A small step for data protection, big leap awaited

It is an exciting time to be in the Indian tech policy space right now. The government has listed the Personal Data Protection Bill in Parliament for the winter session. The Union Cabinet has approved the Bill and it is likely to be introduced for discussion before the on-going winter session of Parliament ends on December 13.

Going forward, this Bill will update the currently non-existent standards for privacy and consent. The law will (as stated in the draft Bill prepared by a high-level committee headed by former Supreme Court judge B N Srikrishna) also set up a data protection authority. As these developments occur, and India begins to set its own standards in the space, it is important to keep in mind that this milestone is the beginning for stronger data protection, and not the end.

One of the most important aspects of the Bill is the setting up of the data protection authority (DPA). While the draft Bill sets up broad principles for privacy, a huge chunk of the work has been left for the DPA to carry forward. There are big-ticket items that need to be resolved while keeping in mind the larger vision for data protection in India. For instance, the authority will need to establish and enforce conditions on which personal data can be collected, accessed, and processed without consent. The DPA will need to be the policy formulator as well as the enforcer. Given the pace of progress in technology, the DPA will also need to be proactive in its approach rather than reactive. All of this means that the authority is always going to be strapped for capacity and will need to have appointments whose values align with that of the law’s larger vision. It is a thankless task to manage trade-offs between privacy and innovation in a country like India. That is what the Bill is formally setting in motion through establishing the DPA.

Momentous as the Bill’s passage will be, it is crucial to note that this will not automatically mean that personal data is safeguarded going forward. There is potentially a 12-month period between the date it is signed-off by the President and when it is finally notified by the Central Government. This can be followed by a 3-month period to establish the Data Protection Authority and another nine to 15 months for all provisions to come into effect. Cumulatively, this could mean that it may be more than two years after it receives Presidential assent before there is a fully-functional data protection regime in place. The process could conclude earlier, but given the complexity of the tasks at hand, it is not unreasonable to expect that most of the allowed timelines will have to be utilised.

As with any policy, the outcomes will depend on how effectively it can be implemented. Much has already been written about the drawbacks of a consent-based model resulting in consent-fatigue. The Bill calls for privacy by design, but ensuring accountability will be difficult since most design decisions are opaque. A recent study on the EU’s General Data Protection Regulation (GDPR) and ePrivacy Directive violations revealed that 54 per cent of websites tested were non-compliant. Also, considering the number of data fiduciaries (not limited to the online world) one can interact with on a daily basis, a person may never find out if their personal data has been misused, or which entity is responsible.

The Bill proposes mechanisms for addressing grievances. It also requires entities that handle large volumes of user data to undergo audits and assessments. How responsive and transparent these processes turn out to be will be the indicators of how efficient the policy is. There have only been limited studies on privacy in the Indian context but the most existing literature points to the collectivist nature of society to explain the low levels of privacy consciousness. While awareness is growing, if people display a high level of apathy towards ensuring the protection of their personal data it may push data fiduciaries down the path of non-compliance.

The government should table the Bill at the earliest to allow sufficient time for discussing the finer aspects of the Bill on the floor of the house. The number of questions posed to MEITY on the topic of privacy and data protection indicates a high degree of interest in Parliament on the subject. The government should also endeavour to remain as transparent as possible when framing the remaining provisions. Simultaneously, society should not slide into complacency after the passage of the Bill. Instead, it must continue to stay engaged to ensure that we have a strong data protection regime that succeeds in safeguarding Indians’ fundamental right to privacy.

(Rohan Seth and Prateek Waghre are technology policy analysts at The Takshashila Institution)

Disclaimer: The views expressed above are the author’s own. They do not necessarily reflect the views of DH.