“Without a strong data protection law, we wouldn't quite be able to take any action as what has happened is not a breach. While Section 43A of the IT Act talks about lack of consent from the users, it does not spell out any consequence for violating the same,” said Pranesh Prakash, policy director at think tank The Centre for Internet and Society (CIS). “Essentially, it's a toothless tiger.”
Having a data protection law might not directly stop firms from buying data from third-party developers and then deploying it for targeted users, but it is a great pre-emptive measure to stop unnecessary data collection. If users are asked to give consent for their data, it would vastly reduce the risk.
“The government's statement would be well supported, if it would be bringing a law, listening to key voices of experts and civil society. Even though the Justice Srikrishna Committee is currently examining and is expected to come out with a draft law, the timeline, transparency and willingness to safeguard user rights need to be better demonstrated,” said Apar Gupta, an independent lawyer.
Other experts have voiced their concerns over allowing tech giants to take sensitive user data out of the country. Once the data is out of India's jurisdiction, there is no way to ensure these companies are following the laws mandated by the government.
“Facebook is not an Indian company. We do not know how far it is complying with India’s IT Act. We should not be compromising on security and allow tech firms to play in the market without complying with the laws,” says Pavan Duggal, cyber law expert and Supreme Court advocate.
While both the Congress and the BJP have accused each other of working with Cambridge Analytica and denied their own affiliation with the company, the UK-based firm was already functioning in India through its partner Ovleno Business Intelligence (OBI). The OBI website, which has now been taken down, had listed the BJP, the Congress and Janata Dal (United) as its clients.