
Opinion Digital Personal Data Protection Act: The speedbumps ahead

Inclusion of vague qualitative parameters such as risk to electoral democracy and public order is likely to make the process imprecise due to the lack of objective criteria or any tangible metrics for such designation

Union Minister for Electronics & Information Technology Ashwini Vaishnaw (Express File Photo)
August 22, 2023 09:26 AM IST First published on: Aug 22, 2023 at 05:13 AM IST

On August 9, 2023, the Rajya Sabha “unanimously” passed the Digital Personal Data Protection Bill (DPDP), 2023 and drew the curtains on a journey that began roughly a decade ago. In the process, it has predictably provoked mixed reactions. One of the overarching goals of the legislation, by the government’s own admission, is to strike a balance between protecting personal data and enabling the processing of such data for lawful purposes, so as to enable innovation and promote economic growth. In doing so, the government has largely exempted itself from the purview of the law, in letter and spirit.

The Act declares that for the “security of the state, maintenance of public order or preventing incitement to any cognisable offence relating to any of these, and the processing by the central government of any personal data that such instrumentality may furnish to it”, the state falls outside its scope.


In other words, the state could, in theory, invoke national security to justify any action. Recall how President Donald Trump had controversially invoked national security to defend an increase in steel tariffs in the US in complete violation of all obligations made in the WTO. The Act also provides that the central government notify a Significant Data Fiduciary (SDF), and impose obligations on it, including periodic audits and data protection impact assessments, among others. While notifying such SDFs, the government will consider the volume and sensitivity of personal data processed, risks to the rights of the data principal (the individual who owns the data), the potential impact on the sovereignty and integrity of India, risks to electoral democracy, security of the state, and public order.

Finally, the Act mandates the establishment of an adjudicatory body, Data Protection Board (DPB), that will enjoy quasi-judicial powers and will be wholly appointed by the central government. The letters in the law are unambiguous.

The spirit of the Act reinforces the letters. Here’s how. Prima facie, SDFs are most likely to be entities that enjoy “significant market power” (SMP) and as such possess the means to abuse their dominance. If one draws a parallel with competition policy that relies heavily on SMP analysis, notification of the SMP is the privilege of the regulator because it has the necessary expertise to do so. Moreover, competition policy is no longer concerned with size and structure, but with conduct. As a result, competition law in India continues to be largely ex post, implying that the market regulator, the Competition Commission of India (CCI), intervenes once market distortion has occurred.


Through this legislation, the government has signalled an intent to lay down ex ante rules to keep a check on the power enjoyed by certain platforms that exercise immense influence. There is nothing wrong with that, except the task ought to be delegated to the DPB. And in practice it still might. But why should governments get involved in notifying SDFs in the first place?

If designed well, ex ante regulation could help in: (i) acknowledging and possibly limiting the harms that digital behemoths have the potential to unleash; and (ii) ensuring that the burden of onerous obligations does not create high entry barriers for start-ups seeking to disrupt the behemoths, Schumpeterian style. Many other jurisdictions have incorporated or are in the process of incorporating ex ante obligations on identified entities.

For instance, the proposed American Data Privacy and Protection Act (ADPA) imposes additional obligations on entities identified as “large data holders”, categorised by revenue and volume of data collected. While the EU’s GDPR did not have such thresholds, the recently passed Digital Services Act (DSA) classifies platforms or search engines that have more than 45 million active users per month as very large online platforms (VLOPs) or very large online search engines (VLOSEs) and imposes additional obligations such as independent audits, an established point of contact and sharing data with the commission to assess compliance, to name a few.

Though well-intentioned, the Indian approach is likely to encounter a few speed bumps. For starters, inclusion of vague qualitative parameters such as risk to electoral democracy and public order is likely to make the process imprecise due to the lack of objective criteria or any tangible metrics for such designation. What’s more, any such determination must rely on market analysis requiring specialised skills and subject matter expertise, which may be beyond the know-how of the government. And by limiting the term of the DPB to two years, with possible extension, in spirit, the members will serve at the privilege of the government, creating perverse incentives. The Act also empowers the government to exempt any private entity from additional obligations imposed on SDFs. This leaves room open for arbitrariness and regulatory asymmetry.

Another aspect of the law that seems odd is designating the Telecom Dispute Settlement and Appellate Tribunal (TDSAT) as the appellate tribunal of DPB. TDSAT was established with a view to hear appeals against orders of the Telecom Regulatory Authority of India (TRAI). Data is vastly more than just telecom and arguably more complex. Telecom disputes have over time themselves become more intricate and time consuming to resolve. It took a decade, if not more, to establish the jurisdictional boundaries between TRAI and TDSAT because, in part, the system was gamed by vested interests for narrow gains that hurt the sector. It could well be argued that TDSAT was unable to function along Benthamite lines for the welfare of the majority and it is unlikely to do so under the current structure to enable protection of personal data. Repurposing an existing institution to deal with ever more complex questions posed by new and emerging technology is a brave experiment. Data governance is serious business and if the government is serious about it, then it needs to delegate, in letter and spirit.

Suri is Research Lead, The Centre for Internet and Society, and Kathuria is Dean, School of Humanities and Social Sciences at Shiv Nadar Institute of Eminence and Professor of Economics. Views are personal.
