A Blueprint For Implementing India’s Personal Data Protection Law

The urgent question that arises is: What happens after our new data protection law is passed?

A stream of binary coding is seen displayed on a laptop computer screen as a man works to enter data on the  keyboard. (Photographer: Chris Ratcliffe/Bloomberg)

Information from individuals is often stated to be the fuel that will power our new digital economy. As India powers into the information age, a key issue facing policymakers is the regulation of the use of this personal information.

India is proposing a “Fourth Way” to regulate personal data, distinct from the approaches of the United States, European Union, and China, through our draft Personal Data Protection Bill, which was released last year after a public consultation process. The Minister for Electronics and Information Technology has expressed the Government’s intention to table the Bill in the upcoming Winter session of Parliament.

In the clamour around a handful of contentious issues (like data localisation) in the text of the Bill, many have failed to grasp that some of the most important aspects of the Bill have been left to be specified through future regulations from the central government or the proposed Data Protection Authority.

These issues require deeper consideration and a wider public conversation if we want to avoid ad-hoc release of regulations that could compromise users’ protections and disrupt the digital economy. We need to begin a focused national conversation around the regulation and institutional structures that will come alive after the Bill is passed.

Role Of Central Government And Future Data Protection Authority

While the Bill sets out the core principles and substantive provisions of the new data protection regime, much of the power to make regulations fleshing out how these requirements will actually be implemented will fall to the central government and the future regulator (the DPA). The delegation of these rule-making powers—also called “subordinate legislation”—is a common practice aimed at enabling more responsive rule-making by authorities, so that the law can evolve alongside developments in society.

If all laws could only be made by Parliament, this would slow down the law’s responsiveness to changes in the environment.

For instance, the Bill specifies that it will not apply to anonymised data. It also sets out a definition for anonymisation. To make this meaningful for companies and incentivise anonymisation, the future DPA will need to release detailed technical standards, regulations, and guidance on anonymisation to implement the vision of the Bill. This is just one example of many regulations that will be needed to effectively implement the Bill.

Analysis in our recent policy brief reveals at least 82 action points for Central Government and the DPA after the Bill is passed to give effect to its provisions.

The urgency is heightened since most of this activity needs to take place in the 30 months after the Bill is passed.

Timelines Under The Bill

The Bill already envisions clear milestones for its implementation.

First, the central government must identify a date (called the ‘Notified Date’) within 12 months of the Bill being passed, on which certain transitional provisions come into effect. These transitional provisions enable the setting up of a new Data Protection Authority and give the central government and the DPA powers to make subordinate legislation.

Second, the central government must establish the DPA and overarching rules to allow it to perform its functions within three months from the Notified Date.

Following this, the DPA must issue regulation on the scope and limitations of the Bill, grounds of processing personal data, service provider obligations, consumer rights, and regulatory tools. The Bill requires the DPA to complete all this within 12 months from the Notified Date.

Finally, the Bill states that all the other provisions will automatically come into effect within 18 months from the Notified Date.

Going by these timelines, a vast amount of regulation on various aspects of data protection will be made within a maximum of two and a half years from the date of the enactment of the Bill. Although these timelines serve as milestones for authorities, they do not provide a systematic framework to prioritise the release of subordinate legislation.

In the absence of a systematic approach, there is a risk of ad-hoc passage of rules that could severely disrupt the digital economy and create gaps in consumer protection.

Need For A Systematic Implementation Blueprint

There is a pressing need for a blueprint to guide coordination between the central government and the DPA on the release of subordinate legislation, so as to foster consumer protection and regulatory certainty. In our policy brief, after mapping the action points required to implement the Bill, we ordered these against two objectives:

  • user protection, and
  • the practical clarity required for entities to comply with their obligations.

By doing so, we were able to prioritise the actions roughly into first-order and second-order items of priority. This rough framework helped reveal immediate areas for regulatory attention after the Bill is passed, and those that can come later given scarce regulatory capacity.

For instance, the establishment of the DPA and its adjudication wing is clearly of the highest priority for the central government. Once this is completed, the central government can turn to other substantive matters on which it needs to directly issue regulation such as on the conditions for cross-border transfer of data.

For the DPA, specifying methods of anonymisation will be a matter of top priority.

As discussed above, this will be a crucial boundary since the processing of anonymised data is not within the purview of the Bill.

Another priority area will be the rules on the grounds for processing personal data. The Bill creates a system whereby every entity (public or private sector) must select one of the grounds laid out in the Bill as the basis on which it processes personal data. Detailed regulation on the conditions, safeguards, and measures to be taken when selecting and relying on these grounds will be required to make this system work.

The DPA must also prioritise regulation on the form and content of the notices to be given to users before their personal data is processed. Under the new regime, giving such notice can be a pre-condition to processing personal data.

Need For Consultative Regulation-Making

The real story of India’s new data protection regime will only come alive in the months after the Personal Data Protection Bill is passed. Deep subject matter expertise and knowledge of data practices will be required to ensure the spirit of the Bill is reflected in subordinate legislation. Developing robust and timeless regulation will require collaboration between regulators, entities processing data, civil society, researchers and technologists. If we are serious about meaningful data protection for Indians in the future, we need to begin this conversation now.

Malavika Raghavan heads the Future of Finance Initiative, and Srikara Prasad is a Policy Analyst with the Future of Finance Initiative, at Dvara Research.

The views expressed here are those of the authors and do not necessarily represent the views of BloombergQuint or its editorial team.