This is a famous quote from John Dryden, an English Poet.
I am reminded of this while commenting on the DPDPA 2023 which by design or accident has many hidden gems that we often ignore in criticising the law.
In many of the interactions I have been having with industry experts particularly relating to the Comments on DPDPA Rules, I end up hearing criticisms from others which appear to be contradicting my own views on the positive features of the Act. Some times I feel that even the MeitY officials may not defend the law like what I may do.
The philosophy behind our approach to the DPDPA 2023 is that once the law is in place, we need to adopt to the laws until it is changed some time in future. We cannot expect that the Rules will be able to tweak the law and make it better. If there is any attempt then the law will be challenged in the Court and Indian Courts can easily be convinced to stay the law for an indefinite period.
Yesterday in the panel discussion organized by Center of Civic Society I reiterated that the DPDPA Rules should not be too detailed and continue to be “Principle Based”. I believe that we should not force MeitY to make the rules too detailed and give an opportunity for the vested interests to argue that it is ultra vires the law. For this reason, I have been advising the Government not to go too prescriptive in the rules as being advocated by the industry but remain generic.
It is true that in the Shreya Singhal case, Supreme Court expressed its unhappiness about the law being vague. But we all know that the supreme Court is not consistent and gives its views as it suits it for the moment. For example, in the Puttaswamy Case, one Judge said , “There is no need to define Privacy..” but went on to impose the liability to protect Privacy on the industry. The same judge even said that the …Even what is written in the constitution is not binding on the Court and they have the discretion to interpret the constitution as they deem fit. The Keshavananda Bharati judgement itself is a blot on the Indian judiciary and its ability to play a fraud on the Constitution but is a highly celebrated judgement which all our legal friends seem to swear by.
In our view, if the law is too prescriptive, it will only show the way how it can be violated legally under the principle, “What is not expressly prohibited under law is lawful” .
I would urge everyone to hear Justice Srishananda of the Karnataka High Court on “Difference between Offence and Crime” we will appreciate that society should discard this definition of what is lawful and unlawful. We should therefore ensure that law is not too prescriptive but deliberately let for contextual interpretation. This will prevent a situation where one judge regretfully remarked, “I know that the accused is guilty but I am declaring him innocent because the prosecution has failed to prove the evidence against him”.
Every one of us may be affected by a new law of the kind of DPDPA 2023 and our first reaction is always a reflection of our discomfiture. If I am a CEO, I am not happy with the new Compliance which requires more investment, effort and disruption of my current state of equilibrium.
In this state of mind, what comes to my immediate notice are the apparent short comings. However, when we reflect deeply we can find many positive features of the law that we can absorb and later convert to our benefit also.
If we are a “DPDPA Compliant Company” our long term sustainability is better addressed. If I try to cut corners today, I may have to fold up one day since we never know when the law will hit us badly.
“Compliance First” should therefore be the motto of every CEO.
The biggest strength of DPDPA 2023 is that it delegates the protection of Privacy to every Company that uses the Personal data because as a “Data Fiduciary” it is the trustee of the data principals. Government need not tell each company on what is lawful. They as “Trustees” have to figure out what is correct and exercise “Due Diligence” to protect the Privacy in the society.
This one principle is enough to elevate DPDPA 2023 above GDPR which provides the status of a “Controller” to a commercial company.
Let us therefore appreciate what is good in DPDPA 2023 and not try to only find faults….
Naavi
Naavi
