Data protection bill: Revamped to be simple or soft?


The Digital Personal Data Protection Bill, after getting a full makeover, is now open for public opinion for a month. Regulation, reach and results: does the revamped rulebook cover all the consent concerns? Will our data finally be secure, or has the draft diluted critical concerns for consensus? Host Anirban Chowdhury explores and explains the new bill with Rahul Matthan, Partner at Trilegal, and NS Nappinai, Supreme Court lawyer & Founder, Cyber Saathi. Credits: TV18

This is an audio transcript of The Morning Brief podcast episode: Data protection bill: Revamped to be simple or soft?

Anirban Chowdhury 0:06
I'm going to start with the cliche, which is perhaps the truest of all cliches today. Data is the new oil. Only, as an asset, it's perhaps much more puzzling, powerful, personal and, in India's case, unprotected. That is set to change now. Last Friday, the government finally presented its Digital Personal Data Protection Bill 2022, a draft set of rules to protect our personal digital data, from our biometric scans to our bank account details.

BG Sound 0:45
This evening, the government releases a draft of the revised data protection bill, three months after withdrawing the previous bill. The new bill is solely focused on personal data. Localization rules see some relaxation. Penalties capped at 500 crore rupees. The government reserves the right to exempt entities from these laws in case of national security and public order.

Anirban Chowdhury 1:08
The bill has been in the works for more than five years. It's been the subject of fervent consultation, furious contention, and quite a few changes. But what was uploaded on the website of the Ministry of Electronics and IT on November 17 was a crisp 24-page document, perhaps the most simply written legal document to have come out of the Indian government in a long time. What is this draft? Well, it has a set of rules for companies that collect and store our data. It makes our consent while sharing data the most important part of its framework, and it has listed a set of penalties, from a few thousands of rupees to hundreds of crores, in case of data breaches. But do simpler rules mean softer rules? Do the rules cover all sections of people whose data is shared, including minors? Do they hold the government, perhaps the biggest data gatherer in the country, accountable enough? Is the authority or the nodal body which will protect our data strong enough to do so? It's the 22nd of November. From The Economic Times, I'm Anirban Chowdhury, and today we analyze whether the new set of data rules does its most important job well: protecting our data.

Anirban Chowdhury 2:41
The idea of the privacy laws was first floated in 2009, the year when new anti-terror laws were floated, the RBI introduced a stimulus package after the global meltdown, Ramalinga Raju confessed to the Satyam scam, and an Indian court first overturned a 148-year-old colonial rule that banned homosexuality. But the privacy laws, they only gained steam in 2017, with a historic judgment upholding India's right to privacy. Thereafter, another Supreme Court Judge, V N Srikrishna, was asked to draft what was called the data protection bill 2019. The bill was changed several times and inflated with many amendments and clauses. And just when it was going to be finalized, it was withdrawn in August. The government said it would come up with a fresh draft, and it did on Friday. The current draft is nothing like the earlier ones. It's less than a fourth in size and has less than a third of the number of clauses and, what's really brilliant, it uses she and her as pronouns for all genders. It has removed contentious segments like non-personal data. Big tech firms especially will be very happy with the fact that the new rules allow companies to selectively transfer personal data of their consumers outside India, instead of localizing them as the firms were fearing. The new draft introduces terms like deemed consent and consent manager, which we'll discuss in today's episode. Like the previous draft, it still exempts the central government from the rules and gives it the right to keep other agencies too outside them. To explore the nuances of the bill, which affects everyone, you, me and big corporations, I spoke to Rahul Matthan, Partner at the law firm Trilegal. Rahul helped in writing one of the earlier drafts of the data privacy laws way back in 2011. He's been closely studying its evolution ever since.

Anirban Chowdhury 4:48
Rahul, thank you so much for agreeing to be part of the Morning Brief. Good to have you here.

Rahul Matthan 4:53
Thanks, man. It's a pleasure.

Anirban Chowdhury 4:54
So we are discussing the draft data protection bill. My first question to you is, very simply put, what are three ways in which my digital life will improve because of this new set of rules?

