Some companies and their paid media friends seem to believe that it is better if India does not pass the PDPB 2019/DPA 2021. Various strategies are being used to create doubts in the minds of people that India does not need this law for the time being.
The latest Economic Times campaign is to suggest that ITA 2000 requires amendment since it is 22 years old and hence DPA 2021 can be re-drafted from scratch. I presume that these are only the wishes of some companies who are comfortable with the lawlessness that prevails in the Privacy and Data Security in India and wants to push the Indian Government into a situation where it can be blamed for not following the directive of the Supreme Court on introducing a robust Privacy protection law.
Though there must be sympathizers of the industry in the MeitY, their sympathy may not be able to stop the passage of the DPA 2021 though delays can be expected further on the implementation of different provisions.
It is necessary for the industry to recognize that India is not really dependent only on the PDPB2019/DPA 2021 to have a data protection law in India. In fact India already has a reasonable data protection law in place in the form of ITA 2000/8 and even if the Government intends to re-draft the ITA 2000, it cannot abandon the existing provisions of ITA 2000/8.
In the recent days, we have seen the Intermediary Guidelines and the CERT IN guidelines on Data Breach Notification issued under ITA 2000 which shows flashes of intention on the part of the Government to use the existing provisions of law even if the new provisions are obstructed.
ITA 2000 has the CERT IN which through its powers under Section 70B can issue directives and enforce Data Breach related provisions. Through the Data Breach prevention mechanism, it can exercise regulation on how data needs to be handled by organisations.
Though at present CERT IN is not talking about personal data, nothing prevents them from stating that “Data Protection Responsibilities” under Section 70B includes both personal data and non personal data and the protection of personal data is in the interest of all citizens and protection of Indian constitution.
Secondly, while CERT IN has the powers to impose its own penalty regarding non compliance of its directive, nothing prevents CERT IN from filing a complaint with the Adjudicator or inform the Police about any contravention of the ITA 2000 whether it is of Section 43A or 43 or any of the sections of Chapter XI.
The Adjudicator of ITA 2000 has the powers to start an inquiry suo-moto and need not wait for a complainant. Penalties upto Rs 5 crores can be imposed by the adjudicator of a State and money kept for the benefit of meeting the claims from prospective claimants.
These are the powers now available in ITA 2000/8 but not implemented so far because the CERT IN or the Adjudicators are not keen. But if the Government of India wants, it can make them active.
If so, companies who are opposing the DPA 2021 now would feel that it is better to have the act in place rather than being tried under ITA 2000 which has far more stricter provisions than DPA 2021.
When I look at these persons opposing DPA 2021 and feeling happy that their wishes are receiving some traction, I am reminded of the idiom “From the frying pan to Fire”.