The DPDP Saga

 

Few Questions & Review:

1.   The wordings for the data scraping provisions missing.

2.   The Data Privacy breach penalties are upto 250 crores. Penalty on the Data Principal is 10k.

3.   S.17(1)(d) says: d) personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India; the exemptions suited for IT/ITES.

4.   The Act is applicable within territory of India, & outside, if processing is in connection with any offering of services or goods to Data Principals within the territory.  

5.   Again, not applicable for those who use for personal use or have made it voluntary online or is under any obligation to make that data available.

6.   The face is the personal identity, thus, what about deep fakes or morphed data being used?

7.   A good thing is that Data now is ought to have been used by the Data Fiduciary via Data Processor or not, restricted to the work for which the Data Principal has given the consent, and, the data is/would be bound to be erased, after the completion of the work, unless retention is necessary in compliance of any law. But again, would be difficult for Data Principal to ascertain how & where the data was/is or would be used.

8.   But the default retention period is missing?

9.   Regarding consent, usually every Significant Data Fiduciary takes consent of the Data Principal before collecting its data (even if unknown to it how that data is being eventually consumed or used); so, is this more inclined towards micro level, rather at macro? And the remedies against at the micro, in terms of penalties then seems missing. 

10.              Every major data leak is eventually being reported by the mainstream, anyhow. Thus, the data Principal receives an email regarding that & being notified by the (Significant) Data Fiduciary. The Data Fiduciary usually mentions that the Data was/is/would be protected by all feasible measures taken with good faith, and due care was/is/would be taken in protecting the data of the Data Principal, hence not liable! Further, Data Principal would hardly come to know about the breach itself, unless acknowledged by the Data Fiduciary or Processor themselves? And as the Internet evolved by manipulating & stealing data of Individuals including Data protected by IP, & there’s a doubt whether Data Fiduciaries ever give a lucid reply u/s 11(1), and even if given; then consent terms, including given under clickwrap & browsewrap; allowed them to do so. And such agreements always take the consent of the Data Principal that the local laws would always be applicable in the event of any dispute. Thus, implementation issues?

11.              Of course, My IP is already Protected. But how it has been consumed, whether via scraping, or, manipulating of personal data via third parties; I’ve no idea!   

All said & done, the Internet was already crumbled by the policies such as -> number of clicks + followers == payback to the users + paycheck to the resident employees + revenue for the company. Internet may never be ameliorated!

© Pranav Chaturvedi