With the European Union (EU) fining Meta and stating that the company did not protect European data from America's surveillance regime, retired Supreme Court judge BN Srikrishna foresees a similar kind of tussle in India if modifications are not made to the upcoming data protection law.
The EU's clash with the surveillance laws of the United States was the reason it fined Meta a record €1.2 billion. The EU also ordered Meta to stop transferring EU data to the US.
"This is going to happen in India, if this government doesn't take adequate care in the Digital Personal Data Protection Bill (DPDP) 2022," said Srikrishna, who led the committee that drafted the Personal Data Protection Bill in July 2018.
Why? The EU's General Data Protection Regulation (GDPR) requires that, before data is transferred from Europe to any country outside the EU, one identify whether the laws in that country are equivalent to European ones in terms of safeguarding the data of EU citizens, explained Mathew Chacko, Partner at Spice Route Legal.
"In the 2022 data protection bill, the government can exempt any agency from any of the provisions of the Act. That means any government agency can dip into data and take it without consent. Does it really give people adequate protection that is expected under the law? This is going to be a big issue," Srikrishna said.
The area of focus, Chacko pointed out, is government regulation of data interception. Meta is subject to US surveillance laws (like FISA 702), which give the US government the power to ask for data whenever it wants.
India too has similar powers under the Information Technology Act, Telegraph Act, and provisions of the Indian Penal Code. The upcoming DPDP Bill 2022 expands on these provisions by providing exemptions to government agencies from the provisions of the bill.
"The government must, while enacting the new data protection legislation, comprehensively grapple with the problem of interception. Not only so that it complies with the requirements of European law, but also so that it complies with the requirements of the Indian constitution," Chacko told Moneycontrol.
"If they do not, the same issues that have happened between the US and the EU on data transfers, in respect to FISA 702, could see itself being revisited in India, perhaps in a slightly less hostile or less controversial manner," he added.
GDPR vs DPDP: Cross-border data regulations
As per the proposed DPDP Bill 2022, the government will, after an assessment, notify the countries or territories outside India to which data may be transferred, said Siddharth Mahajan, Partner at Athena Legal.
"The government under the proposed law intends to have a white-list approach," Mahajan said.
However, when it comes to comparison with similar regulations in jurisdictions such as the EU, the DPDP falls short.
"The GDPR takes into account various situations and also provides standard contractual clauses which may allow transfer of EU data between two private entities located in the EU and outside to facilitate such transfer of data outside the EU," he said.
"Earlier versions of the proposed Indian data law had similar provisions to GDPR; however, the present version is much more simplified," he added.