Privacy

Data Transfer Interoperability

While data protection laws are, for the most part, domestically focussed, when personal data has to move across border they need to work well with each other. But before that can happen, countries need to agree on the principles of interoperability.

Are We Willing to Change

India’s new data protection law will require businesses to make significant changes to the ways in which they conduct their business. To the point where they will have to fundamentally re-imagine their ways of working. It is not clear to me that many of them understand the sheer magnitude of what that entails.

Age Tokens

One of the more worrisome provisions of India’s new data protection law has to do with processing of children’s data - and in particular, how data fiduciaries should go about verifying the age of those whose data they process. Thanks to India’s digital public infrastructure, I believe we may have a novel solution.

Embracing ODR

The ODR approach can offer the soon-to-be-formed Data Protection Board mechanisms that are digital from the ground up. By integrating various elements of India’s digital public infrastructure into the ODR process adopted, we can ensure that data protection in India is techno-legal from the get-go.

We've Got Work To Do

The Digital Personal Data Protection Act, 2023 is not perfect. There are many things I would have liked to change. But it has been enacted and it is the law we’ve been given. It is time to stop the hand-wringing and get on with working with what we have.

The Business End of the DPDP Act

India’s new data protection law is simple and principle based. But it will require companies big and small to make radical changes to the way they operate. And I don’t think businesses fully realise the changes they are going to have to make.

Around The Corner

The Digital Personal Data Protection Bill - that has been listed as one of the items for discussion in the Monsoon Session of Parliament - will, if enacted be a significant first step in the journey to a functional privacy regime. But there is still a lot to be done including issuing regulations and establishing the Data Protection Board.

Sharp Lines

Regulating the intersection of data protection and competition is hard. Dominant platforms can leverage user data to create monopolies, limit user choice and raise competition concerns. As India prepares its own data protection law, it should try and avoid regulatory overlaps and strike a balance between data protection and competition regulation.

Looking Back

A reflection on the tech policy developments in India during 2022. While my initial predictions about data protection laws and tech sector reforms didn’t unfold as expected, there have been positive strides in India’s digital public infrastructure, like the UPI payment system and Account Aggregator ecosystem. India’s upcoming G20 presidency could further spotlight its techno-legal approach to regulation.

Data Breach

India’s new draft data protection law mandates that data fiduciaries must notify affected individuals and the Data Protection Board of a breach, but it lacks specifics as to timelines or remedial actions. I worry that over-reporting minor incidents could lead to public desensitization, and would have preferred a more balanced approach that only requires notification of only the most high-risk breaches, similar to the European GDPR.