Rahul Matthan 5:06
Three ways, perhaps be simplistic, but I think what this law, if it is passed, will give us is a framework within which we can control what is done with our data and, as a result, control things like how third parties can get insights into what we are, how we're going to behave, and things like that. I think the second thing is that it is a modern framework. And so it reflects some of the innovations that India has made, which in many ways are different from what the rest of the world does, and I'm talking in particular about reference to the consent manager.

Anirban Chowdhury 5:43
Which is a person or an entity that enables you and me to give our consent to our data being taken, review, and withdraw it also, if need be.

Rahul Matthan 5:53
The consent manager, as you know, is a uniquely Indian innovation that forms part of India's Data Empowerment and Protection Architecture. And in many ways, it goes far beyond what any other country in the world has done with regard to data portability, and the way in which the data that's contained in silos can be managed by individuals. And I think the third one, and this is sort of the difference from the world that existed up until now. So we've got to recognize it, we've had what we call privacy rules under the Information Technology Act, which were a very stripped-down set of things that people had to do with regard to personal data. And the problem with those rules was that there was no enforcement mechanism, there were no consequences for what would happen to people if they didn't do that. This framework actually gives you that as well. It has a set of consequences. It has a regulator in the form of a Data Protection Board. It gives you an end-to-end framework: first, what you should do, what your duties are, what will happen to you if you don't do it, and who's going to enforce and police it, in case you commit a violation of some sort.

Anirban Chowdhury 7:00
So Rahul, I just want to understand, I mean, as a layman, will these rules apply retrospectively also to data that's already been collected?

Rahul Matthan 7:09
So look, it's a really interesting question. The law doesn't state that it will apply retrospectively. And I don't think any law should apply retrospectively, because that's just not appropriate for the way in which society and business organizes itself. But given the nature of data and the way in which operations are performed on data, it could have the effect of, in a sense, applying to data that's already collected. Let me explain how. There are two parts to the data protection law. One is the collection. The second is the processing. The collection is the first part, but very often, you collect data for multiple purposes, not just for the initial purpose for which you collected it. And very often, you continue to use it again and again. Just take the example of a loan: each time you avail the loan, you may want to recheck to see what the quality of your balance is, etc. So in that subsequent processing, in order to process you need consent, then once the law comes into force, that processing, if you don't already have consent for the processing, that processing could be a concern. Now, we also have recognized, as I said before, that we are already under a regime, which is the privacy rules. And that regime requires consent in order to collect information. I said, the privacy rules have been in the statute books since 2011. But it has no teeth. And so you know, quite frankly, it's there are many companies that really observe it strictly, except for international companies that have global obligations. And so they just continue to apply those around the world. So it's not strictly correct to say that you should, that you could have collected data without consent. Even now, you need consent to collect data. But you may not be subjected to all the stricter obligations that this new law will impose on the collection of the data. But you certainly will, going forward, on the processing of the data that you've previously collected.

Anirban Chowdhury 9:04
So only point is simplicity. One of the critiques to this draft in the last one or two days has been that, you know, in a bid to simplify the laws and the text, both have been sort of diluted. So I'll ask you about just one example. This distinction in personal data between general, sensitive and critical personal data that was there in the earlier drafts, singular or plural, now has been done away with, and that's been criticized by some. How do you react to this?

Rahul Matthan 9:34
First, let me give you a general response. So the point here is that it's impossible to please everyone, and that's sort of the legislative process. I think if we wait till we get a law that just so finely threads the needle between too complex and too simple, we'll be in the next century, and we'd have different problems. So let's park that for a moment. And let's talk about the well-known distinctions between personal data and sensitive personal data. By well known I mean around the world. Most legislations have this distinction, personal data and sensitive personal data.

Anirban Chowdhury 10:04
Just for our listeners, I was saying that sensitive data covers financial, health, sexual orientation, biometrics, transgender status, religious or political beliefs and affiliation. That's what it roughly covers, right?

