What India’s Data Protection Law Brings to the Regulatory Mix

With the recent signing of India’s Digital Personal Data Protection Act, another nation state established rules and guardrails for how it wants organizations to handle the data it collects while also offering citizens some measure of control over the information gathered about them.

There are nuanced questions, though, about what India will allow — including certain exceptions for government collection of data — and who the state might put on a “red list” that would preclude them from engaging in business that relies on data derived from citizens of India.

As more countries debate legislation to regulate how data is owned, used, and controlled even by overseas organizations, India’s example may show that data privacy compliance around the world might not be just a carbon copy of GDPR (General Data Protection Regulation).

Joe Jones, director of research and insights with the International Association of Privacy Professionals, shares some of his perspectives with InformationWeek on the swift passage of the Digital Personal Data Protection law in India and whether it sets a tone for more legislation to come in other nation states.

Did the legislation in India flow through easily? Are we starting to see states find their stride with data privacy policies?

I’ve been following the whole debate in India for about seven years now, since they first proposed a new bill, and Indian politics is so complex. There’ve been so many iterations with this bill. [Editor’s note: Prior proposed privacy bills in India were withdrawn in 2019 and again in 2022 before this latest version was submitted to Parliament Aug. 3.]

That this one passed — you know, it was proposed, and it was passed within days, and it was pretty unceremonious. It was pretty quick, seamless — with opposition — but not frustrating opposition. It ultimately just went through; so, I think it took a lot of people by surprise, to be honest. It’s a bit like if the US Congress were to pass a privacy bill next week without much fanfare, so it’s quite extraordinary in that sense.

It could serve as a bit of a road map for countries that it doesn’t have to be as disputed and as protracted as it has been in the past. The [European Union General Data Protection Regulation] GDPR was really contentious. I’m not saying everyone needs to “down tools” and just pass things, but India has certainly shown that you can do this pretty quickly if you want to.

Some past proposals had proved controversial, for example data localization and “greenlists” of countries for data transfers compared to this version, which flips the paradigm to have “redlists” of countries data can’t flow to. Wider geopolitical — data privacy laws effectively becoming buy-in at the diplomatic tables on data flows and digital trade — and technological developments, for example AI, may have also helped accelerate things.

With this legislation how does it compare with what we’ve seen on the international scene? There’s certain elements such as the exceptions for government use of data — how does this law compare with others?

A lot of people in a lot of organizations will be focused on that particular question because this applies to 1.4 billion people in India, but it also applies to organizations outside of India. So that’s a common principle with some existing privacy legislation. It has extraterritorial scope. If you’re a company based anywhere in the world that provides goods or services in India or even if you conduct activities that are related to the provision of goods and services in India, you’re covered.

You’re not covered if you just outsource to India, so that’s a huge part of the commercial pie when it comes to global trade in India. If you are not providing any goods or services in India, you’re just outsourcing, you will not be covered by this. The fundamental building blocks of what we’ve seen with privacy legislation around the world exists in this bill. You’ve got to have a legal basis for collecting and using data. Data subjects have certain rights and certain conditions. International transfers are regulated, though there’s a paradigm shift in how India’s region transfers data compared to other countries.

The fundamentals are all there; there are just some notable differences. The government exemptions — that is common around the world. The scope of these exemptions is quite unique to India. In the UK we have government exemptions there. You wouldn’t expect UK spy agencies to tell people, “Hey, we’ve collected your data, you’re under surveillance. It’s your right to complain.” There are various digital exemptions in place around the world.

What comes next after this? Is there anything to improve upon or does this law, as it is, close the books with no need to further amend it?

It’s almost too good to be true that this would all be done. It’s now been signed by the president, so it’s law; it’s an act. Now there are about 20 to 25 provisions that have been earmarked for further regulation — secondary legislation, secondary regulation that needs more clarification. There’s still going to be months, if not a few years, of the law being further unraveled and interpreted. That’s going to be important. There are provisions that are on the books now that people have to wait and see. One example is, in the EU you can’t send data to a country unless the EU has said it’s “adequate” and they’re on the “green list,” unless you use contracts.

In India, they’ve totally flipped that paradigm. This law says everyone in the world can send data everywhere unless, and until, we put them on the “red list.” So, they’ve flipped. Essentially, they’ll be doing inadequacy assessments and that will take some time to see who they’re going to put on that list.

What might deem an organization or state “inadequate?” What tends to raise those red flags?

This is the sort of stuff that’s become so immersed and steeped in geopolitics. Strictly from a data protection perspective, you would expect India to put on their red list those countries that don’t have the same rights and protections and safeguards that exist in their act now in that legislation. This is so immersed in the politics of the of the day. Couple of weeks ago we saw some EU regulators ban transfers to Russia. We’re seeing a bit more, a lot more actually scrutiny on transfers to China. India’s place in the world is pretty interesting on all of that. It’s a bit closer to Russia and China. It’s pulled in different directions. I think it’s going to be fascinating to see whether they’re going do any inadequacy, red list assessments, and if so, who’s going to be on that list.

Have we come to a place in time where policymaking for data privacy has rather matured and there is a better understanding of how these laws are written and then enforced?

Yeah, definitely. I think so. Something that happened last year — the Commonwealth countries, a lot of countries in Africa, the Caribbean, and some in Asia, UK obviously, but they all came together, and they drafted a model data privacy law that they all agreed works in their countries. I think we’re seeing more of that. We’re seeing more coordination; we’re seeing more cohering of different approaches around the world, a lot more maturity helped in part by the fact that a lot of these countries now have their own domestic laws and statutes and helped in part by the challenge of cross-border trade and cooperation.

What to Read Next:

US Data Privacy Relationship Status: It’s Complicated

EC Says European Private Data Can Flow to Compliant US Companies

Will Your Company Be Fined in the New Data Privacy Landscape?