The Digital Personal Data Protection Bill was passed by the Lok Sabha yesterday. Even though there are a few provisions in this draft that I’d have preferred were left out, I believe this is the closest we have ever come to a law that is appropriate for our current stage of maturity in data protection.
India is probably the last significant nation without an active data protection regime. As a result, notwithstanding the depth of our tech industry, we have none of the institutional infrastructure that is commonplace elsewhere in the world — both within private sector entities for them to comply or in the executive branch of the government to enforce.
This is why I have been opposed to the enactment of a compliance-heavy, General Data Protection Regulation (GDPR) style regulation in India, even though this is widely believed to be the gold standard for data protection.
The new bill retains much of the simplicity that was the hallmark of the draft version made available for consultation. While it emphasises consent as the primary grounds for processing, the notice requirements are simple, doing away with much of the complexity that previous versions had.
Most of the other data protection principles — retention restrictions, purpose specifications, data security, and the like — have been included, though with none of the detail that GDPR-style laws possess.
But where the proposed law really shines is in some of its less obvious innovations.
Take for instance the stipulation that the data protection board will function as a digital office, organising all its business — from the receipt of complaints to the pronouncement of judgment — in a digital manner.
To the best of my knowledge, this is a first in any regulation in the country and, while it is not yet clear exactly what this will translate into, I am excited at the possibilities this opens up. Dare we hope that an online dispute resolution framework will be incorporated into the data protection regime?
I also like how the draft has brought the concept of the consent manager — so central to India’s data empowerment and protection architecture — into the foreground, effectively establishing it as a new institutional actor distinct from other data fiduciaries. By requiring all consent managers to be registered with the data protection board, it hints at the possibility that we might see cross-sectoral consented data-sharing arrangements in the near future.
Finally, by removing the restrictions on cross-border data transfers introduced in 2018 by the BN Srikrishna Committee, it looks like we have finally reverted to the far more sensible approach of simply listing those countries to which data transfers will not be permitted.
That said, there are various provisions that I believe we need to reconsider before the bill is made law. I have already spoken at length of my concerns with requiring data fiduciaries to put in place age-verification mechanisms in order to process children’s data. This will, I believe, have serious downstream effects on all online activities — whether or not targeted at children.
I have, similarly, shared misgivings over the way in which personal data breach is currently defined, and the fact that the obligation to report every incident to all affected data principals is not only excessive but also often impractical to implement.
I have also grown increasingly concerned with the duties that have been imposed on data principals — a first, to the best of my knowledge, in any data protection law anywhere in the world. While the intention appears to be to prevent frivolous or motivated claims by individuals who will see this new regime as a new opportunity to harass corporate entities, I am concerned that it might, to the contrary, end up having a chilling effect on data principals who are, as it is, ill-equipped to challenge large corporate entities who control their personal data.
But by far the most worrisome provision is section 37 (that has been introduced for the first time in this version) that confers upon the central government the power to block access to any online information that enables a data fiduciary to “carry on any activity relating to the offering of goods or services” in the country.
While I might bring myself to consider the inclusion of such a clause if it is aimed at preventing the unauthorised dissemination of personal information without the consent of the data principals, section 37 offers no such qualification.
The ability to block any and all content — even if it has no bearing on personal data — is, in my opinion, beyond the scope of this legislation. It ought to be deleted before the law is enacted.
It is easy to find flaws in any proposed legislation. Precisely because it needs to address the concerns of so many different constituencies, it is impossible that any law will satisfy everyone equally. Which is why even though it is not perfect, I am glad that the Lok Sabha has passed the draft as it is.
We can keep tinkering with the text but there comes a point when we need to stop thinking and start doing.
Rahul Matthan is partner, Trilegal. The views expressed are personal.