Rahul Matthan 10:17
Yeah, then. So that's the point, if you think about it in abstract such that personal data is all data that will identify you personally, either itself or in conjunction with any other data that the data controller holds. Personal sensitive data is personal data that needs a higher threshold of protection. And so it is categorized as personal sensitive, in order to give it that higher level of protection. And I think a lot of people are concerned that we're not making this distinction, and so some harm is going to befall people. But I would just say that, at this present moment, we're not even protecting personal data, and to talk about the additional harm that's caused to people because sensitive personal data is not protected is utterly meaningless at this point in time, because that's being caused to you now, whether it is personal data, whether it is sensitive personal data. And so to me, getting the ball rolling with protection for personal data is fine. I want to make it clear that we are at a very rudimentary stage in our data protection journey. We don't yet have a regulator, where other countries have had regulators for 20 years now. So my strong recommendation is to start simple, and ratchet your way up. And if that means start just with personal data and leave sensitive personal data for later, I don't think much harm has been caused.

Anirban Chowdhury 11:37
Rahul, I wanted to ask you about deemed consent, which is a term in the draft and quite important. It's obviously different from explicit consent. So what is the significance of it?

Rahul Matthan 11:47
I think the choice of the term deemed consent is unfortunate. It seems to imply that our consent is being presumed where we could have provided it and, for some reason, it's being presumed upon. I think that's not what the substance points to. The substance is a lot more benign. Essentially, what this means is that, having provided consent for the data to be used for one thing, it can also be used in the legitimate interests of the data principal for ancillary or allied purposes. Look at the example in the bill itself. It says that if you make a reservation at a restaurant, and in order to make that reservation you provide your mobile number, it would be assumed that you have given consent for that mobile number to be used to call you to cancel the reservation or to check where you are. And they are saying that that is deemed consent. And so that sort of a use of data is essentially smoothing the road for just the ordinary motions of commerce. If you have given your mobile number to the restaurant, you can't subsequently stand up and say, when you call me to tell me that my reservation was canceled, you violate my privacy, because you yourself have provided that information for this purpose. Now, if they call you later to, you know, sell you some kind of a promotion or cross-sell something, that is, it will be outside of the deemed consent paradigm, and you can go against them for invading your privacy by doing or, you know, if they sell your mobile number to some marketing agency or something like that, you can go after them.

Anirban Chowdhury 13:28
I wanted to understand, what do you think of the fact that compensation to victims of data breach does not find a place in this draft?

Rahul Matthan 13:37
Yeah, look, I think there are things that the draft misses. And that's one of the things that I think we could well include in the draft. And I say that not just from a data breach perspective, because that once again is very narrow. I think we all get hung up with data breaches. But if you think about data breaches, in most instances, they're quite innocuous. If you looked at all the data breaches that have occurred, even in India, they've been things like, you know, your username and password and Zomato. How that's going to affect you, I really don't know. Someone else is going to look at what you like and, you know, order a pizza on your behalf? I don't know. So when we think about data breaches, we've got to think about practically what really happens with data breaches. Some data breaches are extremely dangerous, but the vast majority of them are benign like this. But I think the point you make on compensation is a good one. I think we really need to think about compensation for harms. I think in this law, we've got a good definition of harms. I think harms has been defined in a sort of a balanced way. But I think it could do with the inclusion of some sort of a compensation mechanism. I would be in favor of something like that.

Anirban Chowdhury 14:38
Right, coming to the data fiduciaries now. Would you say that this draft is much fairer to big tech?

Rahul Matthan 14:46
I have no sympathy for big tech, because the thing with big tech is that they're big, and so you can throw whatever regulatory framework at them and they will throw the money at it and comply. My concern with the increasingly onerous obligations of every subsequent draft is the impact that it would have on small businesses who don't have the resources to be able to put in place the kinds of compliance mechanisms that big tech could. So to me, complex, compliance-heavy data protection regulation or data protection framework, in a sense, radically unfairly affects small business and, in a sense, deepens the moat between bigger businesses and their potential competitors, because it's only the big businesses that have the resources to, you know, build large compliance teams that can deal with everything that a data protection law requires or, quite frankly, flout the law with impunity, because 500 crores is pocket change for big companies for them. Yes. Right. So to me, I think all you're doing is you are strengthening their hand, because you're now making it impossible for people to legitimately participate in the market, because they just don't have the resources. You know, they never had the resources to do the things that big tech could anyway. Now, by adding this compliance layer, you're making it completely impossible for them to function.

