The Urgent Need for Actionable and Comprehensive Data Protection Legislation in India
A rapid shift towards the digital modes of service delivery has highlighted the urgency to protect the privacy and security of the citizens’ data. Through a critical examination of India’s fragmented state of data protection legislation, we advocate for centralising the citizens’ rights in all policies and legislations.
The exponential growth of digital transactions in the past decade, especially in the last two years of the COVID-19 pandemic, has generated huge amounts of data in terms of volume, variety, and velocity (Seethalakshmi and Nandan 2020; Teltumbde 2017). Concerns about the inappropriate management of data, particularly personal or sensitive data, have also emerged, including data breaches and privacy violations (Kurian 2021; Douglas and Walsh 2020). The recent IBM report on “Cost of a data breach” disclosed a loss of nearly ₹176 million in 2021–22 to data breaches by Indian firms, which is a 6.6% increase from 2021 and a nearly 25% increase from 2020 (Ponemon and IBM 2022). This has potentially increased the vulnerability of the processes and structures for data protection that should rather aim to enhance the trust and confidence of the users and citizens in the state’s capacity to protect their fundamental rights.
Over the last few years, the Government of India’s regulatory actions in the data protection space have largely been on a piecemeal basis through interim guidelines, policies, and frameworks, such as Ayushman Bharat Digital Mission, 2020, Telemedicine Practice Guidelines 2020, 2022, Draft India Data Accessibility and Use Policy, 2022, and National Health Data Management Policy, 2021, 2022, to name a few. Further, India’s journey towards strong data protection legislation has been chaotic, with multiple rounds of deliberations and different versions of proposed bills under different ministries and departments. These included the Digital Information Security in Healthcare Act (DISHA), 2018, the draft Personal Data Protection Bill (PDPB), 2019, and the revised draft Data Protection Bill (DPB), 2021. This long, arduous process ended with the withdrawal of the draft DPB, 2021 in August 2022. It is proposed to be replaced with a new comprehensive legal framework to address the contemporary challenges of the digital ecosystem (ET Tech 2022). Thus, in the absence of comprehensive data protection legislation, only the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, drafted in accordance with Section 43A of the Information Technology (IT) Act, 2000, currently govern the sensitive personal information of citizens in India. However, the existing mechanisms under the IT Act and its 2011 rules are inadequate to safeguard the fundamental rights of the citizens (MietY 2000, 2011). For example, some of the aspects that highlight the inadequacy of the IT Act and Rules 2011 include a lack of defined data storage policy, data retention measures, non-adherence to data minimisation and purpose limitation, no penalties for data breaches, and a lack of proactive measures to ensure the security of personal data. With the current fragmented legislative state of data protection, and no comprehensive law in effect, millions of citizens’ personal data continue to be at risk of being misused, sold, and manipulated without their consent (JPC 2021; Marr 2018; Cassidy 2020). This raises the risks and uncertainties associated with privacy while weakening public trust in the government’s power to safeguard their right to privacy.