By Akhilesh Tuteja
The much-talked-about Data Protection Bill 2019, which was withdrawn by the Government in the month of August 2022, is back with a new version. It would be unfair to call it a revision of the previous Bill, as it is largely rewritten and bears little resemblance to the earlier version.
The government has attempted to strike a good balance of providing protection to the citizens (Digital Nagrik) with respect to privacy of personal information while minimizing cost of compliance and undue friction in the way of doing business. Privacy has remained a hotly debated topic for decades. While the generally acceptable privacy principles remain unchallenged, the way these principles are implemented and enforced remains an area of unsettled debate.
In addition to the seven principles on which the government is building this regulation, I would add that the current Bill also seems to follow another principle—‘progress over perfection’.
The current draft significantly simplifies many aspects compared to what we saw in the earlier version or what we are used to seeing in many parts of the world. For example, eliminating the need to further classify certain types of personal data as sensitive personal data may take away the ability to provide granular control, but it significantly reduces the complexity, overhead, and risk of potential classification errors given the volume of digital data we process in our country. I work with a large number of Indian and global corporations, and the majority of the organizations struggle to keep their data classification current. While I am not suggesting a simple trade-off between privacy and cost of doing business, this approach can substantially reduce the cost of doing business without taking away the individual’s right to privacy.
The Bill also introduces the concept of deemed consent. It may appear as a dilution of the explicit consent principle; but it is a good enabler of efficiency and eliminates unnecessary friction in circumstances where the delayed explicit consent may not be desirable. However, such a provision also brings forward serious misuse potential and therefore, the circumstances under which deemed consent can be used must be minimised. I expect a shorter and tighter list of deemed consent criteria in the final Bill.
The Bill is forward-looking in many respects. The concept of right to nominate is an excellent framework in today’s digital economy. With the increase in digital assets and digitally controlled assets, this framework not only enables better management of personal information in the event of death or incapacity but also provides a direction for other regulations to follow.
The introduction of consent manager can have several positive outcomes. It is likely to give rise to newer business models and entities and will hopefully provide a relatively easier implementation ability to businesses, which may not be able to build internal capabilities and may benefit from standardized services provided by a consent manager.
Another significant change from the earlier version is the removal of criminal liabilities and introduction of graded financial penalties for non-compliance, which provides a more balanced approach for handling violations.
Being a father of an only daughter and a champion of inclusion, diversity & equity in KPMG in India, I couldn’t ignore that not only are the contents of the Bill forward-looking, but the tone and language are equally contemporary. The document avoids use of masculine pronouns like he/his/him and instead uses the feminine pronouns like she/her. This is an incredible departure from the traditional approach and must be celebrated.
An interesting dimension on the applicability is the concept of digital data. The Bill limits its applicability to digital data only. This is a novel concept and appears to be another aspect of progress over perfection. This one limiting factor substantially improves the practicability of implementation where the data remains in paper form throughout the life cycle of data processing. However, this appears to be an afterthought—the definition and a few scenarios included in the Bill need some improvement to fully embed the concept of digital data with reasonable clarity.
While the current Bill is progressive in many ways and I compliment the government for following a comprehensive consultation process, there are many aspects of the implementation that have been left to be notified through Rules subsequently. The impact (both positive and negative) of such a far-reaching regulation will only be known when it is implemented and the respective rules are prescribed and enforced.
I believe that in the fast-moving world of digitalisation, it is nearly impossible to develop perfect legislation. For a country like India with its socio-economic diversity, the current Bill is a step in the right direction.
The author is Head, Global Cyber Security Consulting Practice, KPMG
Disclaimer: Views expressed are personal and do not reflect the official position or policy of Financial Express Online.