The new age of data protection in India
For more than two decades of the internet, India has moved at breakneck speed to go digital. But we have made this journey without the compass of a data protection law, resulting in a state of zero control over our own personal data. Business practices are deeply entrenched in what are soon to be non-compliant activities. With the Digital Personal Data Protection (DPDP) Act, a lot is about to change and a lot must be done to comply.
Personal data is now locked and Consent is the key.
There's a palpable sense of unpreparedness among Indian businesses, and the rumblings of this upheaval seem like distant echoes rather than an urgent call to action.
Part 1 of this series is an explainer that breaks down the key provisions of the DPDP Act and considers the pressing compliance implications for businesses.
In this article (Part 2), we will trace the lineage of data regulation in India to unpack the full weight of this groundbreaking statute. Businesses will encounter a sharp revelation: the frailty of the previous regulatory framework, which was practically non-existent. This will illuminate the path ahead and better prepare us for the new age of data protection.
Data "Protection" under the old regime
In the digital age, user data is the new oil. We have UPI, KYC, Aadhaar and other solutions built on digital public infrastructure. Data is at the centre of critical processes, from government welfare schemes like the Jan Dhan Yojana to marketing and digital lending in the private sector. Today, more than 60% of business is transacted online.
Who oversees this burgeoning digital landscape? Until now, there was no law or authority to regulate personal data and privacy in India. As a result, user data has been available at little cost and no liability.
Currently, data protection and privacy fall under the authority of the Ministry of Electronics and Information Technology (MeitY). However, MeitY does not exercise any real authority over personal data and did not even exist as a ministry until 2016. Ever wonder why you keep getting promotional calls and emails despite not remembering ever signing up or giving any consent? It is because there was no law effectively keeping it in check.
Before MeitY was a ministry, it was a department under the larger Ministry of Telecom, where the Department of Telecommunications (DoT) had power over data. The DoT's licence agreement talks about privacy and confidentiality. The DoT regulates internet calling and messaging apps like WhatsApp. So how did the DoT regulate data?
There was no law or authority on personal data
There was only a patchwork of law that was not even enforced.
TRAI Regulations
The menace of unsolicited telemarketing was being addressed through Telecom Regulatory Authority of India (TRAI) regulations of 2007 and 2018, both of which saw little success. The DoT maintained a ledger of mobile subscribers who had opted not to be contacted for promotional purposes. Telemarketers used this very list to contact users against their consent. The penalty for non-compliance was cancellation of mobile subscriptions, which telemarketers easily overcame by simply getting new ones. Note that the legal obligation was on the telecom service providers (TSPs) and not on the businesses actually making the calls. TSPs were happy to cancel subscriptions and sell more as a result.
As we saw in Part 1, the Digital Personal Data Protection Act completely does away with this futile approach and holds the businesses themselves liable for violating user consent. The penalties range up to 250 Crore Rupees. This is one of the many stark differences between the old and new regimes.
IT Act 2000 and IT Rules 2011
With the Information Technology Act 2000 ("IT Act"), the state's focus was on digital signatures, providing legal recognition for electronic documents and the like, as per India's WIPO obligations. Personal data, protection, privacy and consent were not even afterthoughts. A decade later, the government came out with rules on reasonable security practices and sensitive personal data or information. But these rules were not meant to protect all personal data, as they only covered data like passwords, financial information, health, sexual orientation, biometric records etc.
Further, there was a low penalty of up to 5 lakhs for sharing sensitive personal data without consent, but even that required proof of wrongful intent. Data routinely used by corporations, such as name, phone number, email and online activity, was left out of the ambit entirely.
The failure of these regulatory moves is not surprising.
These laws were aimed at providing greater control to the government and ensuring data protection for information security (infosec) purposes. Even the data localisation rules notified by the RBI and MeitY were meant to prevent data leakage to China, not to protect individual choice. Data rights, control over processing, obligations of companies and user consent were never in the data regulation conversation to begin with.
So MeitY was late to the party and was given no real power under the IT Act and Rules. The DoT had more power, but not nearly enough to curb even the telemarketing problem, let alone data protection and privacy at large. Both bodies operated within a patchwork of law that only mentioned consent but did not practically protect data at all. The cost of data was low and the returns were high.
This weak legal regime allowed Indian businesses to become entrenched in practices widely non-compliant with the DPDP Act.