Anirban Chowdhury 16:10
Coming to the contentious, very contentious issue, actually, of the exemptions given to the center, in previous drafts. And in this. I mean, one would say that the government collects tremendous amounts of data from us and is a data fiduciary too in that sense, and the exemption has been critiqued quite a bit. What do you say to that?

Rahul Matthan 16:30
My response to this is that every data protection law in the world has exemptions, and it is inconceivable that you will have a data protection law anywhere in the world that doesn't provide exemptions for the sorts of things that section 18 provides for. If you look at Article 23 of the General Data Protection Regulation in Europe, you'll find almost identical language in that provision as well. So to say that we can expect to have a data protection law without exemptions is daft. It doesn't happen anywhere in the world, it certainly will not happen in the Indian context. We're always worried that government would misuse the freedom that they have under the law. But I keep telling people that this law is subordinate to the Constitution and, more importantly, it's subordinate to the interpretation of the Constitution under the right to privacy judgment in Puttaswamy. And so no matter what we write, or don't write, in the law, the government is still bound by the Constitution.

Anirban Chowdhury 17:26
Right. My next question is about the Data Protection Board. Again, as a layman, I mean, I just wanted to understand who's the sort of investigator, adjudicator, implementer here? Is it just one body, which is the Data Protection Board, doing everything?

Rahul Matthan 17:41
Yes. The Data Protection Board is the entity that would listen to complaints, would perform this judicial administrative responsibility, would, you know, investigate non-compliance, and I'm assuming that it would be a whole host of other powers and functions that will be delegated to the board. But essentially, this is the single authority that will do that. And I think it's interesting to see that even in the text, they've actually said that the board will be digital by design. And that's really interesting, because it's a response to some of the questions that were asked in the context of the previous drafts, which is that we need to have more offices, every state would need a Data Protection Authority, as it was then called. And by making it digital, I think we allow ourselves the ability and the flexibility to be able to rethink the way in which this is constituted, where things are, are actually being leveraging technology to regulate technology. That to me would be a very interesting, forward-thinking concept.

Anirban Chowdhury 18:40
Well, the draft has been heavily criticized as well. A separate set of experts on data privacy, and a whole lot of lawyers, have said that the government has removed a lot from earlier drafts that it should have retained in this one. They say that there should be a firmer ring of protection around sensitive data, that deemed consent isn't really consent, and can be exploited. They have also said that this set of rules leaves too much to delegated legislation, which means that a large chunk of the rules come from the central government, not the parliament. And they have said the government should be within the rules, not outside of it. NS Nappinai, a Supreme Court lawyer & Founder of a safety group called Cyber Saathi, has been one of the strongest voices critiquing the draft. She has in fact called it the worst of the three drafts. She is our second guest today. Thanks Nappinai, thank you so much for joining us on The Morning Brief.

NS Nappinai 19:38
Thank you for having me here.

Anirban Chowdhury 19:40
So just wanted to ask you this basic question. The data protection bill has one job, which is to protect our data. Does it do that in its current form?

NS Nappinai 19:51
Unfortunately, Anirban, no.

Anirban Chowdhury 19:53
What do you think are the key problems with the draft?

