The Digital Personal Data Protection Bill - that has been listed as one of the items for discussion in the Monsoon Session of Parliament - will, if enacted, be a significant first step in the journey to a functional privacy regime. But there is still a lot to be done, including issuing regulations and establishing the Data Protection Board.
This is a link-enhanced version of an article that first appeared in the Mint. You can read the original here.
It’s now been over a decade that I’ve been waiting for a data protection law. Over that time, I have on numerous occasions (and with misplaced enthusiasm) assured colleagues around the world that a law was imminent. Each time, I’ve had to sheepishly eat my words when the then-current draft was either re-written or withdrawn—to the point where this has become a standing joke in the international round-tables and conferences that I attend.
And yet, when I heard that the Digital Personal Data Protection Bill has been listed as one of the items of business to be taken up in the 12th Session of the 17th Lok Sabha commencing later this week, I couldn’t help feeling more hopeful than I have at any previous time in the past 10 years.
Waiting for a Decade
The very first draft of a data protection law I worked on was in 2012 when the government was looking to establish a privacy framework to support the Aadhaar identity project. That draft did not, for various reasons, make it to Parliament, but several of the concepts contained within it got incorporated directly into the Unique Identification Authority of India Act. This contributed in no small measure to that law eventually being upheld by the Supreme Court when it was challenged on the grounds of violation of privacy.
During that very case, the government assured the court that it would enact a data protection law. To that end, it appointed Justice B.N. Srikrishna to prepare a report on what such a law should look like. I, along with many others in the tech policy community, participated in the wide-ranging discussions that ensued, sharing views on what an Indian data protection regime ought to contain. Throughout this period, there was a healthy diversity of views across a range of participants, but the one thing we all agreed on was that we could no longer do without a law. India’s digital footprint was already as deep as it was wide, and, as a result, Indians were generating data so rapidly that we could no longer afford to muddle along without one.
Simple
Over the years, I have, through the articles in this column, shared my views on what needs to be included in a modern data protection framework, and what should not. I’ve consistently argued against a complex, compliance-heavy regime like the EU’s GDPR, preferring instead simple principles-based regulation that clearly describes the boundaries within which data businesses need to operate, while still remaining agile enough to respond to evolution in technology.
This is why I grew increasingly concerned with each new draft of the law that was released in the public domain, first by the Srikrishna committee, then by the ministry of information technology and finally by the Joint Parliamentary Committee. Not only were the frameworks being proposed too complex for a country that had neither the experience nor the institutional wherewithal to effectively operationalise them, they imposed on businesses a compliance burden that was so heavy that it would cost them dearly.
Withdrawn
When I first heard that the government had decided to withdraw the law it had worked on for four years and replace it with a new, simpler draft, my initial reaction was of mild disbelief. Legislators, in my experience, rarely opt for simplicity, fearing that if they do so, they may inadvertently create loopholes through which regulated entities can escape. Up until then, despite assurances to the contrary, every successive draft of the privacy law had been more complex than the one before it—to the point that the different iterations had caused it to unravel and become internally inconsistent. Even so, nothing in my personal experience led me to believe that the new draft would be any simpler than the ones that preceded it.
When it was finally released for public consultation, I was pleasantly surprised. For the most part, the draft Digital Personal Data Protection Bill was pretty much what we had been promised—simple, principles-based and generally appropriate for our current stage of maturity. Most businesses I spoke with confirmed that, if passed as is, they would have no problem complying with the obligations it imposed after a reasonably short transition period.
To be clear, there were things we would have liked to see changed—clauses that needed to be tweaked and others I would have liked removed. I had an opportunity to engage in the consultations that followed and found the government not just willing to hear our points of view, but keen to understand what impact the text of the draft would have on implementation of the law.
Democratic Consultation
In a truly democratic process, it is impossible for everyone’s suggestions to be incorporated, especially when they come from different perspectives. I know that is probably the case for several of my suggestions, but I know that where there exists a multiplicity of views, it is only possible for one to be reflected. All that matters to me is that the process was fair, thoughtful and open.
I am keen to see what the final draft of the bill sets out, and, barring unexpected surprises, hope it gets the votes needed to enact it into law. Because, as momentous as that will be, this is just the first step. Once the law comes into force, we still have to issue regulations, put in place the Data Protection Board, and do a whole host of things that need to be done in order to have a functional privacy regime in the country.
The next few months are going to be busy. And I just can’t wait.