Aadhaar and the first echoes of Data Protection
Like the DPDP Act, Aadhaar was a game changer when it was first introduced. Aadhaar data includes your name, number, address, photo, biometric information and date of birth. When Aadhaar is linked to your bank account, even your financial information is at risk. One ID can authenticate everything online for a negligible price. With the combined powers of Aadhaar, KYC, UPI, electronic signatures and other technologies, businesses rapidly scaled in the digital realm. But with this great convenience also came great risk.
Time and again, Aadhaar data and other personal data of Indian citizens have been leaked. This is due to dated state IT infrastructure that falls easy prey to opportunistic attackers. These concerns related to Aadhaar led to the Supreme Court's privacy judgment. On the court's directions, the government formed a special committee headed by former Justice B.N. Srikrishna to report on a new data protection regime. The committee went back and forth with Parliament over different drafts, and ultimately the Digital Personal Data Protection Bill was approved by both houses of Parliament and received the President's assent. On 11 August 2023, the Digital Personal Data Protection Act became law.
In the long interval since Aadhaar and the privacy judgment, people moved on and business continued as usual. Now that the DPDP Act is here, businesses will need to break this continuity and realign their practices to the new norm of consent.
Focus shifts from InfoSec to real Data Protection
Foreign companies, and multinational corporations (MNCs) in particular, have been tussling with data protection laws like the GDPR and CCPA for a long time now. They could no longer operate with a free hand because of robust regulatory frameworks around data protection and user consent. Their practices have evolved to attain compliance at many levels. The DPDP Act is India's GDPR or CCPA moment, and similar seismic changes are expected for businesses of all types. MNCs will be given a smaller window for compliance but will have an easier time, as they have mostly adapted to the more extensive obligations under the GDPR and CCPA. For Indian businesses, it is a new game altogether, and there may not be a long window for achieving compliance.
The law before the DPDP Act was concerned with information security, not data protection or data rights. Under infosec frameworks, user data is still treated as the property of the business, which protects it for its own sake. With the DPDP Act, ownership, control and everything in between are assigned to the individual. Individuals own their data, and businesses owe them a legal obligation not to use it without consent.
This is how the Digital Personal Data Protection Act changes the game!
Putting the onus of Data Protection on businesses
While consent is king, there are notable exceptions, especially for government functions. It is typical for the state to create a law and at the same time create an exception allowing it to bypass that law completely. Businesses will not have this advantage and are liable to pay hefty fines to the government if even a single obligation is breached. The government also has the power to classify a business as a Significant Data Fiduciary (SDF) and demand higher compliance standards. Many industries will be impacted: banks, NBFCs, insurers, telemarketers, e-commerce, SMEs, healthcare and many more.
Under the DPDP regime, data fiduciaries cannot simply pass the buck to data processors through indemnity clauses. The onus is on them to ensure compliance at every stage, necessitating proactive measures. A lot of Indian businesses are interconnected in a complex network of vendor relationships, such as Zomato's intricate web of partnerships with restaurants and delivery services, or Flipkart's extensive array of sellers. Zomato shares customer data with restaurants and payment gateways. If any one of these partners fails to handle data in accordance with the DPDP Act, it is Zomato that could face penalties, not just the offending party. Flipkart must now ensure each vendor in its network operates in compliance with the DPDP Act, which could involve auditing hundreds, if not thousands, of third-party vendors.
These networks, while operational marvels, have not been designed with data protection at their core. This interconnectedness means there isn't a unified system that monitors all the data that flows through the channels—where it comes from, where it's stored, and what happens to it along its journey. This poses a significant challenge because the DPDP Act demands a level of oversight that most companies are currently ill-equipped to provide. It's not just about having data; it's about knowing every grain of its lifecycle, an insight that many businesses lack due to the distributed nature of their operations.
Introducing Consent Managers
Reflecting on the GDPR's impact in Europe, we saw the emergence of the data discovery industry. European businesses scurried to understand and map their data in an effort to comply with GDPR requirements. These companies had to invest in technologies and processes to identify and classify the data they held, often leading to substantial operational overhauls. Most notable of these are the Consent Management Platforms (CMPs), which are also envisaged as Consent Managers under the Digital Personal Data Protection Act.
Consent Managers emerge as the custodians of consent, easing the task of managing user preferences for Data Fiduciaries. They act as registered intermediaries, ensuring that the complex process of consent collection, modification, and revocation is streamlined and documented.
For Indian businesses, achieving this degree of meticulous data mapping is a formidable task. Data fiduciaries are expected to exert an unprecedented level of control over, and knowledge of, their data, a stark contrast to the prior lax regulations. The game has changed dramatically and a lot must be done to catch up.