Regulating the intersection of data protection and competition is hard. Dominant platforms can leverage user data to create monopolies, limit user choice and raise competition concerns. As India prepares its own data protection law, it should try and avoid regulatory overlaps and strike a balance between data protection and competition regulation.
A reflection on the tech policy developments in India during 2022. While my initial predictions about data protection laws and tech sector reforms didn’t unfold as expected, there have been positive strides in India’s digital public infrastructure, like the UPI payment system and Account Aggregator ecosystem. India’s upcoming G20 presidency could further spotlight its techno-legal approach to regulation.
India’s new draft data protection law mandates that data fiduciaries must notify affected individuals and the Data Protection Board of a breach, but it lacks specifics as to timelines or remedial actions. I worry that over-reporting minor incidents could lead to public desensitization, and would have preferred a more balanced approach that only requires notification of only the most high-risk breaches, similar to the European GDPR.
The new draft of India’s digital data protection bill is praised for its simplicity and relatability, although it has raised concerns for its lack of detail and government exemptions. The draft also misses key concepts like data portability and uses non-standard terminology.
The latest draft of India’s Digital Data Protection Bill, 2022, stands out for its simplicity and new concepts like “voluntary undertaking” and official recognition of “consent managers.” However, it omits features like data portability and the right to be forgotten. Critics argue the draft lacks safeguards and over-delegates legislative authority, particularly around the concept of “deemed consent.” But the principles-based approach it espouses could ensure agile and enduring data protection regulation.
Given the Indian government’s increased use of technology, concerns around personal privacy necessitate the conduct of privacy impact assessments and the implementation of appropriate safeguards, such as a government privacy office, to balance the benefits of the technology with the potential harms to privacy.
The US Supreme Court’s decision in Dobbs v. Jackson Medical overturned Roe v. Wade, ending the guaranteed right to abortion since 1973. The ruling challenges decades of jurisprudence, threatens civil liberties, and impacts personal privacy. It also raises questions about the doctrine of stare decisis and the frailty of judge-made law.
We need to have checks and balances in law enforcement, even though technological advancements will allow us to take shortcuts. Else we will not be able to prevent state overreach that affects the fundamental rights of citizens.
An analysis of the JPCs draft of the data protection bill has some welcome changes - the amendments to children’s data and the introduction of Section 62 that allows complaints to be filed. It also has some misguided changes such as the introduction of NGOs in the definitions. It also has changes that will have a significant impact such as the amendments to Section 35 and 36 on exemptions to law enforcement. Finally it introduces some new concepts that are problematic such as the requirement that data protection officers in companies need to be senior officials and the inclusion of non-personal data within the ambit of the law.
When there were limited uses to which data could be put, it was easy to evaluate the harms that could result from providing consent. Things are much more complex today so data protection regulations have tried to improve the quality of consent. This has resulted in the transparency paradox. If we can adopt consent templates we can give users appropriate autonomy.
