With Indians relying more and more on technology, how important is it to safeguard personal information and ensure responsible data handling? Are businesses transparent about the way they collect and process data? Do users truly understand how their data is used, stored and shared? Do they understand the privacy policies, and how accessible are those policies? What does it take for these businesses to comply with data protection regulations?
The Digital Personal Data Protection Act 2023 was passed in 2023 and focuses on the processing of digital personal data in India. What would be the Bill’s role in the structure of tech regulations in India? Some say that India lacks comprehensive legislation for addressing data protection; could this Bill address the issue? Can it safeguard the use of personal data, while establishing the rights and duties of users and businesses? Can the Bill be a game-changer in the world of data protection and privacy? Could it be ready for the evolving digital landscape of India?
According to Arun S Prabhu, Partner at Cyril Amarchand Mangaldas, “Policies, like the GDPR, are seen as extremely restrictive, when it comes to freedom of growth and how businesses operate & when it comes to balancing a free use of data and the protection of individual rights, it may have been a bit too heavy on one side. On the flip side, there are laissez-faire regimes that aren’t sustainable, because it leads to a loss of trust amongst users. If there are actions that are sufficiently intrusive or problematic in relation to data, users stop being comfortable with the product or service”.
Prabhu remarks, “In India, with the previous regime, as a data economy where there were rules to punish violations rather than prevent breaches, protection seemed to be only for a narrow set of information and enforcement seemed to be non-existent. Compared to that, the DPDP is a whole new world that creates a sense of simple, enforceable and transparent information rights, giving data principals the ability to enforce. The Bill carries a big stick and it’s not a slap on the wrist; there are fines going up to a material number. The combination of a large series of granular data subject rights and an effective enforcement mechanism would be a new dawn for data protection in India”.
And what could this mean for businesses?
Prabhu states, “If this Bill gets fructified, businesses in India would have to fundamentally rethink what they do with data. Prior to this, the approach to data has been that it’s good, it ought to be held on forever and as much of it should be collected in an appallingly insecure manner. Fundamentally, the DPDP Bill would force people to rethink whether data is an asset or a source of potential liability… In India, e-commerce businesses need to be mindful of a couple of principles. The first is the concept of purpose limitation, whereby if data is collected for a certain purpose, it has to be for that purpose or for something reasonably or ancillarily related to that purpose; it cannot be bundled. The second is storage limitation, whereby data is stored for as long as it is necessary and it must not be held on to perpetually. With these principles, the waters can be navigated fundamentally well. Yet, data-heavy businesses would be under a lot of scrutiny”.
And what could this mean for consent?
“Traditionally, in India, according to market practices, it was a zero-sum game, where if a person wanted a service, they had to accept a dense, long and incomprehensible privacy notice and some businesses didn’t even have an ‘opt-out’ option. Now, there’s a very high standard of transparency and comprehensibility being put on businesses in order to get consent from the average citizen. That doesn’t mean privacy sentences are going to be one-sentence long. There will still be complexity… But, now, there’s a legal requirement to make it understandable to everyone and if something is deemed to be convoluted or complex, one could say that the consent given was not valid. There’s, also, a new intermediary in the form of a consent manager to signify consent in relation to data. For instance, a consent manager would be able to provide consent for a person’s healthcare information for emergency medical care, but not for any other purposes. Another instance is if a person is receiving a lot of calls from insurance companies, they could go to their consent manager and disallow their contact information from being used to offer insurance or marketing services. So, this framework has a lot of power and if implemented properly, it would be quite disruptive in terms of preventing consent fatigue and empowering people to control their own data”, declares Prabhu.