In 2017, when a committee of experts under retired Justice B.N. Srikrishna proposed a new data protection law for India, the world seemed to be marching inexorably towards globalization, and private industry seemed to be taking centre-stage, with nation-states fading in importance.
The world in 2022 stands changed. Brexit, trade disputes, brinkmanship and war have turned the tide, and states have sought to control technology as the power of online platforms, particularly in electoral democracies, has become evident. In India, pandemic lockdowns have shown both the tremendous benefits that transacting online can bring, as well as many of the risks. India has demonstrated the will to implement difficult and novel reforms in its very own way.
It was perhaps inevitable, therefore, that the committee’s ornate draft, based largely on Europe’s Global Data Protection Regulation (GDPR), which attempted to create a “fourth way” for “countries in the Global South”, would be re-examined. The various appendages that were grafted on to it, most prominently by a joint parliamentary committee which proposed that non-personal data also be regulated through it, made this relook even more of a necessity.
Previous drafts were viewed with fear by Indian industry as being too onerous and complex. Europe, with its long history of data protection, significant resources and relative homogeneity, struggled with implementing its GDPR, and imposing complex legislation on India’s nascent and poorly regulated yet massive and heterogeneous digital markets may have had unintended consequences for economic growth.
Therefore, the withdrawal of the previous draft and the release last week of a simpler, 24-page draft Digital Personal Data Protection Bill, 2022, drawing inspiration from Singapore’s Personal Data Protection Act, 2012, is timely. As a whole, it represents a more forgiving and business-friendly framework for compliance, and a more practical and realistic approach to getting data protection legislation in place quickly.
Once it is passed, hopefully in the next budget session of Parliament, businesses should expect to operate in an environment of greater focus on personal data. Companies will have to put in place a grievance redressal mechanism, failing which complaints can be made to a Data Protection Board. Individuals will have the means to understand how (and by whom) their data is being processed, and to correct and/or erase it. They will also have the option to approach high courts, which, after the Puttaswamy decision, are protective of data privacy and quick to penalize behaviour such as the use of egregious modes of data collection and “all or nothing” consent.
Businesses that process large volumes of data, do so in risky ways, or have the ability to impact electoral democracy or public order can expect to be notified as “significant” data fiduciaries. They will need to appoint data protection officers, strengthen policies and prepare for audits. Businesses that are “significant” under other regulations (such as those governing IT intermediaries), may be significant here as well. Startups and small enterprises can hope for some relaxations. The bill allows the government to exempt businesses. This was done with the recent cyber-security directions, which showed an intent to move with the market. Businesses that breach the bill’s provisions should expect significant consequences. While the draft no longer has criminal penalties, it prescribes large fines (of up to ₹250 crore for specific breaches and ₹500 crore per incident), and the Data Protection Board is expected to carry a “big stick”.
The bill is out for public comments, and businesses should seek clarity on key aspects. For instance, detailed consent is needed from users for collecting and processing data; and where data was collected under the current law, refreshed consent must be obtained. This may prove difficult. Similarly, consent must be obtained and notices provided in one of 22 different languages, as chosen by the user. Entities (especially small ones) which offer services in only one or two languages may want to seek relaxation on this, allowing them to provide notices in the same languages in which they offer their services.
Further, certain businesses such as search engines, credit-rating or fraud-prevention services or those processing public information may enjoy the ability to operate under “deemed consent”. However, the draft bill requires that they do so for a public purpose, which is defined narrowly. This may need to be broadened to achieve its intended effect. Similarly, businesses that operate in the news space may seek a clearer exception.
Crucially, unlike India’s previous drafts of privacy legislation, this bill is intended to have an overriding effect. Businesses that are subject to sector regulation would still need to demonstrate compliance with contrary requirements under the bill. Ambiguities and contradictions with sector norms must therefore be identified early and resolved.
Lastly, like several other aspects, the thorny problem of international data flows has been left to rule-making by the government. Getting predictability on this along with a clear implementation timeline may help businesses design their systems. Businesses should raise their concerns as part of the consultations that are to take place. Once its rough edges are smoothened, the bill will create a practical and facilitative environment for doing business in India.
Cyril Shroff & Arun Prabhu are, respectively, managing partner, and partner and head—technology, media and telecom, Cyril Amarchand Mangaldas