Posted on by Insights Editor
Print Friendly, PDF & Email

EDITORIAL ANALYSIS :  India’s data protection law needs refinement

 

Source: The Hindu

 

Prelims: Personal Data Protection Bill, Justice B N Srikrishna, Convention on the Rights of the Child, 1989, Protection of Child Rights Act, 2005 etc

Mains GS Paper II and III: Government policies and interventions for development of various sectors and issues arising out of them etc

ARTICLE HIGHLIGHTS

  • The European Union’s (EU) data protection law, i.eThe General Data Protection Regulation (GDPR)came into force in the middle of 2018 and achieved widespread popularity, the most comprehensive data privacy law in the world.
  • India released The Digital Personal Data Protection (DPDP) Bill, 2022.

 

INSIGHTS ON THE ISSUE

Context

Background of data privacy law:

  • Started in 2010 with the constitution of the Justice Srikrishna Committee.

 

Justice BN Srikrishna Committee Data Protection Report:

  • The Committee was constituted by the union government in July 2017, to deliberate on a data protection framework.
  • The Supreme Court in its Puttaswamy judgment, 2017: It declared privacy a fundamental right.
  • Interests of citizens: The report has emphasized that interests of the citizens and the responsibilities of the state have to be protected, but not at the cost of trade and industry.
  • It proposed a draft Personal Data Protection Bill.

 

New Data Protection Bill:

  • Inclusion of the word “digital” in the Bill’s title speaks to India’s long standing goal of being a digitally forward society.
  • Bill has two major stakeholders:
    • Data Principal
    • Data Fiduciary.
  • Data Principal: It refers to the subject whose data is being processed
  • Data Fiduciary: It is an entity that processes this data.
  • fiduciary” whilst referring to a data processor is significant.
  • The relationship between the two is guided by:
    • trust, assurance and good faith.
  • Data Fiduciary: It is responsible for safeguarding the interests of Data Principals.
  • Bill describes:
    • the obligations of the Data Fiduciaries towards Data Principals
    • the rights and duties of the latter
    • regulatory framework through which data will be processed.
  • Bill lists the “duties” of the Data Principals: these have no bearing on the realization of the rights provided by the Bill.

 

Important aspects of bill:

  • In addition to the general obligations to prevent the misuse of the personal data of individuals
    • The Bill has outlined a category of Significant Data Fiduciaries entities: that are required to comply with additional measures to safeguard the personal data of individuals.
    • Only companies that process vast amounts of data or have a potential impact on the country’s sovereignty and integrity need to take such stringent measures.
    • Such measures reduce the compliance cost of companies that are at a nascent stage.
  • Data localisation” in the previous versions of the Bill, have been omitted: The reworked Bill permits the government to notify countries to which data transfers may be permitted.

 

Issues around data use:

  • The draft released for public comments is not as comprehensive as its previous versions
    • Government may present a Bill that is largely similar.
    • Critical gaps remain in the DPDP Bill that would affect its implementation and overall success.
  • DPDP Bill only protects personal data, that is any data that has the potential to directly or indirectly identify an individual.
    • In the modern data economy, entities use various types of data, including both personal and non-personal data to target, profile, predict, and monitor users.
    • Non-personal data is typically anonymous data that does not relate to a particular individual
      • For example: aggregate data on products which numerous users look at between 9pm and 11pm on Amazon).
    • Non-personal data when combined with other datasets can help identify individuals, and in this way become personal data, impacting user privacy.
      • Example: Anonymous datasets about individual Uber rides in New Delhi can be combined with prayer timings to identify members who belong to a certain community, which could include their home addresses
    • The process of re-identification of non-personal data poses significant risks to privacy.
      • Such risks were accounted for in previous versions of India’s draft data protection Bill
      • By not recognising these risks, the DPDP Bill is very limited in its scope and effect in providing meaningful privacy to Indians.
    • Inability of the proposed data protection board to initiate a proceeding of its own accord.
      • Under the Bill, the board is the authority that is entrusted with enforcing the law.
      • The board can only institute a proceeding for adjudication if someone affected makes a complaint to it, or the government or a court directs it to do so.
      • Only exception to this rule is when the board can take action on its own to enforce certain duties listed by the Bill for users.
      • This is for the adjudication of disputes between the law and users.
      • For example: obligation on users not to register a false or frivolous complaint with the board, and not between users and data-processing entities.

