Will India’s new data protection law achieve its ambition of creating a truly ‘Digital India’: exploring challenges that lie ahead

India’s wait for an overhaul of its digital privacy laws — a fundamental right long under ever-increasing attack– has just gotten longer. Being the world’s third most-impacted country by network security attacks, with a dramatic increase in the number of data leaks and breaches, a more comprehensive cyber code is ideally the need of the hour. However, just as the GDPR opened the floodgates to the EU’s digital regulation, the same applies to India with respect to its newest regulation. The Digital Personal Data Protection 2023 (DPDP 2023) is the country’s first major technology law, poised to help fulfil India’s ambitions. Earlier this year, after a 15-month wait, India’s government finally opened the implementing rules of the DPDP 2023 for public comment. However, broad-ranging industry concerns persist from latent data localization, broad-ranging state powers, compliance costs and administrative burden on businesses, owing to certain provisions of the draft rules like processing of children’s data and user consent mechanisms, among others.

Recently, more than thirty (30) civil society organizations have started a campaign demanding the revocation of a provision in the data protection law that has amended the much-valued Right to Information (RTI) Act. The amendment permits the government to withhold personal information, potentially restricting various civil society actors, including the media, social activists, advocates and others, from accessing vital information required to expose corruption and hold the government accountable. The larger question, however, is whether the government will be able to balance the public’s right to access information with the right to privacy.

Given the federal set-up of the Indian Republic, the different Indian state governments will have a major role in the country’s emerging data protection ecosystem. Each constituent state will be given broad leeway to develop their own data protection policies and how to retain and process its citizens’ data. This has largely been left to a kind of trial and error, which is something only the future will tell. There may be instances where the local state policies conflict with those of the federal government or where one state has more stringent policies compared to the other – a situation quite like how the EU’s member states apply and implement the GDPR. This is also likely to impact the country’s overall digital economy ambitions.

Another factor that will impact the future of India’s digital economy is the surprising exclusion of non-personal data from the country’s data privacy regime. The exclusion of non-personal data, which many other jurisdictions have addressed, will most definitely cause complications in the current data ecosystem in which most companies operate. It remains largely up for speculation whether the government has a larger privacy law plan with the inclusion and regulation of non-personal data. The matter only gets more complicated as Rule 12(4) of the DPDP 2023 rules, which applies to a class of data fiduciaries, namely significant data fiduciaries (i.e. companies which will possess significant amounts of data), may well apply to non-personal data when it is transferred outside India.

Furthermore, it must be noted that most pertinent concerns on cross-border data restrictions continue to persist. Many digital rights activists continue to argue that the decision to retain latent data localization mechanisms is concerning, and further clarification is needed. The DPDP act and its accompanying rules make it clear that certain classes of data fiduciaries, especially significant data fiduciaries, may be subject to data flow restrictions should the government decide so. The act and its accompanying provisions are drafted broadly and avoid specifying any parameters the government would use to restrict cross-border data flows. Overall, these restrictive provisions for cross-border data flows can cause roadblocks to international trade—something India’s trade partners are wary of as the country sets off on an ambitious roadmap to sign various free trade agreements. Finally, the lack of legislative guidance on how the government determines a restricted jurisdiction may create investment risks.

Given India’s desire to foster an international image of a thriving and open digital economy with a robust data services industry, these issues have become more relevant. For the country to achieve this goal, the government must move fast to create a framework that brings it on par with its partners on the international stage. Given that the DPDP Act intersects with existing laws and regulations, the government must also work harmoniously with other envisaged digital regulations, such as AI and other emerging technologies. By addressing these issues, India can work through the various complexities of privacy and achieve its ambition of a thriving digital economy.