The much awaited Digital Personal Data Protection Rules are finally with us and, with that the final piece of the puzzle is in place. While there is a lot to unpack, overall, the Rules follow the Act in terms of simplicity - adding just enough to make it complete without complicating things unduly. That said, there are a few issues that still need to be sorted out.
The individual agency that privacy laws offer were designed for a time before networked privacy. As a result we cannot just rely on laws and regulations to protect our data but need to do considerable additional work to secure it.
The question of what is to be done with personal data in the course of an M&A transaction is always complicated. It becomes even more so when the data in question is highly sensitive genetic information that was collected for a specific purpose. We need to think through these issues as the Indian law comes into force.
We have built our data protection laws on the edifice of consent. As a result, they are based on constructs that are derived from contractual frameworks. While this may have been acceptable in the early days of privacy law, the harms they need to protect against today are perhaps more effectively dealt with under tort law. We need to re-think consent.
While data protection laws are, for the most part, domestically focussed, when personal data has to move across border they need to work well with each other. But before that can happen, countries need to agree on the principles of interoperability.
India’s new data protection law will require businesses to make significant changes to the ways in which they conduct their business. To the point where they will have to fundamentally re-imagine their ways of working. It is not clear to me that many of them understand the sheer magnitude of what that entails.
One of the more worrisome provisions of India’s new data protection law has to do with processing of children’s data - and in particular, how data fiduciaries should go about verifying the age of those whose data they process. Thanks to India’s digital public infrastructure, I believe we may have a novel solution.
The ODR approach can offer the soon-to-be-formed Data Protection Board mechanisms that are digital from the ground up. By integrating various elements of India’s digital public infrastructure into the ODR process adopted, we can ensure that data protection in India is techno-legal from the get-go.
The Digital Personal Data Protection Act, 2023 is not perfect. There are many things I would have liked to change. But it has been enacted and it is the law we’ve been given. It is time to stop the hand-wringing and get on with working with what we have.
India’s new data protection law is simple and principle based. But it will require companies big and small to make radical changes to the way they operate. And I don’t think businesses fully realise the changes they are going to have to make.
