India to set up independent Data Protection Board under new legislation
India's data protection framework gets governmental nod, rules in the making
The data protection framework in India received harbingers of its implementation process as the government gave its consent this week after a long-standing anticipation. Ashwini Vaishnaw, Union minister for electronics and technology, provided insight on the critical developments needed to see it in action, primarily the rules formulation and the establishment of the Data Protection Board. These are anticipated to unfold in the forthcoming months.
During the interview, Vaishnaw enlightened the public on the procedure of the rules implementation that’s taking place simultaneously. He noted that the rules are being formulated to be straightforward and flexible enough to adapt to technology’s dynamic landscape, similar to the accessibility and simplicity of the law. The implementation will follow the democratisation of technology, integral in India’s digital services expansion to remote and poverty-stricken regions.
On further development, Vaishnaw has noted that the emerging rules would be visible to the parliament and that the formation of the independent Data Protection Board is underway. In the near future, an influx of activity might be witnessed, catapulting the Board’s implementation and digital-by-design setup.
Regarding the selection for the Board, Vaishnaw drew attention to the Act’s provision for absolute independence, much like TRAI (telecom regulatory authority of India), hailed as the epitome of an independent body. The Act specifies the appointment duration, the type of subjects handled, cooling-off periods. The candidates for the Board would primarily be individuals adept with the digital economy and comprehend its nuances.
External prospects from the government would also be considered for the Data Protection Board. Classification of fiduciaries is poised to be nature-specific or sector-specific and model itself according to the proportions set by the Puttaswamy judgment. The judgment aimed to treat fiduciaries like startups, ordinary data, and significant data, separately.
When asked about behavioural tracking, particularly for children’s privacy, Vaishnaw referred to the seven principles which dictate what, how, and when data can be collected and used. Any data beyond the consent framework becomes illegal, thus, holding Big Tech and all social media companies accountable.
Merely clicking ‘I agree’ without understanding what one consents to is a ubiquitous issue today. Vaishnaw mentioned plans to address this in the law by creating a consent framework that is fair, reasonable, and easily understood. In line with the country’s diverse linguistics, the minister emphasised that consent notices would be constructed in 22 official languages.
Data fiduciaries have, by and large, voiced readiness for the law, as this principle has been implemented in other geographical sectors and India was well-prepared after the Puttaswamy judgment. However, this law is conjectured to invoke a substantial behaviour change, as protocols will alter and accountability will become stringent.
Children’s protection under this law includes verifiable consent and age verification, feasible through the country’s robust digital public infrastructure. For example, Digital India, Aadhaar, online authentication, Digilocker. These provide the capability to perform any verification online seamlessly, an advantage not available to numerous nations.
The regulations will be varied to accommodate different platforms. For instance, restrictions for educational apps differ from online game apps due to the potential inclusion of violent content affecting children’s behaviour.
Blocking fiduciaries in violation of the law provisions is a pivotal aspect of Clause 37 of the Act. Enacted after the 2022 draft, this clause caters to platforms that repeat violations, disregarding privacy even after penalties. A severe measure could involve blocking or disallowing the service after hearing out the platform’s side and adhering to the principles of natural justice.
The interviewer raised concerns about sweeping exemptions for government purposes. Vaishnaw responded that the exemptions were in absolute alignment with the Constitution, which includes carve-outs for national security, friendly country relations, public order, crime incitement and investigation.
Looking at the future, possibilities of Digitisation of India and amendments to the telecom bill before the 2024 elections were broached. The goal is to create a digital economy framework adaptable to technological changes and advancing towards democratising technology.
The less stringent data localisation norms in the new law than the original proposal is interesting. Every sector will have regulations specific to its requirements. In multinationals’ response to the new law, the principle-based approach rather than a prescriptive one was generally appreciated. The independence of the Data Protection Board evoked a positive reaction. The Indian IT industry sees this as a compelling lever for growth.