 

Way Forward

  • A simple and effective solution would be to add a penal provision in the Bill that provides for financial penalties on data-processing entities for the re-identification of non-personal data into personal data.
  • In the data economy, users have diminished control and limited knowledge of data transfers and exchanges.
  • Due to the ever-evolving and complex nature of data processing, users will always be a step behind entities which make use of their data.
    • For example, a food delivery app can take all my data and sell it to data brokers in violation of my contractual relationship with them.
  • The Competition Commission of India, which is responsible for the enforcement of India’s antitrust law, has the power to initiate inquiries on its own (and utilizes it frequently).
    • A simple way to do this would be to have a provision in the DPDP Bill that allows the data protection board to initiate complaints on its own.
  • There are not the only gaps in the DPDP Bill, but finding solutions to them would help address challenges in implementation in a significant way and make for a more future-proof legislation.
  • We need to shift our approach with respect to children’s data before this Bill is brought to Parliament.
    • To avoid the folly of treating unequals equally and blocking off access to the Internet for teenagers these steps are needed.
  • Platforms should be mandated to undertake a risk assessment for minors and not only perform age-verification-related corresponding obligations

 

QUESTION FOR PRACTICE

What is the CyberDome Project? Explain how it can be useful in controlling internet crimes in India. (UPSC 2019) (200 WORDS, 10 MARKS)

Examine the scope of Fundamental Rights in the light of the latest judgment of the Supreme Court on Right to Privacy. (UPSC 2017) (200 WORDS, 10 MARKS)

Related Articles

1
UPSC Editorial Analysis: India’s Digital Governance Posted on December 4, 2025
2
UPSC Editorial Analysis: State of the World’s Children 2025 Report Posted on December 4, 2025
3
UPSC Editorial Analysis: India’s Labour Codes Posted on December 3, 2025
4
UPSC Editorial Analysis: India’s Fight Against Tuberculosis Posted on December 2, 2025
5
UPSC Editorial Analysis: Human–Wildlife Conflict in India Posted on December 1, 2025
6
UPSC Editorial Analysis: Mental Health Crisis in India’s Education System Posted on December 1, 2025
7
UPSC Editorial Analysis: Strengthening Child Nutrition in India Posted on November 28, 2025
8
UPSC Editorial Analysis: AI, Space Militarisation, and Modern Warfare Posted on November 28, 2025
9
UPSC Editorial Analysis: Strengthening India’s Higher Education Posted on November 26, 2025

Related Articles

1
UPSC Editorial Analysis: India’s Digital Governance Posted on December 4, 2025
2
UPSC Editorial Analysis: State of the World’s Children 2025 Report Posted on December 4, 2025
3
UPSC Editorial Analysis: India’s Labour Codes Posted on December 3, 2025
4
UPSC Editorial Analysis: India’s Fight Against Tuberculosis Posted on December 2, 2025
5
UPSC Editorial Analysis: Human–Wildlife Conflict in India Posted on December 1, 2025
6
UPSC Editorial Analysis: Mental Health Crisis in India’s Education System Posted on December 1, 2025
7
UPSC Editorial Analysis: Strengthening Child Nutrition in India Posted on November 28, 2025
8
UPSC Editorial Analysis: AI, Space Militarisation, and Modern Warfare Posted on November 28, 2025
9
UPSC Editorial Analysis: Strengthening India’s Higher Education Posted on November 26, 2025