Privacy

We've Got Work To Do

The Digital Personal Data Protection Act, 2023 is not perfect. There are many things I would have liked to change. But it has been enacted and it is the law we’ve been given. It is time to stop the hand-wringing and get on with working with what we have.

The Business End of the DPDP Act

India’s new data protection law is simple and principle based. But it will require companies big and small to make radical changes to the way they operate. And I don’t think businesses fully realise the changes they are going to have to make.

Around The Corner

The Digital Personal Data Protection Bill - that has been listed as one of the items for discussion in the Monsoon Session of Parliament - will, if enacted be a significant first step in the journey to a functional privacy regime. But there is still a lot to be done including issuing regulations and establishing the Data Protection Board.

Sharp Lines

Regulating the intersection of data protection and competition is hard. Dominant platforms can leverage user data to create monopolies, limit user choice and raise competition concerns. As India prepares its own data protection law, it should try and avoid regulatory overlaps and strike a balance between data protection and competition regulation.

Looking Back

A reflection on the tech policy developments in India during 2022. While my initial predictions about data protection laws and tech sector reforms didn’t unfold as expected, there have been positive strides in India’s digital public infrastructure, like the UPI payment system and Account Aggregator ecosystem. India’s upcoming G20 presidency could further spotlight its techno-legal approach to regulation.

Data Breach

India’s new draft data protection law mandates that data fiduciaries must notify affected individuals and the Data Protection Board of a breach, but it lacks specifics as to timelines or remedial actions. I worry that over-reporting minor incidents could lead to public desensitization, and would have preferred a more balanced approach that only requires notification of only the most high-risk breaches, similar to the European GDPR.

Exceptionally Simple

The new draft of India’s digital data protection bill is praised for its simplicity and relatability, although it has raised concerns for its lack of detail and government exemptions. The draft also misses key concepts like data portability and uses non-standard terminology.

Digital Personal Data Protection

The latest draft of India’s Digital Data Protection Bill, 2022, stands out for its simplicity and new concepts like “voluntary undertaking” and official recognition of “consent managers.” However, it omits features like data portability and the right to be forgotten. Critics argue the draft lacks safeguards and over-delegates legislative authority, particularly around the concept of “deemed consent.” But the principles-based approach it espouses could ensure agile and enduring data protection regulation.

Privacy Impact Assessment

Given the Indian government’s increased use of technology, concerns around personal privacy necessitate the conduct of privacy impact assessments and the implementation of appropriate safeguards, such as a government privacy office, to balance the benefits of the technology with the potential harms to privacy.

Judge Made Laws

The US Supreme Court’s decision in Dobbs v. Jackson Medical overturned Roe v. Wade, ending the guaranteed right to abortion since 1973. The ruling challenges decades of jurisprudence, threatens civil liberties, and impacts personal privacy. It also raises questions about the doctrine of stare decisis and the frailty of judge-made law.