The Digital Personal Data Protection Act, 2023 is not perfect. There are many things I would have liked to change. But it has been enacted and it is the law we’ve been given. It is time to stop the hand-wringing and get on with working with what we have.
This is a link-enhanced version of an article that first appeared in the Mint. You can read the original here.
In the end, it was all over almost before it started. Within a week, India’s Digital Personal Data Protection Act, 2023, went from being presented before the Lok Sabha to being passed by both Houses of Parliament, receiving a Presidential assent and being notified in the Official Gazette. Having tried to visualise what this moment might be like for over a decade, now that we have a data protection regime, it feels almost anti-climactic.
Long History
I have written frequently about the need for a data protection law in India, and, when the process started, have chronicled in these pages the fits and starts that have characterised our journey to this point. At times, I have expressed my exasperation with the meandering path we have taken to get here, often complaining bitterly about what I believed were fatal flaws in our approach.
Most notably, I have bemoaned the long, and ultimately futile, detour we took down the path of data localisation and the classification of critical personal data, just as I have agonised about the unintentional harms that I believe will inevitably result from obdurately insisting on parental consent for everyone up to the age of 18. While the law as enacted has all but dropped the notion of data localisation and critical personal data, the age of consent remains 18, and I worry that we may live to regret that.
To be completely fair, I have, at the same time, taken pains to commend the government on the many new regulatory innovations that various drafts have introduced along the way—from concept of a data trust score in the 2018 draft to the introduction of regulatory sandboxes in 2021 and the notion that transgressions might be forgiven based on a voluntary undertaking to comply that was introduced in 2022. Unfortunately, while neither the notion of a data trust score nor the idea that regulatory sandboxes could inform future policy directions have survived in the final law, I am curious to see how the concept of a voluntary undertaking fares and whether, if successful, we will see it proliferate through other statutes.
Tech Policy Community
One of the unintended but utterly delightful side-effects of having had to wait so long for the law to become a reality has been the emergence of an active, articulate and well-connected technology policy community whose numbers have grown steadily over the years. This community discusses policy developments across all aspects of technology, content and telecommunication in WhatsApp and Signal groups—as well as at in-person events—where they share news and viewpoints on various developments. Much of the public writing on tech policy in the country (mine included) owes a lot to discussions within these groups.
As is often the case in truly diverse groups, viewpoints vary widely across different members. As a result, there have been times when arguments have become somewhat heated. On more than one occasion, moderators have had to intervene to prevent an argument from degenerating into ad hominem attacks—which, in one extreme instance, resulted in some members forking themselves off into an entirely different group.
I have always believed that strong opinions can only be formed in the crucible of vigorous debate. Which is why, despite this unpleasantness, I’ve preferred to remain a part of these groups—even if my views were only ever shared by a small minority.
Pessimism and Petulance
But, as accustomed as I am to the cynicism that infuses these circles—particularly in relation to motivations of the government— I’ve been somewhat surprised by the unrelenting pessimism that has followed the coming into effect of India’s new data protection law. Even though virtually everyone followed, with undisguised excitement, the passage of the law as it unfolded live on Sansad TV, few, if any, of the op-ed pieces I have read over the past week have had anything good to say about the enactment.
Many dismissed it outright, claiming that it is nothing more than a wholesale attack on individual rights. Others have raised fears of a far more insidious hollowing out of the way in which our society is ordered. Some commentators have focused their criticisms on the exemptions provided to the government and the power they have retained unto themselves to prescribe new obligations through regulation, while still others have complained about the simplicity in language that I had always believed was its defining virtue.
As I read these negative articles, I could not help but feel a bit disappointed by this petulant response. It was as if the tech policy community had created a vision of what an ideal data protection law ought to look like, and since the draft we got did not concur with that vision of perfection, took it as a kind of personal affront.
We need to recognise that policymaking is messy business. Laws have to accommodate diverse views of disparate constituencies, many of whom often sit at opposite ends of the ideological spectrum. As much as we, in our armchair confabulations, may have had a vision of what an ‘ideal’ statute should look like, legislators have to sacrifice this perfection in order to accommodate contradictory viewpoints—and we cannot hold it against them if, in the process, our own views were not considered.
Now that it has been passed, this is the law we’re going to have to deal with. And no amount of hand-wringing is going to change that fact. Rather than bemoan what might have been, we need focus on all that needs to be done now.