The saga of India passing a new data protection law to replace ITA 2000/8 has still not reached the final chapter. There are completely contradictory statements coming from the Government and the Opposition. We are aware that the opposition political parties in India are determined not to allow any significant legislation to pass through the Parliament and the Data Protection law is one such law considered politically significant.
Some time back the minister of IT Sri Ashwini Vaishnaw stated (according to press reports which many times are false and unreliable) that the Standing committee has passed the draft. Now some members of the opposition say that they have suggested 40 amendments to the Bill and they will discuss this further in the next meeting. Mr Rajeev Chandrashekar had suggested regarding the cross border transfer of data that India would opt for a “Positive list” based on mutual agreements with some countries. Of late he has changed his version (again according to press reports which many times are false and unreliable) and is now indicating that there will be a negative list of countries to which data transfer would be regulated and all other countries would be in the “Adequacy and Allowed” list.
There is a slew of articles published from Dr Amar Patnaik in some part of the media suggesting a complete revision of the approach to the law itself. (Refer here).
Mr Karti Chidambaram as a member of the IT Standing committee has indicated (As per the George Soros supported “Wire”) has said that 40 amendments have been proposed by the committee.
Some of the concerns expressed by the committee are said to be
1.Excessive Centralization of power
2.Lack of independence of Data Protection Board
3.Blanket exemptions to some data fiduciaries
4.Unchecked exemptions provided to Government
5.Lack of attention to protecting Children’s data
6.Impact on the Right to Information (RTI) Act
These are the laundry list of objections that have been raised in every draft presented earlier. He has also pointed out that since the Bill was never introduced in Parliament, it was never referred to the standing committee for discussion and whatever discussions happened were preliminary in nature and happened when the bill was put out for public consultation. He has also said that it does not address the concerns of the Supreme Court on Privacy.
In what indicates an indefinite delay, he has suggested “In a letter to Union IT minister Ashwini Vaishnaw on Monday, Mr Karti Chidambaram has sought to widen the scope of consultation for the Bill as well as the Digital India Bill, and hold stakeholder consultations across states, and ensure that the discussion is also held in regional languages.”
There was one report that the Bill now be presented in the Monsoon session but it is yet to be confirmed.
For those who are aware of the Indian political scenario, the situation is very clear. Whatever be the proposition from the Government, it will not be accepted by the opposition. Hence there is no way the legislation can be passed by consensus. The Minister also should be aware of this.
If despite this, Ministers are making statements that the bill will be presented, passed etc., they are to be treated nothing more than political statements.
The current version of DPDPB 2022 is one of the most industry friendly provisions suggested by the Government and if the opposition stalls the Bill then there is no option for the Government to continue to use the current law namely ITA 2000 with Section 43A, Intermediary guidelines etc as the Data Protection regulation of India. The Adjudicators and CERT need to become more active and provide the “Regulatory oversight in the absence of the Data Protection Board” for which the law as is present now can be sufficient.
The objections raised by the IT Standing committee are related to the Regulatory authority, Government powers and the Cross border transfer. Other than this the Bill should be considered as “Acceptable”. Out of these two categories of objections, Regulatory authority and Government powers are not affecting the “Compliance” in the industry. Whoever is the regulator and whatever are the exemptions granted, industry level compliance is not directly affected. The Cross border related issues and the exemptions to the industry are being covered by the ITA 2000-Section 43A rules which will continue to apply as “Due Diligence” under ITA 2000.
What is required is for some Adjudicating officer taking up a data breach issue and imposing a fine of Rs 500 crores to stamp the authority of ITA 2000 and CERT In to initiate a prosecution. Then the industry will realize that there is already a law in India and what DPDPB 2022 is likely to do is only to replace it with an improved version. Politicians will also realize that what they are stalling is not the law itself but an improvement of the existing law.
Hence irrespective of the statements of the politicians, industry needs to go ahead and continue its Privacy and Data Protection implementation from the current “Best Practices Perspective”.
But what is disappointing is that the Government has shown no commitment to pass the law and is happy to play along with the opposition to postpone the passing of the law.
Naavi