<p>On July 5, the Union Cabinet <a href="https://www.deccanherald.com/national/cabinet-approves-data-protection-bill-draft-to-be-tabled-during-monsoon-session-of-parliament-1234206.html">cleared India’s long-awaited data protection law</a> — the Digital Personal Data Protection Bill, 2022. Reports suggest it will be tabled before Parliament in the upcoming Monsoon Session.</p>
<p>The Bill follows from the landmark KS Puttaswamy judgment of the Supreme Court of India in 2017 that recognised privacy as a fundamental right, and is India’s fourth attempt to introduce a data protection law.</p>
<p>Among other things, the Bill lists the rights and duties of individuals and the obligations of companies that have access to personal data. There’s no doubt about the necessity of a personal data protection law. As we gear towards the parliamentary approval of the Bill and its implementation, we need to be conscious not only of the rights and obligations under the Bill but also of how these may impact the competitiveness of Indian firms.</p>
<p><strong>Cost of compliance</strong></p>
<p>Complying with the Bill will be expensive. The Bill requires certain types of companies to implement security and technical measures and safeguards to protect data, and these are likely to be both time- and cost-intensive. What this means in practice for companies has not yet been spelt out; it is likely left to the much-discussed provision in the Bill that enables the government to prescribe rules explaining the Bill.</p>
<p>However, if the experience in Europe is anything to go by, compliance costs for data protection legislation are high. 
A <a href="https://techmonitor.ai/policy/privacy-and-data-protection/gdpr-cost-businesses-8-of-their-profits-according-to-a-new-estimate">2022 report</a> suggests that compliance with the Global Data Protection Regulation (GDPR), the European data protection legislation, cost companies an 8.1 per cent drop in profits, and that most of the drop in profits was a result of increased compliance costs.</p>
<p>The European experience also suggests that bigger and more successful companies have the upper hand in compliance, because they already have in place the skills and resources to implement data protection legislation. This means that smaller, newer companies spent a disproportionately large amount on compliance.</p>
<p>It is, of course, possible that compliance costs in India will not be as high as those in Europe. Indian companies are no strangers to complicated compliances: <a href="https://www.moneycontrol.com/news/business/indian-companies-continue-to-pay-a-high-cost-for-compliance-report-says-5521041.html">reports suggest that the average Indian firm must meet over 25,000 central compliances alone (with the number approaching 70,000 if it operates in all states)</a> to operate in India. However, introducing a new set of compliance obligations may add to the already-onerous compliance requirements that Indian companies are straining under, and disadvantage smaller companies.</p>
<p><strong>Privacy as a ruse</strong></p>
<p>The Bill may bolster companies’ ability to use privacy as a ruse to benefit themselves and eliminate competition in certain types of markets.</p>
<p>The Bill’s prioritisation of user consent could be weaponised. Take for example the use of data in providing personalised advertisements. Companies that have access to vast troves of consumer data, which enables them to provide targeted advertisements that benefit consumers, may make it more difficult for their competitors to access data.</p>
<p>They can do this in many ways. 
One way is to restrict competitors’ access to data by citing reasons of user consent and privacy, while reserving the use of the same data for themselves. <a href="https://digiday.com/marketing/apples-att-power-play-the-hard-truths-of-throttled-competition-and-concentrated-leverage/">This is in fact what Apple does</a>: it requires competitors who offer apps on its iOS system to show a prompt to consumers, seeking their consent to use personal data. Apple positions this as a move that safeguards user privacy. At first blush, this seems like a compelling argument. What Apple doesn’t reveal is that it does not display the same prompt to consumers for its apps.</p>
<p>Of course, it is possible for companies to adopt this strategy even in the absence of a data protection law. However, with the emergence of this law, it becomes all the more important to ensure that companies don’t rely on privacy/data protection frameworks to justify moves that are designed to only benefit themselves.</p>
<p><strong>Looking ahead</strong></p>
<p>India is on the cusp of change. In the last year alone, the government has taken many measures to ensure that the digital economy — including smaller Indian players — continues to thrive, and that competition between players is encouraged.</p>
<p>In the coming days, as the Bill receives further attention and is debated, it is essential to ensure that the various laws are complementary and that new laws do not widen the chasm between players of different sizes and strengths, but allow for fair and contestable markets.</p>
<p><em>(Rahul Rai is Partner, and Shivanghi Sukumar is Counsel, Axiom5 Law Chambers.)</em></p>
<p><em>Disclaimer: The views expressed above are the authors' own. They do not necessarily reflect the views of DH.</em></p>