By 2026, India’s digital economy is anticipated to grow to a staggering $1 trillion. For everything from shopping and socialising to education and government services, people are quickly moving online. Nevertheless, we are also producing enormous volumes of personal data as we embrace convenience. It is quickly becoming essential to comprehend how this data is managed and secured. After five years of debate and consideration, the Digital Personal Data Protection (DPDP) Law 2022 was recently put up as a framework to protect people’ information from abuse and unauthorised access. Although while the Bill explains people’ rights regarding their personal data and the duties of data collectors, several sections, such the connection with sectoral data protection rules, lack specificity.
Conflicting sectoral regulations are a problem that the current draught of the Bill attempts to address. In Section 29, it is stated that the provisions of the Bill will complement existing regulations rather than create new ones, but in the event of a conflict, the Bill’s provisions will take precedence. The first section enables the Bill to close any regulatory loopholes, while the second section raises questions regarding sectoral rules that could go above and beyond what the Bill stipulates. The context, which includes the types of data gathered, the methods used to obtain them, their intended uses, and the dangers involved, has a significant impact on data protection and privacy. Sectoral knowledge is therefore essential for efficient regulation.A detailed grasp of a certain sector’s market dynamics, technology, hazards, and business strategies is provided by sectoral expertise. Also, it makes it possible for regulators to have informed and fruitful conversations with stakeholders and industry experts.
Two main strategies have been developed by the international community to control privacy and safeguard data: general legislation and sector-specific rules. The Global Data Protection Regulation (GDPR), which offers the strongest and strictest framework to date, exemplifies the holistic approach. The sectoral approach in the US, however, is a patchwork of rules catered to certain businesses, as seen by statutes like the Gramm-Leach-Bliley Act (GLBA) for financial institutions and the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare sector.
Although being a broad framework, the GDPR provides unique rules for some sectors, such as the health care industry (Article 9). Moreover, GDPR allows EU Member States to enact actions above and above those specified in the regulation. In comparison to the GDPR, Germany’s Bundesdatenschutzgesetz (BDSG) includes several measures that are more stringent. The European Data Protection Board (EDPB), which is composed of representatives from the data protection authorities of each EU member state, offers advice on the application and interpretation of the GDPR, including challenges unique to certain industries.
For a number of reasons, including uneven protection, difficulties enforcing the legislation, rules that overlap and contradict one another, and a lack of federal oversight that leaves some industries unprotected, the American sectoral approach to data protection has been regarded inadequate. Businesses are left in a state of confusion and with coverage gaps, and there is no centralised agency to police data protection regulations, which prevents standardisation. Even in the United States, calls for a federal framework are becoming more frequent. Given that the Data Protection Board is intended to be a grievance agency rather than a regulator, the GDPR model may not be applicable to India. An independent regulator like the EDPB could have been more appropriate for the former version of the Bill, which included an Indian Data Protection Authority.
For instance, the Reserve Bank of India’s order on the preservation of payment data and the National Health Authority’s Health Data Management Policy are two examples of sector-specific laws governing data privacy that currently exist in India. They are the outcome of in-depth industry conversations and advice from specialists. The significant effort put into developing these laws would be undermined if they were ignored and a new framework was established. Any departure from the rules in place will force the industry to alter its operations once more, which will be expensive.
Hence, the DPDP Law must act as the foundational layer of protection, with sectoral regulators having the authority to add to it. Particularly in India, where not all authorities may have the same capacity, this approach may be helpful. In order to more effectively defend the interests of citizens, we must allow sectoral specialists to weigh in on the complicated topic of data protection. In the years to come, this will guarantee a safer, more secure, and dynamic digital environment.