Editorial: A Complex but Vital Law
Can the DPDP Act Secure our Data
In a cursory reading, the Digital Personal Data Protection (DPDP) Act comes across as complicated. Its clauses, technical terms, and add-ons can be boring and convoluted. But be cautioned: we shall ignore this vital Act at our own peril. Sooner or later, all of us will have to know – or suffer – its consequences. That is why it is a good time to start making sense of it.
This special issue of your journal tries to discuss the Act in its overall context. The idea is to appreciate the value of our data and begin to think about its full protection individually as well as collectively. We have tried to explain the provisions of the Act in simple terms through FAQs and focused articles. A glossary of technical terms is given on the preceding page while a timeline follows on the next page.
As we know, our daily activities create digital footprints that can be accessed, stored or shared by multiple agencies. We generate personal data virtually all the time: when we follow a digital map, order things online, share a joke or a selfie, make a payment, or just phone a friend. Even while we sleep, our smart watch records our heartbeats and sleep patterns. CCTV cameras do the same when we take a walk in the park. All such data is of enormous value for multiple players like governments, businesses, scammers, political parties, or entities based overseas.
Some of this data keeps slipping out of our hands with or without our knowledge. When we use an app, or when we make a UPI payment, we give our consent to third parties to process that data, presumably for lawful purposes. Often, we do not even know if and when such consent was given. This is where a data protection law steps in. The DPDP Act aims to protect the privacy and personal data of individuals. The Indian law draws on the European General Data Protection Regulation (GDPR) but many feel that it falls short of its stated objectives.
The DPDP Act applies to all personal data collected online or digitised from offline sources. It grants an individual the right to obtain information regarding personal data, seek corrections, and ensure redress of grievances. The objective is to ensure that data is maintained accurately, stored securely, and erased when its purpose has been met. The law permits the transfer of data overseas with certain conditions. It has a compliance and oversight mechanism for organisations and companies with provisions for penalties through a proposed Data Protection Board.
The main criticism of the DPDP Act comes from the sweeping exceptions it provides to the state and its agencies. This is also a point of departure from the European GDPR which puts the autonomy of the individual at the centre. The DPDP Act overrides consent for certain purposes vaguely defined under the umbrella of national security, public safety, and prevention of offences. It also makes the citizens vulnerable to data breaches and mass surveillance.
For a healthy relationship between technology and democracy, the law has to catch up quickly with the fast-changing digital world. As citizens, we do not tend to protect our general data as keenly as we guard our investments or bank accounts. But a fair and progressive law requires us to be sufficiently aware of all its implications in light of our fundamental right to privacy. This issue is a step in that direction.
As always, your comments are welcome at commoncauseindia@gmail.com
Vipul Mudgal
Editor
NEXT »