NS Nappinai 19:56
One is specificity. It does not set out clearly what are the rights that are being protected in terms of personal data. How is it protected? And why should it not be violated in a particular manner? In the sense, I'll give a small example. Now, we already have the GDPR from 2016, it became effective from 2018. One of the critical aspects of that, because they understood that all of us as users are being given the Hobson's choice of take it or leave it. So GDPR clearly built into it an opt-out mechanism, which is not to opt out of the service, it is to opt out of the consents that we give for the collection of our data. So whenever you visit a website, you would have seen the two options will be given, accept all cookies and customize. And when you're ready to customize, there will be one button which you cannot change, which is the very basic requirement. And then there'll be three or four more where you can then decide whether you want to allow sharing or not. And when you choose those other options, then you cannot be deprived of or denied the service. This was the issue we had with WhatsApp also, when they gave a discriminatory privacy policy between the European Union and India, where they gave this opt-out whilst continuing to use WhatsApp for EU. And they said for India, take it or leave it. Now, this current draft, which comes after the government has clearly taken a stand before the Delhi High Court saying that we will not allow WhatsApp to give us this kind of a differential treatment, actually just permits that. It effectively says that WhatsApp is a service provider, it can put down whatever privacy policy it wants, but it has to set it out very clearly. And it's open to the user to accept it or not. And if the user refuses to accept it, it's open to the service provider to take away the service. So how is it really a robust data protection enactment?

Anirban Chowdhury 22:07
Okay, Miss Nappinai, what do you think of the fact that this draft has removed the distinction between sensitive critical data and other personal data?

NS Nappinai 22:16
Yes, Anirban, it is necessary that sensitive personal data was given a stronger protection. So when you're doing away with a special category, the assumption will be that the general category will be elevated to the special category. In terms of the protections that are warranted, there is a higher threshold both in terms of the mode and manner in which data is collected, the time period for which sensitive personal data could be retained, most importantly, the technology protections that are mandated when you're collecting sensitive personal data, and the deletion of the data upon completion of the purpose. Therefore, you're retaining sensitive personal data for a very short period of time. So if you're doing away with that category, then it is necessary that general category, which is personal data, will stand elevated to the position of sensitive personal data and protections. See, your question is, is it not there now? There are two ways of looking at it. One, when you look at the draft that has been circulated, no, it is not there in it. There is a counter argument some people have come up with, saying that it will be covered under delegated legislation. But why? If you want law to be really a deterrent, if you want law to protect and not just be punitive, then it can't act like the policeman who will stand after the signal and then try to catch you, instead of standing at the signal and making sure that you will not violate it. So what we needed was specificity in the law. This is the parliament-enacted law. We can't have things move to delegated legislation every time to say that we will take care of it later.

Anirban Chowdhury 24:05
Right. Okay, so you've raised some concerns about deemed consent. Why do you think it's problematic?

NS Nappinai 24:13
So deemed consent is what we call a legal fiction, which means you either do something explicitly, like in the consent provisions. If you look at this draft itself, they mandate that you will have a list, that the service provider will set out a list of what are all the things that they're taking your data for, and by either clicking, even if it is just online, or physically, etc., the minute you accept, then it amounts to consent. Whereas when your act itself amounts to consent, without you doing that explicit act of tick marking, that is deemed consent. So for instance, and they give this illustration, and that illustration itself worries me immensely. The illustration they say is you go to a restaurant or you give your mobile number to a restaurant for booking a table, then that's deemed consent, because the restaurant cannot give a list over there of what are all the things they will use it for. Now, the problem that I have over there is, if the illustration was meant to explain that the consent is only for the purpose of booking the table, then with that booking our requirement is completed, then there is no question of deemed consent or the data being used for processing etc. Right. So the fact that it has been put down as an illustration under deemed consent means that the legislator intends, or rather the draftsman intends, that this consent allows the restaurant to then process your data, which is impermissible and goes completely against the grain of, as you said, Puttaswamy's judgment, and also everything that they understood as falling within the consent framework. So if you really, if you really want, and this is one more reason why I'm saying this draft does not protect, it is a data enabling act at best. You know, it enables all the service providers to now use our data more freely and with more gusto.

Anirban Chowdhury 26:22
Right. How do you react to the fact that there is no compensation in this draft for victims of data breach?

