicated data protection officer, whose job it is to protect the privacy of individual users and protect the data with which the firm has been entrusted. Others are rethinking their roles in the digital economy, looking for a way to align their business needs with the new data protection requirements.