India's data protection law, the Digital Personal Data Protection Act (DPDPA), has been a topic of much discussion and debate in recent times. This Act aims to regulate the collection, storage, and processing of personal data in India, and to ensure the protection of individuals' privacy rights to some extent. However, I feel India may be overprepared for the implementation of the DPDPA. Already in the budget, the Indian government has allocated a sum of Rupees Two crores to set up a dedicated Data Protection Board.
This is a starting budget for the data protection space; the current allocation may cover only the first 6-7 months of salaries and expenses, as major work would be carried out online. The DPDPA rules are just around the corner; the money allocation is just the impetus, but the rules would be the bloodline. Parliamentary discussion on the rules would be fascinating, and students of data protection should follow these discussions, as they would be an important point of data protection jurisprudence in India.
I also see many people undergoing training and certification for LLM in Data Privacy, CIPP from IAPP, ISO 27701 LA or LI courses for PIMS certification, DSCI Privacy Course, and other online courses and certifications.
I feel data protection law and compliance in India will shortly see more qualified professionals than the demand requires, and there will be saturation in the profession, for the following reasons:
1. The Data Protection Law of India was on the horizon for many years, so professionals had already begun preparing.
2. Presence of CIPP and ISO-certified working employees.
3. Employees already working on GDPR compliance in privacy or assurance departments.
4. Indian GRC companies and traditional audit and compliance organizations like CA firms are taking over the data protection space.
5. Availability of AI-enabled GRC tools for compliance.
6. LLB will also have the DPDPA as a subject or part of a subject in the regular course. The DPDPA as a subject or part of a subject would also be in the syllabus of BE, BTech, MSc, and MBA programs.
7. Unlike GDPR, the basic DPDPA as a law is very small section-wise, with around 20-25 effective sections for compliance, while the rest are procedural. With no specific case law, its interpretation and applicability in various scenarios are yet to be ascertained.
8. Infosec people are handling privacy assignments and CISOs are donning the DPO hat, and I feel that's a natural progression in this initial period of 4-5 years.
9. There is no criminal action against corporate defaulters, and penalties are imposed by the Board, which in turn would be politically appointed, so there may be less application of a judicious mind or jurisprudential values. The perceived deterrence and legal risk would be low. For now, the seriousness comes from corporates comparing legal risk with GDPR cases and fines, but this is India; remember, here crores of rupees in taxes, fines for violations, and loans are written off.
10. Law penetration and awareness in a big country like India take time, and the Indian government knows this very well, so lots of time would be granted. So, easily within the next five years, we would have many professionals in the data protection space, and not to forget AI.
11. The DPDPA has introduced a new concept called "deemed consent," which is further narrowed down to the process called "certain legitimate uses" in Section 7 of the Act. The whole business here changes as organizations or data custodians might have the authority to handle the personal information of individuals for the explicit purpose for which the individual willingly shared their data unless they have expressly withheld consent for such use.
So where would be the zing and major application of mind and law?
The answer could be: in the higher courts, when appeals and writs start if disputes are not settled at the Board; when a question of law arises, or when corporations want to fight for their image; and if they really trust their cybersecurity guys or vendors to prevent the leak, or trust their consultants to actually do great compliance.
As time passes by, any further rules & guidelines issued by the government will further strengthen the implementation of the regulatory and safeguarding mechanisms. Overall, India's Data Protection Bill is widely seen as toothless and ineffective in its current form. Without stronger enforcement mechanisms, clearer definitions, and provisions for cross-border data transfers, the law is unable to effectively protect the privacy and data of Indian citizens. It is crucial for the government to address these shortcomings and strengthen the DPDPA to ensure that individuals have control over their personal information and that companies are held accountable for their data practices.