India's digital data protection law: The challenge ahead lies in implementation

After a long wait and multiple drafts, the Digital Personal Data Protection Bill, 2023, has been passed by both Houses of Parliament, giving India its first legislation regarding citizens’ online privacy. With its passage, the country now has guidelines around how an individual’s data can be used by private or government entities. 

This legislation is the culmination of years of effort by the government and industry to bring a standalone data protection law in India that aims to regulate all forms of personal data collected, processed and stored in the digital format, and it is also applicable to entities operating from outside India. It introduces key concepts such as Data Fiduciary and Data Principal, and emphasises the importance of obtaining the user’s consent to process their data. Manish Sehgal, Partner of Risk Advisory at Deloitte India, says that once notified, “the law will allow individuals (referred to as Data Principals) to govern their own personal digital data, and require enterprises (Data Fiduciaries) to process personal data of individuals in a lawful manner, for specific purposes only”. The formation of the Data Protection Board and the fact that it will be manned by professionals is also important.

However, once the legislation is notified, its implementation will be a challenge as the cost of compliance for businesses, especially small and medium enterprises, may increase substantially. The law also proposes penalties for non-compliance that can go up to `250 crore. Then there are the costs associated with complying with the provisions of the law that organisations would have to contend with. Further, implementing the technical measures required to protect users’ data could also be complex for some entities. This includes ensuring data security, data classification, managing consent and providing mechanisms for data portability and erasure. 

Amit Jaju, Senior Managing Director of Ankura Consulting Group (India), says that individuals may not be aware of their rights—like the onus of providing consent for their data do be collected and processed by Data Fiduciaries, and the details of what such consent entails—which could limit the law’s effectiveness, and businesses may not fully understand their obligations. “Businesses need to invest in new systems and processes, train employees and hire data protection officers. They will also need to manage consent on a large scale and comply with data localisation norms… The law’s effectiveness will also depend on the capacity of the Data Protection Authority to enforce its provisions,” he says.

In addition, the legislation includes provisions related to the storage and processing of personal data in India. These data localisation requirements could pose challenges for businesses that operate globally, or those that rely on cloud services based outside India. The law also enables the central government to exempt certain Data Fiduciaries, including start-ups, from the provisions of the legislation, and block public access to a given Data Fiduciary’s platform in certain circumstances. 

As technological advancement tends to move faster than regulation, the government now needs to ensure that the provisions of the law are implemented effectively. Jaspreet Bindra, Founder and MD of tech advisory Tech Whisperer Ltd, explains, “Take the case of generative AI. ChatGPT, Bard, etc., have already made similar laws and regulations obsolete or incomplete in parts of the world. The EU is scrambling to integrate this new technology into its regulatory framework, but by the time that comes out, the technology would have moved even further away.”   
     
@nidhisingal