Opinion: As Europe aims to cut data privacy red tape, India plans to put up more

The commercial and compliance havoc wrought by the EU General Data Protection Regulation will seem mild in comparison to the Digital Personal Data Protection Act, unless fundamental design changes are introduced.

April 11, 2025 01:43 PM IST First published on: Apr 9, 2025 at 08:32 PM IST

Written by Meghna Bal

An interesting report emerged from the EU on April 3 regarding the European Commission’s plans to slash the EU General Data Protection Regulation (GDPR) — its most famous, and beloved, privacy regulation. Broadly, privacy laws like the GDPR govern how companies doing business in a given region where the law is enacted (in this case Europe) handle the personal data of its citizens. Given that India is on the verge of implementing its own privacy law, the Digital Personal Data Protection Act, 2023 (DPDPA), it should pay attention.

The EU is considering revising the GDPR because it creates a cumbersome and costly compliance regime. For instance, a study by the German Chamber of Commerce and Industry (GCCI) found that around 75 per cent of German businesses still had to put in high to extreme efforts to comply with the law, years after its implementation. Another study revealed that the GDPR induced about a third of available apps on the Google Play Store to shut down their operations, and in the months following its implementation, the entry of new apps fell by half. A 2022 paper by Oxford University economists found that the GDPR shrank the profits of European businesses by 8.1 per cent.

India, for its part, had reservations about the GDPR model. Though the initial draft of our privacy law closely mirrored the GDPR, reports suggest that efforts were made to ensure that the former was not as compliance-heavy as the latter. For instance, in 2022, then minister of state Rajeev Chandrasekhar suggested that the GDPR was not innovation-friendly, and a little too “absolutist”.

Unfortunately, though the DPDPA differs from the GDPR, it is mostly in ways that are more stringent, less clear, and more difficult to implement. For instance, the DPDPA omits legitimate interest as a legal basis for processing data without user consent. Legitimate interest allows data to be used for reasonable purposes such as fraud prevention, system security, or even marketing, without troubling users for consent each time. In the EU, even journalists rely on legitimate interest to access records for investigative reporting on financial crimes.

Most data privacy laws, including the GDPR, recognise legitimate interest as a legal ground to avoid unnecessarily inconveniencing businesses and consumers, and ensuring the integrity of online systems. As the DPDPA does not recognise legitimate interest as a legal basis for data processing, every time a business wants to notify a customer about a new offer or update their security settings, it will have to ask for their consent.

Consumers are likely to face a deluge of consent notices as a consequence. The barrage of consent notices may result in a situation where consumers quickly tire of having to sign off on them, and stop opting in. In turn, such consumer refusal to consent, not out of privacy concerns but largely out of annoyance, may lead to compromised security settings, and hinder the ability of businesses to prevent spam and fraud.

The DPDPA also does not include contractual necessity as a legal basis for processing data without user consent, making it impossible to fulfil digital transactions or services that involve third parties. Let us consider a hypothetical situation where A wants to send a gift to B. A provides B’s name, address, and phone number to BHL (a logistics company) for the delivery. Now, BHL will not be able to complete the delivery because it does not have B’s consent to process her data. BHL will not even be able to contact B to ask for her consent, because that would also involve processing B’s personal information — and BHL cannot do this without her consent.

The omission of contractual necessity will bring any business dealing with the personal data of third parties to a virtual standstill. Aside from logistics companies, and those that rely on these entities to send or import shipments, BPOs may also be implicated, as they will not be able to directly secure customer consent for any services.

The commercial and compliance havoc wrought by the GDPR will seem mild in comparison to the DPDPA, unless fundamental design changes are introduced. The over-reliance on individual consent for sanctioning data operations risks overwhelming users, paralysing businesses, and possibly undermining the very objective of safeguarding personal data.

Ironically, it seems that India needs to take a leaf out of the EU’s book and streamline the DPDPA to better serve consumer and business interests. As a starting point, India must amend the DPDPA to include contractual necessity and legitimate interest as legal bases for processing data without consent. Without such course correction, the country risks implementing one of the world’s most burdensome and impractical privacy regimes — sacrificing both innovation and individual convenience and security at the altar of compliance.

Meghna Bal is the director of the Esya Centre, a tech policy-focused think tank. Views are personal.
