Usually, innovation tends to lead regulation by miles, more so in the tech space. However, sometimes, that isn’t the case. This is one of those rare exceptions. After the landmark Supreme Court ruling enshrining Indians’ right to privacy, it was only a matter of time before regulation stepped up. And stepped up it has indeed, in the form of the Data Protection Bill. After nearly two years of the bill being in flux, a version was finally tabled. There’s still a process to be followed, such as cabinet clearance followed by introduction in the parliamentary houses, debates and eventually passage. But let’s dig in on why we should care.
The internet is complicated. Every click, every search, every action usually creates a data footprint. If that data includes, say, a form where you shared your name, age, identification, etc., the data you generated is your Personal Data, which contains Personally Identifiable Information (PII). PII is generally used to prove your identity and authenticate you, but when used maliciously it can lead to dangerous outcomes like identity theft, cybercrime and more. Non-Personal Data, on the other hand, contains things like anonymized datasets, aggregated data and other data points which do not contain any PII. The DP Bill proposes to regulate both Personal and Non-Personal Data via a single Data Protection Authority (DPA). Once the draft gets ratified as law, businesses and data fiduciaries will have a tentative two-year window to become compliant with the new law.
A fair bit has also changed in the latest iteration of the bill as opposed to the initial draft. A controversial change currently under discussion is the one regarding the government’s right to exempt government entities from certain provisions of the bill in certain circumstances. Dissenting notes were shared by quite a few members of the Joint Parliamentary Committee and not everyone is satisfied with the current exemptions. While I am not a lawyer, my initial reading does indeed indicate that this may be a valid cause for concern. Anyone running a data-driven business will have significant changes to navigate and the entire process will be disruptive, to say the least. We can already see how things are playing out in the payments space, with the card tokenization deadline around the corner and solutions being released right up until the end. To say that this approach will be workable with respect to the DP Bill is a little too optimistic. There are again plenty of changes in the latest draft, but legal firms that are focused on the data space are providing much better coverage from the legal perspective. More importantly, a discussion around data privacy and security is entering the mainstream, even if it is restricted to the urban tier 1/tier 2 city crowds. This is a significant shift and not something I would have considered possible just a couple of years ago. Equally, this is one of those rare pieces of legislation where the majority of our elected representatives across party lines are aligned on the need for data protection legislation and its broad outlines, dissenting voices and all.
But let’s dig in on what changes if you work in tech. Everyone, from social media to financial services to other sectors, will be impacted. The emphasis on data localization alone is a massive undertaking for most established businesses. Be prepared for backups, migrations, and modernization from legacy data stores. Robust consent mechanisms, especially when it comes to Personal Data, will also emerge. We already have the Account Aggregator for Financial Data and the Ayushman Bharat Digital Health Mission for Health Data following DEPA (Data Empowerment and Protection Architecture) guidelines, which implement a consent artefact that is compliant with the bill draft language. However, don’t be surprised if additional changes do emerge. Additionally, with consent comes purpose. Individuals will need to be clearly informed of the purpose for which their data is used. This loop of consent, purpose and enforcement of the same will come with its own set of challenges. On the bright side though, a lot of grey areas around data usage will get stamped out, and sectors that were previously neglected in favour of data-driven improvements for Ad-tech & user engagement will now get a decent boost.
Businesses and developers should start to adopt privacy by design principles as the default and minimize data collection and storage where possible. I can see a new Data Protection Officer role emerging in most enterprises fast. Individual rights such as the right to access, correct, delete, and port data will also need to be supported by businesses. This brings me to what I started with. In the privacy tech space in India, I have not seen startups and entrepreneurs go after this space in a meaningful way. The DP Bill will provide a massive tailwind for anyone who’s offering the right services. Many VCs now have a dedicated Privacy Tech arm and globally, with advancements in concepts like zero-knowledge, the right amalgam of ingredients to build incredible privacy tech startups exists. Various geographies already have their versions of DP laws in place, and while GDPR may be the most famous, places like South Africa and Nigeria also have robust data protection laws. Building in this space is truly a global opportunity and having regulation like the DP Bill is a step in the right direction for society.