NS Nappinai 26:30
Yes, it's very, very important, whatever you have raised. So when we talk about financial penalty, one aspect is to penalize the violator, the other is to compensate me for my harm that has been caused to me. So the very breach of my personal data should be deemed to be harm, not just damage that is caused due to the breach. So for instance, if my credit card or debit card details have been breached, the very breach is considered a violation even under this draft. But what is the remedy? In law, unless you have a remedy, a right is ineffectual. The remedy cannot be a penalty, because that doesn't really help me as the person who's being made to run from pillar to post to then get an alternate credit card, etc. Right. So that aspect of compensation to the victims, and through the Data Protection Board, was critical. And for one more reason: this draft says that 43A will stand deleted. Now 43A falls within the chapter which could be adjudicated upon by the adjudicating officer under the Information Technology Act. So if you had a breach, you could have approached the adjudicating officer for remedies all this while, and till date the adjudicating officer remains the very ineffectual Secretary, Ministry of IT. Good, bad or ugly, at least you had a remedy. Now with 43A being deleted, and with no compensation being provided for under this draft, that means you have denied the victim an easy methodology of gaining compensation from both laws.

Anirban Chowdhury 28:13
Carrying on in this train on the, say, the liability or the culpability of the data principal, which is you and me, I mean, the people who share the data, what is, I think, termed there as the duties of the data principal. So among those, it said that we shall not register a false or frivolous complaint of data breach with the board, with the, you know, the authority, and there's a fine, I think, of rupees 10,000 on us if our complaint is proven to be frivolous. Now, while I understand that it's probably important to maintain checks and balances, do you think this will make people scared to complain or flag when they think that, you know, I don't know whether this is a data breach or not, should I complain? Do you think that'll happen?

NS Nappinai 28:59
Well, it is actually unfortunate that this draft, and everybody seems to be missing it, because it's kind of stuck between the multiple provisions which are for penalties against service providers, but now it is against data fiduciaries. So there is this one provision for 10,000 rupee fine, which everyone has been missing or misunderstanding it to apply to the data fiduciaries. No, it applies to each one of us. But the real chilling effect is not that. If you look at Section 16 sub-clause one, it is as open-ended as can be. A data principal shall comply with the provisions of all applicable laws when exercising rights under the provisions of this act. So you're putting such a huge, such a huge burden for this nominal rights, with barely any rights are set out for me now. And now in addition to that, I also gain a burden under this new draft. How wonderful is that? And the applicable laws are not as per this law: all applicable laws. Right? Before I do even every act, I'm supposed to sit and evaluate, what are all the laws I should comply with in this process? How open-ended is it? Again, first principles. I don't understand why the current draftsmen have forgotten first principles. Whether it is drafting of a law, whether it's implementation of that law, or defending a law, first principles apply. And the very first principle in law is that you will not be penalized for something that you can't even understand what you're violating.

Anirban Chowdhury 30:43
Right. Also, speaking of the exemptions, I mean, the government is one of the biggest collectors of our data or, I mean, the biggest, one of the biggest data fiduciaries, so to speak. So, you know, the exemptions go to the extent of almost undermining the law, right, or the spirit of it?

NS Nappinai 30:58
It negates the law completely. It's not just undermining it effectively, it tries to say that it can. So this, again, is the other reason why I'm saying it's completely outside the remit of constitution. You know, why I'm saying that is, so you have a law that is effectively supposed to be what has been asked by the parliament. And then you have a provision under that law, which says the central government can exempt and do away with the compliance of this law, effectively, then what you're trying to say is the central government can override parliament. How is that even permissible?

Anirban Chowdhury 31:40
I wanted to present a flipside that I heard. You know, the supporters of these exemptions say that it's being done exactly like every data protection law globally. For example, we are following GDPR quite a bit. I heard a discussion that the Article 23 of the GDPR is very similar to 18 here, which deals with the exemptions. Would you agree?

NS Nappinai 32:00
So here is where it's important to nuance it. 18 has sub-clauses. 18(1) is what is similar, not 18(2).

Anirban Chowdhury 32:10
So 18(1) and (2) are the exemptions to the rules. 18(1) says that the rules will not be applicable in case of court proceedings or investigations and the like. 18(2) says that the central government may exempt some agencies and bodies from these rules.

