Balle! Balle!

I am borrowing the above phrase — used in many Punjabi songs and widely popularized via Hindi cinema to depict happiness — to share the general state of mind of folks associated with privacy in India today.

On 11 Aug. 2023, 1.4 billion additional people on this planet came under the purview of a personal data protection law when India passed its much-awaited, many-years-in-the-making Digital Personal Data Protection Act. After its long gestation period, many didn’t expect the law's actual passage to happen so quickly.

In these notes, I thought I should distill some of the chatter surrounding the DPDPA, so readers get a sense of the general narrative.

Many lacunae and shortcomings have been identified, some of which are, indeed, worrisome. This includes clauses that give the government power to exempt departments from the DPDPA's purview and criticism that the Data Protection Board of India, established under the act, has no teeth, and is designed to be "under the government's thumb." Critics say many aspects of the law are broad, leaving uncertainty for organizations, among other concerns.

The DPDPA is being compared to the EU General Data Protection Regulation. With the GDPR considered the "gold standard" in most circles here, many have expressed disappointment the DPDPA does not live up to its standards. This comes as no surprise, though. Ministers and government officials have long stated that India is looking to forge its own path that works for the reality of the country.

Differing from the GDPR, the DPDPA has done away with data classification. The final version takes a U-turn from previous drafts that went down the path of "sensitive personal data" and "critical personal data." Instead, the act classifies organizations, with some to be considered "significant data fiduciaries" based on the privacy risks they present. Those classified as such will face additional obligations.

Also different from the GDPR, there are no complex cross-border rules. Another U-turn from earlier versions, the act keeps it simple: personal data can be freely transferred to any country, except those "blacklisted" by the government.

The DPDPA takes some innovative steps:

  • New terminology is used, like "data principal" and "data fiduciary" in lieu of the commonly used terms "data subject" and "data controller." This, in my view, is significant given that it puts the individual front and center as the "principal" whose data it is all about and accords a "fiduciary" status to data in the nature of how it is held by an organization.
  • Duties have been given to "data principals," signaling that while they are afforded rights, they have some responsibilities of their own, too — a balance of sorts, which is interesting.
  • Among the act's four rights, the "right to nominate" data is new, and is so needed in today's era where our lives are increasingly digital.
  • Extra protections for children are in the act, another positive aspect. This is probably the advantage of the law coming into force later than most.
  • The concept of a "consent manager" — an entity that can be an intermediary, of sorts, enabling "data principals" to manage their consents efficiently.

Questions around when the DPDPA will take effect are leading to speculation and confusion. The government has yet to provide formal notification on when aspects of the law will come into effect, given it allows for different clauses to take effect at different times. We will have to wait and watch.

Overall, despite the criticisms and issues, the DPDPA is a great start. Rome was not built in a day. India did not win its independence in a day. To expect everything to be crystal clear in one stroke is being a tad idealistic.

To quote one of my favorite women, Maya Angelou:

"Do the best you can until you know better. Then, when you know better, do better."

So, as we privacy folks roll up our sleeves and get busy getting India up the privacy curve, here is to exciting and interesting times ahead.