The recently released draft of the Digital Personal Data Protection Bill, 2022 is a pragmatic, evolved, and contextual approach to protecting Indian personal data. Significantly, it marks a clear rupture in the direction in which the debate on privacy has been evolving, where data privacy necessarily has to be protected by a powerful, cross-sectoral, and intrusive regulatory agency.
The 2019 version of the law, the Personal Data Protection Bill, 2019, was an expansive, cross-sectoral law that proposed many consumer rights and significant privacy-related compliance obligations on Indian businesses. Elevated protections were accorded to sensitive and critical personal data. Data fiduciaries had additional requirements to be designated as “significant.” Cross-border transfers of data were restricted based on whether the data was sensitive or critical. While some of these rights and requirements are necessary, the 2019 bill would have required a significant increase in compliance costs across the economy, especially for small businesses. The bill also proposed an independent regulatory agency, the Data Protection Authority, to implement the law, specify the details of many of its parts through regulations, and supervise compliance with the law and its own regulations. One major flaw in the 2019 bill—that is sadly present in the new version as well—was the exemptions given to government agencies from many data protection requirements. The bill’s biggest issue was the challenge of implementing all its provisions effectively, from ensuring a wide degree of compliance requirements to setting up a new regulatory agency with an expansive mandate. In contrast, when the EU adopted the General Data Protection Regulations (GDPR), it was preceded by almost three decades’ worth of privacy regulation and court jurisprudence. The GDPR harmonized this developed field of regulation across the EU. This was an incremental step in privacy regulation. Importantly, after the GDPR was enacted, many countries in the EU transitioned from pre-existing agencies or departments to creating independent Data Protection Authorities (DPAs).
For India, on the other hand, the 2019 bill meant a quantum jump in regulation, with no prior jurisprudence, experience, or expertise in data regulation. Implementing a novel, expansive law would have meant significant regulatory uncertainty and increase in compliance. The DPA would have had to implement this expansive law while being beset with the same constraints—lack of experience, expertise, or jurisprudence in data regulation.
Since data privacy regulation is cross-sectoral, the DPA would have to build knowledge of specific privacy concerns across a number of sectors, or mandate sector-agnostic standards. This would have created the risks of overregulation in some sectors and under-regulation in others. The consequence of these asymmetries would have affected small businesses more since large, technology-intensive firms are already internalizing many of these costs.
To implement such an expansive law with a degree of moderate success, the DPA would have had to prioritize from among its functions, and identify the most challenging issues. This would have created the additional risk of incorrect problem identification. Each of these issues would have been easier to handle in a mature digital economy with decades of experience and jurisprudence, but much harder for the Indian DPA.
The 2022 draft bill completely does away with the DPA. In its place is a body with a much narrower mandate, the Data Protection Board. The board is vested with a narrow set of functions—conducting inquiries against businesses for non-compliance with the law and penalizing non-compliance with financial penalties of up to INR 500 crore (5 billion), and issuing directions to businesses to remedy data breaches. The board is not a regulation-making body and will not set standards. Neither will it supervise the entire economy to ensure compliance with these standards. This is likely to improve regulatory certainty and provides a better balance between enshrining data privacy requirements on the one hand and allowing the economic use of personal data on the other.
There are at least three ways in which the removal of the DPA achieves this balance:
- While the 2022 bill retains many of the consumer privacy rights and concomitant obligations for businesses, the requirements in the bill will not be subject to further interpretation and standard-setting by a DPA. Businesses will be free to interpret these provisions in the manner that best suits them. This is a big change. In every sector with a regulator, the continuous stream of regulations requires continuous changes in compliance. The lack of prior jurisprudence and context-specific knowledge about the Indian market would have made this process much more uncertain and cumbersome for businesses. The 2022 bill places an emphasis on outcomes instead of regulatory compliance.
- This change in approach will in turn make the role of the Data Protection Board critical. Its decisions when dealing with complaints of non-compliance will create the first systematic jurisprudence on data protection in India. Instead of protecting privacy through regulatory fiat, regulatory standards will be created whenever the board interprets the activities of businesses in specific contexts and decides whether and how they have violated the law. The composition of the board, its independence from the executive, and the degree of expertise they can rely on while adjudging cases will therefore play an important role in how consumers and businesses will think about data protection.
- Regulatory requirements often end up excluding many participants from the market because these are not met by certain entities. Achieving the right balance between allowing “good” firms and excluding “bad” ones is easier for regulators when markets themselves are mature enough to understand what kinds of conduct are unacceptable. However, there are only a few such commonly understood standards within the realm of personal data. Many of these standards, such as consent-notice, purpose and storage limitations, and data security requirements, are already present in the bill. DPA regulations would have straitjacketed the adoption of many of these standards and possibly made compliance harder for many businesses. In addition, India’s digital economy is still maturing, and many business models will be tried and discarded. This dynamism is essential at an early stage of market development. A full-fledged regulator restricting these developments through regulatory fiat would have possibly resulted in false exclusions. A board with limited power to adjudicate on complaints will instead allow these standards to be created and absorbed by the market over a period of time.
For these reasons, there is much in the 2022 draft bill to be enthused about. While there are some issues that still require greater deliberation and clarification, on the question of institutional structure, the government has successfully resisted the allure of creating a shiny new regulator. Once India’s digital ecosystem matures, we may well require one. For now, it is more important to allow the market to develop within a clear and simple set of privacy protection parameters, and this is what the 2022 bill does.