On December 20, 2023, representatives from major technology companies convened with officials from the Indian Ministry of Electronics and Information Technology (MeitY) in a closed-door meeting. The agenda centred around deliberations on the draft Rules for implementing the Digital Personal Data Protection (DPDP) Act, which is expected to be shared soon with the public for consultation.
The fact that the private sector was offered a preliminary opportunity to express their opinions before the finalization of these rules underscores the government's commitment to cultivating a pro-business environment through the DPDP Act.
The upcoming release of the draft rules is poised to closely follow the enactment of the DPDP Act in August 2023. The Act has received acclaim for striking a delicate balance between safeguarding individual data privacy and encouraging innovation within the burgeoning technology landscape of the country.
A Pro-Business Focus
Surprising the business community, the DPDP Act 2023 removed the data localization requirements, marking a significant departure from the previous iterations of the Act. The earlier DPDP Bills required certain categories of personal data to be stored and processed within the country. The provision faced staunch global opposition, particularly from the US, which criticized India's requirements as discriminatory and trade distortive.
In contrast, the DPDP Act, 2023 adopts a more inclusive approach, granting firms autonomy in the choice and location of cloud services for storing and processing personal data of their users. By prioritizing cost-effectiveness and competitiveness for the firms, the removal of data localisation requirements signals a more accommodating government stance.
In addition to scrapping data localization requirements, the DPDP Act 2023 also allows unrestricted cross-border transfer of Indian users’ personal data abroad, barring certain destination countries. Firms would not be required to conduct post-transfer impact assessments or to ensure that the destination country has similar data protection standards– mandated in other jurisdictions like the EU and Vietnam. This provision significantly reduces the compliance burden, particularly for foreign digital companies operating in India.
Data Protection Impact Assessments (DPIAs) are resource-intensive exercises mandated for tech companies in various jurisdictions to pre-emptively evaluate and mitigate risks associated with processing personal data. However, the DPDP Act only mandates that Significant Data Fiduciaries (firms processing either sensitive or large volumes of personal data) conduct DPIAs.
This targeted approach indirectly benefits larger tech companies who already conduct DPIAs to comply with global privacy laws while also reducing operational challenges for smaller businesses, thus fostering economic competitiveness for the entire private sector.
Further, the Act acknowledges that certain provisions may hinder the sustainability of resource-constrained startups. To address such concerns, the Act exempts startups from many obligations imposed on data fiduciaries in the Act, thereby supporting the Startup India mission. The exemptions increase the appeal of Indian startups, which could likely drive more investments from venture capitalists.
Transition to a Conditional Data Protection Model
There are three internationally recognised models of personal data protection regulations: limited, conditional and open. Through various iterations of the privacy bills, India has transitioned from a limited model, which imposed stringent restrictions on data flow to prioritize privacy akin to the approach in China and Vietnam, to a relatively more liberal framework of a conditional model, which is prevalent in the EU.
The DPDP Act, 2023 facilitates international data flows for economic activities while still ensuring privacy – a move that has been welcomed by the tech industry players. With robust data protection measures through legislation, India is deemed to meet the "adequate level of data protection safeguards" required by many jurisdictions for cross-border data transfers. This can also attract foreign data processing businesses to establish operations in India, fostering employment opportunities for the country's enormous tech talent.
Grey Areas for Businesses Remain
While most provisions of the Act favour businesses, some aspects cast doubt on the intended positive impact. Notably, the Act mandates businesses to report all data breaches to the Data Protection Board and affected individuals. The Board can also direct remedial measures and impose hefty penalties (up to 250 crore rupees) for inadequate security safeguards. Universal application of these requirements, even for minor incidents, may disproportionately affect smaller enterprises, increasing their compliance burdens.
Moreover, certain provisions of the Act do not augur well for the digital advertising ecosystem. The Act mandates companies to use data solely for its intended purpose, thereby restricting digital advertisers from collecting extensive datasets for targeted campaigns. However, the business model of many digital platforms today hinges on providing free social media or search engine services to the users, and using their personal data in return to target online advertisements to generate revenues.
Compliance with the DPDP Act might involve soliciting explicit opt-in consent for personalized ads, but even this could face challenges. For instance, Germany's Federal Cartel Office ruled in 2019 that Facebook cannot make the provision of its social media services contingent on customers consenting to personalized ads, underscoring potential challenges in implementing such requirements.
Competitive Edge in Global Data Governance
The passage of the business-friendly data privacy legislation comes at an opportune time. China, India's biggest competitor for overseas tech business investments, is placing stringent data protection requirements to crack down on US-origin big tech companies. Firms are already looking at countries like Vietnam to diversify their tech manufacturing supply chains under the ‘China Plus One’ strategy. However, with Vietnam’s strict data regulations, particularly related to data localization and cross-border data flows, India now offers a more lucrative tech ecosystem as an alternative to China.
Countries like Norway and South Africa have praised the DPDP Act as a significant milestone, recognizing it as a model for implementing data protection measures, particularly in developing regions. Meanwhile, New Zealand has taken a keen interest in how the DPDP Act would be enforced.
Broadly, the DPDP Act is a positive stride towards the government’s goal of creating a one trillion-dollar digital economy by 2026. However, it must be remembered that this is only the first step towards responsible data governance in the country and not the final step.
(Nidhi Gupta and Rohanshi Vaid are Researchers with the Asia Competitiveness Institute, Lee Kuan Yew School of Public Policy, National University of Singapore. Ammu George is a Lecturer at Queen’s Business School, Queen’s University Belfast and Adjunct Fellow with the Asia Competitiveness Institute. Views expressed are those of the authors alone.)