The world is drowning in spam calls, and India is no exception.
With spam calls from fake bank employees and insurance agents, we wonder, “How did they get my data?” But we often just move on, mainly for two reasons: consumers are not aware of their individual rights, and the businesses that collect and share personal data are not held accountable. So, it’s pretty safe to say that India’s new data protection law couldn’t have come at a better time.
India’s most recent stride in personal data protection comes in the form of the Digital Personal Data Protection (DPDP) Act, 2023, which received approval from the Rajya Sabha (the upper house of the Parliament) on August 4, 2023.
This development follows numerous iterations, a response to the growing demand for better data oversight and privacy safeguards. This legislative milestone sets the stage for how personal data is collected, used, and stored, giving individuals authority over their own data, so they can dictate how it will be used.
Even though the DPDP Act arrived at a time of exponential digital growth in India, it’s not flawless and criticisms run rampant. It’s far from being as strong as the data protection laws of other countries, such as Europe’s General Data Protection Regulation (GDPR), which is considered one of the best laws for data privacy.
Let’s dissect the hype and simplify some of the important parts of the act. We’ll also discuss what India could have done better—a few points for the next iteration, if you will.
What is personal data under the new law?
First things first, what exactly does personal data mean now?
The new law defines personal data as “personal data in digital form,” including name, address, phone number, email address, gender, date of birth, physical characteristics (such as height, weight, and eye color), location data, IP address, social media handles, employment status, and criminal history.
A key feature of the DPDP Act is that it recognizes certain data as highly sensitive, such as an individual’s sexual orientation, genetic data, biometric data, and health information, and requires stricter protection for it.
Under the new law, any entity collecting such data should provide a detailed invoice to the user. This invoice should include a description of the personal data they intend to collect and how it will be processed.
What new regulations will businesses need to comply with?
The DPDP Act sets out a number of rules for how businesses can process personal data. These rules are:
Businesses must obtain explicit consent from individuals to process their personal data.
Businesses must adopt appropriate measures against unauthorized access, misuse, alteration, and deletion of personal data.
Businesses must comply with the rights of individuals to restrict, object to, and withdraw consent to the processing of their personal data.
The new law establishes the Data Protection Board (DPB) to oversee compliance. The DPB is granted the power to investigate complaints, issue compliance notices, and impose penalties for violations of the law.
Whether it’s a big corporation or a startup, the DPDP Act applies to every business and every individual who handles personal data within Indian borders. Compliance offers businesses numerous benefits, such as:
Indian companies that comply with the DPDP Act can attract more customers and drive increased sales, which in turn places more data in their hands. This data can then be harnessed to uncover fresh avenues for customer insights, personalized marketing, and product development—all while upholding stringent privacy and security standards. This approach can potentially spark the creation of entirely novel products or services based on customer needs.
Fostering cybersecurity initiatives
The DPDP Act serves as a catalyst for strengthening India’s cybersecurity infrastructure. It creates a secure digital environment for businesses and individuals alike while paving the way for India to become a leader in cybersecurity. This can lead to the development of homegrown cybersecurity solutions, fostering a dynamic and competitive cybersecurity industry within India.
Better reputation, investment, and innovation
As India aligns its data protection standards with global best practices, companies can more readily compete in international markets. Businesses that can demonstrate a strong commitment to data privacy and security are likely to be more attractive to global partners and customers.
What criticism has the act received?
Some believe that the law is too complex or burdensome to comply with for small or medium businesses. Others argue that the law places a lot of power in the hands of the government, which opens new avenues for its misuse.
The law is too complex and burdensome for businesses to comply with
The DPDP Act is a complex law, making it difficult for small businesses to understand and comply with. Organizations might be fined heavily due to the ambiguity around some clauses (discussed further down).
The law does not go far enough in protecting the privacy of individuals
The act allows businesses to process personal data in certain limited circumstances if it is covered in the contract of the business and if it is necessary to provide the promised features of the business. Critics argue that this could lead to businesses overstepping their bounds and processing personal data without adequate justification.
The law gives too much power to the government
The act places the power to appoint the members of the DPB in the hands of the Central Government. Furthermore, the law gives the government the power to access personal data without a warrant in certain circumstances. This has raised concerns that the DPB could be misused by the government to track certain individuals of personal or political interest.
The law might stifle innovation in the digital economy
While the new law may attract new investment in products and solutions, the other side of the debate argues that the DPDP Act will stifle innovation in the digital economy. The new law’s requirements for consent and data protection could make it more difficult for businesses to market their products at the scale they are used to.
How does the DPDP Act stack up to other regulations like the GDPR?
Despite drawing from the GDPR, there are a lot of places where the Indian data protection law falls short. For example, the GDPR covers everyone who resides in the EU, businesses operating in the EU, and any business operating inside or outside the region that keeps track of the data of EU individuals. The DPDP Act only applies to organizations working in India with the data of Indian residents and contains a few weak clauses around cross-border transfers of Indian data.
Unlike the GDPR, which requires clear permission from individuals for the use of their data, the DPDP Act lets companies use personal data without permission in a wider range of circumstances. This makes the rights of Indian residents weaker compared to those who are covered under the GDPR. Lastly, the GDPR can fine non-compliant organizations up to €20 million or 4% of their yearly global income, whichever is more. In contrast, the DPDP limits fines to ₹5 crore (about $670,000), which might not be significant for big corporations, reducing their fear of consequences.
A missed opportunity
Some of the terms used in the act are ambiguous and confusing, which could lead to different interpretations and levels of protection for individuals’ personal data.
One such term is “certain legitimate uses.” This term is not defined in the act, and it is unclear what constitutes a “legitimate use” of personal data. This could result in data fiduciaries adopting different levels of protection for specific use cases.
The act also requires data fiduciaries to take “appropriate” technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. However, it does not specify what constitutes appropriate security measures.
Finally, the act requires data fiduciaries to be “accountable” for their compliance with the new law. However, it does not specify how data fiduciaries should demonstrate their accountability, which could make it difficult for individuals to hold data fiduciaries accountable for data breaches or other violations.
Ending on a brighter note
The DPDP Act is a complex law with the potential to offer a number of benefits to individuals and businesses. Organizations rooted in IT management, artificial intelligence, IoT, robotic process automation, and Web 3.0 deal with a ton of personal data, and this act will promote innovation and ensure ethical handling of data.
Businesses should start preparing for compliance by investing in security and asset management software, hiring data protection experts, and developing a compliance plan. The easiest way to begin is to use, or partner with, software providers that already comply with the law, and to do so as soon as possible.
The DPDP Act is a major step forward for data protection in India and is a welcome move by Indian residents, especially in the age of rampant cybersecurity attacks and data misuse.