India's Data Protection Law: What To Watch Out For

The passage of the Digital Personal Data Protection Bill (DPDP), 2023 by the Rajya Sabha on August 9, 2023, marked a significant milestone in a journey that began nearly a decade ago. As expected, this development has triggered a range of reactions from various quarters. The primary objective of this legislation, as stated by the government, is to strike a delicate balance between safeguarding personal data and facilitating its lawful use to encourage innovation and stimulate economic growth. However, a critical examination reveals that the government has largely exempted itself from the provisions of the law, both in letter and spirit.

The Act explicitly excludes the state from its scope when it comes to matters relating to the “security of the state, maintenance of public order, or preventing incitement to any cognizable offense.” This leaves room for the state to potentially invoke national security to justify its actions. This echoes past instances, such as when former U.S. President Donald Trump controversially invoked national security to justify steel tariff increases, disregarding international trade agreements.

Furthermore, the Act empowers the central government to designate Significant Data Fiduciaries (SDFs) and impose various obligations on them, including periodic audits and data protection impact assessments. In making such designations, the government takes into account factors like the volume and sensitivity of personal data processed, risks to the rights of data principals, potential impacts on India's sovereignty and integrity, and risks to electoral democracy and public order.

The Act also mandates the establishment of a Data Protection Board (DPB) with quasi-judicial powers, entirely appointed by the central government. The Act's language leaves no room for ambiguity, and its spirit reinforces its provisions. It is likely that SDFs will be entities with significant market power, potentially able to misuse their dominance. While competition policy relies heavily on analysis of significant market power, notifying entities with such power should ideally be the prerogative of a specialized regulator with the necessary expertise. Competition law in India primarily operates in an ex-post manner, intervening after market distortion has occurred.

The government's intent to establish ex ante rules to control the power of influential platforms is evident through this legislation. While this may be a legitimate aim, the responsibility should ideally rest with the DPB. In practice, it might still be delegated to the DPB, but the question arises as to why governments should be involved in designating SDFs in the first place.

Well-designed ex ante regulations can serve two crucial purposes: firstly, recognising and potentially limiting the potential harm that digital giants can cause, and secondly, ensuring that onerous obligations do not create high entry barriers for startups looking to disrupt these giants, following the principles of Joseph Schumpeter's creative destruction. Many other jurisdictions, like the proposed American Data Privacy and Protection Act (ADPA) and the EU's Digital Services Act (DSA), are also incorporating ex ante obligations on identified entities.

However, the Indian approach is not without its challenges. The inclusion of vague qualitative parameters like “risk to electoral democracy” and “public order” may introduce imprecision into the designation process due to the lack of objective criteria or tangible metrics. Additionally, making determinations based on market analysis requires specialized skills and subject matter expertise that the government may lack. By limiting the DPB's term to two years, with the possibility of extension, members may serve at the government's discretion, potentially creating perverse incentives. The Act also grants the government the power to exempt private entities from additional obligations imposed on SDFs, raising concerns about arbitrariness and regulatory inconsistency.

Another curious aspect of the law is designating the Telecom Dispute Settlement and Appellate Tribunal (TDSAT) as the appellate tribunal for the DPB. TDSAT was originally established to hear appeals against orders of the Telecom Regulatory Authority of India (TRAI). However, data governance extends far beyond telecommunications and is arguably more complex. Repurposing an existing institution to handle complex questions posed by emerging technology is a bold experiment. If the government is genuinely committed to effective data governance, it should consider delegating this responsibility, both in theory and practice.

While the Digital Personal Data Protection Act aims to strike a balance between data protection and innovation, it raises important questions and challenges. The involvement of the government in designating significant data fiduciaries, the use of qualitative parameters, and the limited term of the Data Protection Board all warrant scrutiny. The Act's success in achieving its goals will depend on its implementation and adaptability to the rapidly evolving digital landscape.