The Digital Privacy and Data Protection Act (DPDP), legislated by parliament, which intends to protect personal data of individuals, is an oddity in the internet age. Amongst its perceived benefits, which are questionable, it will create headaches for companies, with oppressive compliance obligations. The Act is based on the European model, a moot idea created by a Brussels based bureaucracy. The European Union is a sad example of a lagging continent, which has lost out to others in the international community of nations. When the Eurozone was created, its annual output was the same as the United States. Now Europe is about half the size of America. Some of this can legitimately be ascribed to onerous obligations that inhibit business growth and productivity.
As the digital landscape morphs rapidly, so do the tribulations encompassing data privacy and protection. The DPDP Act, falls short of addressing the intricacies of modern data usage. In an age governed by tech giants like Google, Apple, and dozens of applications that collect, analyse, and monetise user data, the Act faces acute restraints that undermine its efficacy. One could justifiably question as to what the fuss was all about in the first place? One of the primary concerns with the Digital Data Protection Act is its limited scope. While it aims to safeguard personal data, its definitions and parameters often fail to encompass the vast array of data collected in the digital ecosystem. For instance, the Act does not adequately cover the myriad of metadata generated by user interactions, which can reveal as much about an individual as the data explicitly shared. In an environment where companies like Google and Apple harvest data on user behaviour, preferences, and habits, the Act’s reach feels insufficient. Tech companies know almost everything about users. These include sleep patterns, health issues, exercise routines, travel habits and much more. The information that they collect and store, can be used to identify patterns on personal preferences, routines and even political leanings.
The Act operates under the premise that Indian companies and entities are the primary collectors of data, but in reality, for many users’ data is controlled by global corporations. Google, Facebook, and Apple are not bound by Indian regulations, when operating in their own jurisdictions. This discrepancy creates a significant loophole: users can be subject to Indian data laws while their data is ultimately processed, stored, and monetised outside the country, rendering local protections ineffective. Even if the Act were to establish robust protections, the practicalities of compliance and enforcement present significant hurdles. The sheer scale of data collection by major tech companies makes it challenging for regulatory bodies to monitor and enforce compliance effectively. Another critical issue is user awareness. Many users remain ignorant of the extent to which their data is collected and used. While the Act promotes user consent, it cannot empower individuals with the knowledge required to make informed decisions about their data.
While the Act purports to give users greater control over their personal data, in practice, it may create an illusion of control. Users can request data deletion or modification, but the actual implementation of these rights can be fraught with complexity. The power dynamics between users and tech companies often favour the latter, making it difficult for individuals to exercise meaningful control over their data. Whilst it will clearly not serve its intent, it will almost certainly frustrate businesses and impair their operations and growth. That cannot be construed as a good thing. In any event, most users actually don’t care. They willingly share their daily lives on social media platforms, leaving privacy issues quite irrelevant.