Do We need an Unregulated Data Processing regime?

The Minister of IT Mr Ashwini Vaishnav recently commented  that there is no plan to scrap the current draft data protection regulation (as has been falsely projected by some journalists) and he hopes that the bill will be passed soon if not in the current session at least in the Monsoon session.

He said that there have been comprehensive consultations and we should be able to resolve differences if any and get the bill passed.

Simultaneously the media campaign has started again to highlight that the Social media Companies are unhappy, the Start Up companies are unhappy etc. Organizations like NASSCOM who have to support the initiative of getting an early law in place are only reflecting the objections of the industry and making it difficult for the Government to go through with the passage of the Bill.

The objections raised are largely excuses and even if they are relevant, it is possible to be corrected either through notifications or in the next amendment. We need to be keep them aside for the time being and see how the law gets assimilated by the industry after which we will have more information on what changes are required.

The tech companies are already in compliance with the GDPR regime and they are aware of how to wade through the data protection law. Indian law cannot be too hard compared to GDPR. Start ups have been given 3 years time under the Sand Box time and hence should not have any complaint.

The Social Media intermediaries are only required to allow the choice to their customers to verify themselves and after such verification insist that their identity be disclosed with their messages. This will not disable the Social Media intermediaries to continue having fake accounts and spread fake messages if they so desire. The viewers will start discounting the posts of un verified accounts and the media need not be bothered.

At the same time, the media has the option to be an “Intermediary” and not be considered as a “Publisher” if they can give up the control on the content. There is a new attempt to pitch the Ministry of I&B against the Ministry of IT saying that there will be overlapping of the domains. We know that the ministers of the two ministries held a joint  press conference to announce the February 25, 2021 Intermediary rules and it is unlikely that they will start objecting to each other now.

IAMAI has also criticised the bill as if it poses a risk to the digital eco system by having an impact on free speech. We donot know how there is a conflict since the Constitution itself has provided for reasonable exceptions to any fundamental right and it would apply even to the right to privacy.

IAMAI has also criticised the expansion of the scope to Non Personal Data is an enabling provision forced on JPC by the earlier objections and can be clarified through the notifications.

The restrictions on data transfer outside India has already been softened to bring it very much below the GDPR standards and compared to the Indian law, GDPR with the recent EDPB guidelines is a more strict data localization law than the DPA 2021.

The DPA 2021 when implemented will have to manage conflicts with several sectoral regulators including the CERT In, RBI, IRDAI and TRAI. It is therefore not a burden for them to handle the Cyber Law division of I & B ministry also as another sectoral regulator.

We can expect that the DPA as a body of 7 senior persons will device a method of consultation with the sectoral regulators as envisaged under Section 56 of the Bill.

There is no doubt that industry will be happy without any regulations and hence are opposing the regulations. Cost of Compliance is associated with every law and cannot be a reason for non regulation. It is strange that the companies  donot complain with cost when GDPR is imposed on them but have only objections when there is an Indian law of similar nature.

The attitude of the industry and the associations that represent them are not sustainable on close scrutiny. The objections are only saying that we donot want any regulation and want to be not accountable for data breaches or for compliance and has to be ignored.

I hope the MeitY will not yield to the pressure tactics and go ahead with the law for early passage. If they yield then they will be liable for Contempt of Court since the bill has been already delayed beyond any reasonable time.

Naavi

 

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.