“…The biggest challenge that we will see is how do we humanize [the Digital Personal Data Protection Act, 2023]? Because when you want to build compliant systems for this particular law, you have to humanize it to an engineer, to a product manager, to a user… till date, this right was something which was known in certain other circles for certain other purposes under certain other laws. What does it mean for us where a user is giving consent for a certain set of data and it has to be used for a certain purpose? What does it mean for the user? So there is a big task, not only for fiduciaries to figure out how to make these obligations come alive, but you will also have to, I think civil society and the government also has a huge task here to make this law a real law, because this is something everyone has been demanding…” said Tamoghna Goswami, Senior Manager Public Policy at ShareChat, when talking about the challenges data fiduciaries (entities) will face in terms of obligations.
Goswami was discussing obligations to companies as per Indian law, following the passing of the Digital Personal Data Protection Act, 2023 (DPDP) at MediaNama’s flagship event ‘PrivacyNama.’ Fellow speakers Varun Sen Bahl, Public Policy Manager at NASSCOM, Pragya Misra, Director of Public Affairs at Truecaller and Nehaa Chaudhari, Partner at Ikigai Law, with Prasanto Ray from FDI Consulting as the moderator, also talked about challenges companies foresee due to lack of industry guidelines in the Act. The full conversation can be seen here:
This discussion was organised with support from Meta and PhonePe, and in partnership with CUTS, and the Centre for Communication Governance.
Privacy advocate, guidelines needed in enforcement structure: Bahl talked about how the lack of a privacy advocate for any enforcement authorities under the DPDP Act is a concern. As the law is now, the Data Protection Board does not have a formal function of issuing advisory or guidance. Further, this responsibility is not assigned to the central government. Bahl warned that this could create a scenario where the Act is only interpreted after an enforcement action is inevitable.
“So, somebody has to burn their fingers for everybody else to figure out how not to burn their fingers. And that seems to be an inefficient, costly way of arriving at clarity that can be brought about through just having good guidance out there that’s developed in a consultative manner. And that has some level of authority and some level of certainty for people to rely on. And this is not just for fiduciaries, it’s also for processors and for data principals as well,” said Bahl.
He gave the example of Turkey, which updated its data protection laws in 2016 to comply with the Data Protection Directive, the predecessor of the GDPR. It ended up drafting a short law for itself regarding data protection and in the initial years focused only on its enforcement. However, due to limitations on state capacity and the lack of actual guidelines and guidance for the industry, there was much confusion about interpretations of the new law. Bahl said the situation in Turkey improved only in 2018, when the first guidelines on technical and organisational measures came out. Accordingly, he argued that the first challenge for entities navigating the DPDP Act in India is to think about building reasonable guidance and developing a privacy advocate role in the enforcement structure.
Creating systems for implementation: Goswami pointed out that it will take a long time to figure out how to create systems that have both a user-facing interface and the background systems behind it. Entities also have to consider the source of certain data and the consent required to use that data. There are also unanswered questions about the categorisation of data as personal, sensitive, critical, etc. Moreover, Goswami asked stakeholders to consider how the law can be made real to a user sitting in a tier-3 city who is accessing the internet for the first time.
“I think it’s a learning process for everyone who is creating implementation systems for Indian law. Eventually there’ll be a bit of clarity when the rules come in and when the implementation cycles are finished, when there are certain clarificatory notifications also, which are brought in, then I think we will be in a place to say, okay, obligations have been met with,” Goswami said.
Interpretation of rights differs case-to-case: Aside from obligations to companies and the government, the DPDP Act also talks about user rights. Goswami said that the application of these rights will differ on a case-to-case basis with the compliance varying from a company like Truecaller to one such as ShareChat, etc.
Where should companies look for guidance?
The discussion on guidance and advisories for navigating India’s data protection law led to a debate among speakers about the interpretation of the law itself. Goswami discouraged attendees from referring to Western countries’ approaches to data protection laws when interpreting the DPDP Act. She said that the Indian judiciary has its own set of interpretive laws as well as certain jurisprudence in place for interpreting specific words.
Referring to past compliances abroad is beneficial: Bahl argued that referring to developments outside India could help resolve issues like the distinction between a data fiduciary (entity here) and a data processor with greater ease. For example, the terms “controller” and “processor” are well-understood in the European context and have equivalent meanings under other laws like the data protection law in Singapore where the idea of an organization is similar to that of a controller. Bahl said that it would help Indian entities to benefit from the learnings other countries have about the terms and concepts “literally imported” from the laws in those regions.
“When you think about what guidance can do here, guidance can make that definition of data fiduciary [entity] and the idea of joint fiduciary-ship anchored in real world examples. It can also give clarity on how the central government, which will be the one making references to the Board with complaints, is interpreting the law itself, which has a function in the market of setting a baseline for compliance that then everybody can look towards,” said Bahl.
Previous compliance measures cannot be copy-pasted: Bahl also agreed with Goswami that GDPR compliance cannot be copy-pasted to the Indian context since the grounds for processing will differ. This means that a company that is already GDPR compliant will have to start afresh when preparing for operations in India with regard to mapping personal data and purposes to the different bases.
“[Starting afresh] is time-taking. That is something that will require even a GDPR compliant organization, to figure out, will require guidance. Also [it will need guidance] on what different “grounds” mean. And so I feel like, it makes sense that organizations that have complied with foreign data protection laws to be better placed than those that haven’t, but it’s not like it’s a cakewalk for them as well,” said Bahl.
Industry efforts can fast-forward guideline creation: While discussing concerns around the lack of guidelines, Chaudhari suggested that the industry need not wait for the government to come up with the guidelines. Chaudhari argued that guidelines come from multiple categories, such as consultation papers and the consequences of directions from Privacy Commissioners’ offices. In the DPDP Act’s case, the central government and the Data Protection Board are separate entities, each playing a distinct role in different kinds of guidance. So, while the rules will be framed by the central government, the interpretation of the law will come from the Board. Even there, once the law comes into effect, different guidelines may come in from different people.
As such, she said, “I actually don’t think it hurts us in any way to get a little bit ahead of that and say, why don’t we attempt to make sense of the words that we’re talking about? Just to pick up from where Varun [Bahl] left off, what would we like to see when we say technical and organizational measures? Do we want something in the rules that says, if I implement this ISO standard, I get a check that says, ‘yes, you have implemented satisfactory technical measures.’ ‘These five things, if you do organizational measures.’ So, yeah, I actually don’t think that that’s a bad thing at all.”
Note: Speaker Pragya’s surname was changed to ‘Misra’ following editorial inputs at 2:28 PM on November 2, 2023.