India's DPDPA - a citizen friendly bill with an eye on future

Image generated by Microsoft AI Designer

Few weeks ago I commented that the India-US collaboration is missing the key subject of Data Protection law. The Data Protection Bill was still in 'draft' stage then, and now that its been passed by the parliament, I got reading it. 

While my misgivings about Data privacy not being featured in India-US discussions as well as my reservations about the Bill excluding governments and regulators from its purview, continue; I must say that the the law itself has come out as a nicely drafted piece of legislation, and a departure from the legalese of other countries' laws such as EU's GDPR and CCPA/CCPR in California, United States.

Firstly, the language of the bill is quite lucid and easy to understand - for people like me who are not lawyers, the language was quite easy to understand and digest. Not just simple language, but the Act includes Illustrations within its text to clarify the meaning and intention of different clauses - which makes it far more relatable than any other privacy law. 

Second, probably the first law in India to use she/her for addressing an individual in a gender-neutral context. This is a hugely progressive move towards gender equality. 

Thirdly, the bill has innovated in the right places building on top of the UN adopted Privacy principles and existing template followed by GDPR, CCPA and other laws (ex POPI in South Africa and GDPL in Brazil). The 3 key innovations I noticed are:

1. Blacklist instead of whitelist: Most laws take an approach of mistrust when it comes to sharing data outside their borders, which is quite antithetical to the globalized digital world for which these laws have been drafted. Digital data is more often moving across national borders than within. Even for countries like India who have a huge Data Centre industry within itself, data will often move outside its borders and then return back to its domestic data centre. Hence, the DPDPA's approach where it only requires data to NOT go to a defined blacklist is far more pragmatic and commensurate to a global digital ecosystem. 
2. Mandating linguistic variety: As users, it has become common for us to just rush through the Privacy notices which websites throw at us, and click on "I Agree" without a second glance. There are many factors at play but one of them is our inability to read legalese in these notice texts, coupled with these notices not being in a language of choice for most people. India where people speak 300 dialects across (at least officially) 18 different languages, one of the reasons could be unavailability of the notice text in local language. Mandating that notice text be provided in all of India's 18 languages is another citizen friendly provision.
3. Digital office: In an extremely pertinent but forward looking move, the Act clearly describes itself to be meant only for digital data and all its entities - the Data Protection Board and the Appellate Tribunal - to exist as "digital offices" which means, in words of the Act itself: an office that adopts an online mechanism wherein the proceedings, from receipt of intimation or complaint or reference or directions or appeal, as the case may be, to the disposal thereof, are conducted in online or digital mode. This is so heartwarming to read for a digital enthusiast like me. For the first time a law is recognizing the changed milieu which mankind operates in and seeks to take advantage of rather than fight it.

Fourth, while many provisions of the law are similar to what other Privacy laws have, I find this to be first law that which does not look at Data Privacy as a matter of protecting Citizen's data alone, but that of maintaining a balance between the rights of individuals and the need by organizations to process their data. To quote the beginning sentences of the Act itself: 

A bill to provide for the processing of digital personal data in a manner that recognizes both

the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

The act lives up to this motto and I noted some small quirks to achieve this objective:

1. Duties of citizens: The Indian law is probably the first one to have put duties of the Data Principal (referred to as Data Subject in other laws). This is a good move which will discourage rogue activists from using the law to harass corporates and other Data Fiduciaries in the name of the Privacy law. This has been a pattern in Europe and US where rogue activists have misused the privacy law to settle scores relating to employment disputes or payment related claims.
2. Conditionality of consent being lawful: As users we may not be well equipped or have enough time to understand and evaluate the implications of the consent we are giving. Here the law makes it clear that if the consent language violates the act, it will automatically become invalid.
3. Provision for a limited window holiday to startups: While the law puts the onus of implementing this clause on the Central government, it does allow it to exempt certain classes of Data Fiduciaries (referring to startups as an example) from the duties under this Act for any period. This is good move to prevent the law from stifling innovation simply because startups in India are not yet prepared for it. However, to prevent vested interests in the Central government to misuse this provision perpetually, the Act also states that the Central government can keep giving exemption only until a period of 5 years from the date of this Act coming into existence. Which means that the government will lose powers to exempt anyone for any period from 2028.
4. Research excluded: Unlike GDPR which allowed research to be exempted from Privacy law obligations only if the data was anonymized or pseudonymized, the Indian law allows research related work to be exempted irrespective as long as the results of the research are not used to to take any decision specific to an individual. This is again a prudent move because certain research may require identified data and de-identification of the data may reduce or eliminate the effectiveness of the research.
5. Not prescriptive measures: Unlike GDPR (which I had studied when it came out), Indian law does not get prescriptive - it does not talk about technologies or tools like encryption or de-identification. This is a welcome departure from the way the IT Acts (2000 and 2008 amendment) were drafted. This creates provision for longevity of this Act to survive technological and societal changes. This is pretty much in-line with the spirit of the Constitution.
6. Time limit on dispute resolution: While the Data Protection Board has not been given any time limit to resolve issues, the Appellate Tribunal shall be required to document any cases which have not been resolved for more than 6 months, For the Indian Judicial system where average age of cases is 20-30 years, this provision is a welcome move to bring efficiency in the process. 
7. Preventing Civil courts from adjudicating: The Act only empowers the Appellate Tribunal jurisdiction on cases under this act and prevents Civil courts from entertaining any cases under the Act which the Data Protection board is looking into. This again is a welcome move to prevent lawyers from playing the game of taking the case from one court to the other to delay justice.
8. Compulsory Parliamentary assent to rules: This is again a good move where the Government of the day cannot pass any rules under this Act voluntarily without consulting the legislature. Every rule made under the Act will have to be brought to the Parliament for ratification in its next session. 

Finally, is this law flawless - not so much. As I had mentioned in my previous blog post, this Act leaves out all Governments and several activities relating to law enforcement, judicial review, investigation of willful defaulters out of its purview. This is contrary to the propensity of data leakage incidents from government quarters itself. Government and law enforcement bodies should have been, at least, made responsible for data security and responsible handling of data via Technical and Organizational measures under this Act. 

Secondly, the Act gives sweeping powers to government to block content for access by the general public based on the Data protection board's advice. This actually infringes on citizen's right to information and as we have seen in past, such provisions are misused by governments to block legitimate uses of data, leading to more collateral damage than benefit the nation. 

Thirdly, the Act creates a special class of Fiduciaries called Significant Data Fiduciary (SDF) and following prudent privacy practices like conducting DPIAs or appointing a DPO is only required by SDFs. While this may keep the cost of compliance low for smaller organizations, it will also prompt large corporations to circumvent the law by offloading their crucial data operations to smaller firms or spin-off smaller entities to escape the provisions of the law. I feel that the identification of such malpractices will be an Achilles heel in stringent enforcement of this Act.

Lastly, as we all know, passing an act is simply a starting point and the major steps lie in implementing which has been a weak point for Indian ecosystem. The IT Act has been in force for 20+ years now and yet data security enforcement is not quite there yet. 

In conclusion, "The Digital Personal Data Protection Bill, 2023" is a huge step in the right direction and in the right spirit. It is also a well drafted law. We must hope that its implementation leads to permanent changes in the way India treats data of individuals and helps develop a mature digital data economy in India.

Amen!