One of the consequences of the Data Protection Act, and of the potential penalty of 4% of total worldwide turnover for non-compliance, is that Data Fiduciaries are focused more on “Compliance” as per the written law than on the purpose behind it.
It is true that the Data Protection Law (DPA 2021 or GDPR) is basically a law formulated to protect the “Privacy” of individuals. The compliance provisions are only a tool to achieve this Privacy protection when the personal data is in the form of “Electronic Information”.
“Privacy” in its pure sense is a state of mind of an individual and is dynamic. It will change from person to person and from time to time in the same person. Hence a “law” written down and enforced as a rule cannot protect “Privacy”.
The way out of this impossibility is to look not at the need to protect “Privacy” but to protect only “Information Privacy”. Further the protection of “Privacy” is simplified as protecting the choices made and expressed by the data principal about what information related to himself/herself may be collected by another person and how it can be used.
The law makers themselves have accepted the impossibility of defining “Privacy” and hence the data protection law tries to address only the way the personal data may be protected while in electronic form.
Considering this philosophy, that “Privacy Protection” as such is not possible and only the data principal’s choice of how particular pieces of data may be used can be protected, “Privacy Protection” as a concept has given way to the concept of “Personal Data Protection”.
As a result, the “Privacy Policy” which is expected to describe the “Privacy Constitution” of an organization should accept its limitations and transform itself to a “Personal Data Protection Policy”. An organization can therefore commit only to a “Personal Data Protection Policy” and not to a “Privacy Protection Policy”.
Unfortunately, today organizations develop documents called the “Privacy Policy” and profess that they are committed to the protection of the Right to Privacy. This is not a commitment that can be put into practice; it remains a matter of words only.
These privacy policies need to be re-defined and transformed as “Personal Data Protection Policies”.
The Complication of DPA 2021
The Indian DPA 2021 has complicated the issue further by calling the Act the “Data Protection Act” and not the “Personal Data Protection Act”. As a result it is trying to assume a larger role, to “Protect” both “Personal Data” and “Non Personal Data”.
Protection of personal data is related to “Privacy Protection”. But protection of “Non Personal Data” is not related to “Privacy Protection”. It is related to maintenance of law and order and prevention of crimes, protecting the rights of the owners of non personal data against wrongful loss.
In view of this, the transformation of an organization from adopting a “Privacy Policy” to adoption of a “Personal Data Protection Policy” or a “Data Protection Policy” needs to be carefully structured.
The objective clause of this “Data Protection Policy” (DPP) should perhaps be defined as
“To manage personal data in accordance with the DPA 2021 and to manage the Non personal data in accordance with ITA 2000”
This definition requires compliance of two laws simultaneously and substantially enlarges the scope of the Data Protection Policy.
It may be more practical for some organizations to split the DPP into a “Limited Data Protection Policy” (LDPP) and continue with their current practices for compliance with ITA 2000.
In this context, LDPP can be defined as
“Managing personal data and non personal data in accordance with the DPA 2021”.
Modifications in PDPSI
Naavi and FDPPI had promoted a comprehensive framework called PDPSI for compliance with the earlier version of the Personal Data Protection law in India. This requires upgradation consequent to the changes proposed by the JPC.
It is therefore necessary to consider upgradation of the PDPSI into DPSI, or Data Protection Standard of India. The earlier recommendations of PDPSI would continue to be relevant, and the minor changes that may be introduced by the Data Protection Authority of India under Section 25 (Non Personal Data Breach notification) would be integrated in the fine tuning of the 50 implementation specifications.
The Data Fiduciaries may implement the LDPP and remain in compliance with the DPA 2021.
The distinction between LDPP and DPP would be that LDPP covers only the requirements of DPA 2021 related to personal data and non personal data. DPP will, however, include complete compliance with ITA 2000 along with DPA 2021.
The data fiduciaries will however have the option to extend the implementation not only to full fledged compliance with ITA 2000 but also to compliance with other international laws such as GDPR.
It is to be specifically mentioned that “Extension of DPSI to ITA 2000 or GDPR” does not mean overlapping of multiple regulations. Each regulation is by law applicable to one type of data, and hence there is no overlapping of provisions.
For example, all personal data requirements in India will be governed under DPA 2021. What is not covered under DPA 2021, including the Non Personal Data related regulations, will be covered under ITA 2000.
Personal data which is under the scope of GDPR will be covered under GDPR, and this will not include personal data covered under DPA 2021. Similarly, data covered under CCPA will not clash with either GDPR or DPA 2021, and data covered under DIFC-DPL will not clash with GDPR, CCPA or DPA 2021.
These differences will be addressed through the “Data Classification Policy” which will segregate the data under the control of a Data Fiduciary based on applicable laws.
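The segregation step described above can be made mechanical: each data asset is tagged with exactly one governing regime, and the classification rules are checked for gaps and overlaps rather than trusted. The following is an added illustration, not code from the original post or from PDPSI/DPSI. The location codes, the `subject_location` field and the scoping by the data principal’s location are assumptions made for the example; the actual material and territorial scope tests of each law are not described on the page.

```python
"""Illustrative Data Classification Policy engine (added example, not from the page).

Each asset under a Data Fiduciary's control resolves to exactly one regime, so the
"no overlapping of provisions" principle is verified per record instead of assumed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Regime(Enum):
    DPA_2021 = "DPA 2021"
    ITA_2000 = "ITA 2000"
    GDPR = "GDPR"
    CCPA = "CCPA"
    DIFC_DPL = "DIFC-DPL"


@dataclass(frozen=True)
class DataAsset:
    name: str
    is_personal: bool       # relates to an identifiable individual
    subject_location: str   # assumed tag for where the data principal is: "IN", "EU", "US-CA", "DIFC"


# Classification rules as (predicate, regime). The predicates are written to be
# mutually exclusive; matching_regimes() checks that instead of trusting it.
# Scoping personal data by the principal's location is an assumption of this example.
RULES = [
    (lambda a: a.is_personal and a.subject_location == "IN", Regime.DPA_2021),
    (lambda a: a.is_personal and a.subject_location == "EU", Regime.GDPR),
    (lambda a: a.is_personal and a.subject_location == "US-CA", Regime.CCPA),
    (lambda a: a.is_personal and a.subject_location == "DIFC", Regime.DIFC_DPL),
    # Whatever is not personal data falls back to ITA 2000, as the post states.
    (lambda a: not a.is_personal, Regime.ITA_2000),
]


def matching_regimes(asset: DataAsset) -> list[Regime]:
    """Return every regime whose rule matches, so gaps (0) and overlaps (>1) are visible."""
    return [regime for predicate, regime in RULES if predicate(asset)]


def classify(asset: DataAsset) -> Regime:
    """Assign exactly one regime; refuse to guess when zero or several rules match."""
    matches = matching_regimes(asset)
    if len(matches) != 1:
        raise ValueError(f"{asset.name}: expected exactly one regime, got {[m.value for m in matches]}")
    return matches[0]


def segregate(assets: list[DataAsset]) -> dict[Regime, list[str]]:
    """Group asset names by governing regime: the register a classification policy needs."""
    buckets: dict[Regime, list[str]] = defaultdict(list)
    for asset in assets:
        buckets[classify(asset)].append(asset.name)
    return dict(buckets)


# Constructed sample inventory for this example.
SAMPLE_ASSETS = [
    DataAsset("crm_customers_in", is_personal=True, subject_location="IN"),
    DataAsset("newsletter_eu", is_personal=True, subject_location="EU"),
    DataAsset("loyalty_california", is_personal=True, subject_location="US-CA"),
    DataAsset("server_metrics", is_personal=False, subject_location="IN"),
]

if __name__ == "__main__":
    for regime, names in segregate(SAMPLE_ASSETS).items():
        print(regime.value, names)
    # A personal record with an unknown principal location matches no rule and is flagged
    # as a policy gap rather than silently dropped into a default regime.
    try:
        classify(DataAsset("orphan_export", is_personal=True, subject_location="??"))
    except ValueError as err:
        print("gap:", err)
```

The design choice worth noting is that `classify` raises on both zero and multiple matches: a record that no regime claims is a compliance gap, and a record that two regimes claim is exactly the overlap the post says the policy must rule out, so neither should pass through unnoticed.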
More clarifications will be issued in this regard in due course when the law is finally passed.
Naavi