NS Nappinai 32:26
And that's where the problem is. The problem that I have is where they say that the central government can exempt from the application of the provisions of the Act the processing of data for ABCD reasons. That is what I'm saying is not permissible, because whatever the exemptions, set it out in the act, you cannot do it later. You can then set down rules which will explain how you will implement ABCD, but you can't have EFGH to be decided by the central government later. That's the part which I'm nuancing.

Anirban Chowdhury 33:02
Right. Do you think children's rights have been diluted in this draft?

NS Nappinai 33:08
Certainly, yes, I personally believe that children's rights have been diluted under this draft. If you look at the earlier draft, protection against profiling of children was sacrosanct; you could not profile children. Whereas under the current text, you have a provision which permits processing of personal data of a child obtained with verifiable parental consent. And then it goes on to say under sub-clause three that a data fiduciary shall not undertake tracking or behavioral monitoring of children or target them for advertising. However, under sub-clause four the above rights stand diluted, because four says provisions under sub-clauses one and three, which is what I just elaborated, shall not be applicable to processing of personal data of a child for such purposes as may be prescribed, which means, again, the central government is ascribing it to itself the right to override a parliament law and to set out as and when it pleases what will be the exemptions to profiling of children or for processing of that data without parental consent.

Anirban Chowdhury 34:26
Finally, do you think the draft will undergo several changes after comments from stakeholders?

NS Nappinai 34:31
Is this a draft which can even be repaired? This is something which, you know, which changes, because if I look at it, changes means you have to replace the entire draft. We were better off with the 2019 draft, which had only a few problems in it. And even over there, the JPC came out with 80-plus inputs. You know, instead of evaluating what is it that you could do with that, you've come out with something which neither protects me nor protects the industry. So that is another thing I wanted to pinpoint. All this while I have been speaking from the perspective of the individual or the data principal. I don't believe that this law even protects the interests of industry. Because unlike perception, when you have specificity, when you have regulation, and can actually enable businesses, but look at the draft as it is, do you think after reading it 10 times you are in a position to build an app and you will know what are the things you should avoid and not avoid? You can't, because every second page, you have something saying the central government will some come up with something else. So when you give that kind of power in the hands of the executive, the risk that you run is without it going to Parliament, that rule can be changed time and again. So you're going to be living in continuous uncertainty.

Anirban Chowdhury 35:57
So the good news: India finally has a set of rules to protect its citizens' data, tons of stuff that you and I share every single day, without realizing how sensitive they can be. India is really vulnerable when it comes to data. Our frequency of data breaches is among the highest in the world. We need rules, and they're almost here. The not-so-good news: the draft leaves a lot of very basic questions unanswered and issues unresolved, only some of which we discussed in this episode. Is it beyond repair as Miss Nappinai? I sure hope not. Meanwhile, the government has asked for comments on the draft. It will take them until December 17. Will the comments and interventions complicate this draft like previous ones? Will it be a case of too many cooks one more time? Again, hopefully not. Whether India's data protection rules have enough teeth remains to be seen. But as Rahul says, these are rules on training wheels, which hopefully will undergo amendments and become stronger with time.

Anirban Chowdhury 37:05
You've been listening to this episode on The Morning Brief. This was produced by Vinay Joshi and sound designed by Indranil Bhattacharjee, executive producers Anupriya Bahadur and Arijit Barman. Do listen to our episodes as they drop every Tuesday, Thursday and Friday on any of your favorite audio platforms. We also hope you like our new bells and whistles like the mint fresh signature tune you've been listening to for the last few episodes. A big shout out to the musicians at BCS raga soul for that. Do please also listen to our two brand new podcasts: business to sports, we just dropped its fifth episode with Nikita Luther and Dhaval Mudgal on how to become a professional poker player, and ET startup school, which dropped its first episode on the 19th of November with Satyen Kothari from Cube. There's lots happening. Do keep listening. This is your host Anirban Chowdhury, signing off. Have a good one. All clips used in this episode belong to their respective owners. Credits are mentioned in the description.

This transcript has been automatically generated. If by any chance there is an error please send the details for a correction to: We will do our best to make the amendment as soon as possible 
