The Digital Personal Data Protection Bill, 2023, recently cleared the test of parliamentary approval. Ashwini Vaishnaw, the Union minister for communications, electronics and information technology, who was instrumental in the passage of the legislation, tells Sourabh Lele in an interview in New Delhi that the law will bring about behavioural changes in the internal business processes in alignment with the principles of privacy. Edited excerpts:
The final version of the Bill has switched to a blacklisting approach from the earlier concept of trusted geographies. What led to this change?
A. Don’t read it as whitelisting or blacklisting. In the digital world, there are no boundaries. In today’s connected world, close to $600 billion worth of export and import is happening [from India]. With every item of goods and services exported or imported, a lot of sensitive information like bank account numbers and addresses is exchanged across boundaries. So we have created a framework in which we can meet the sector-specific requirements.
India’s IT industry will become more attractive (after the law comes into effect), because there were some geographies which were saying ‘if you don’t have a data protection law in place, then we cannot outsource our work to you’. But with this data protection legislation in place, our IT industry will now be able to pitch that ‘yes, we have a strong law in place’ and they will get more work.
Will compliance costs for businesses increase after this Bill comes into effect?
A. I don’t think that it will be a major factor because we have had extensive discussions with the industry, with all the stakeholders. We met and consulted about 48 organisations in formal consultations -- and everybody -- is prepared for this kind of law. Most of the time, the processes are already in place.
Yes, there will be a significant behavioural change. There will be a significant change in the way the internal business processes are aligned. They will now focus on privacy by design, they will now focus on making sure that Indian languages are given their due, and they will now make sure that the agreements address a grievance redressal system that is properly in place. Those will be the additional things they have to do. But overall, the industry has given us the feedback that there won’t be any major increase in compliance burden.
What happens to the data localisation norms prescribed in other existing regulations?
A. Firstly, all the basic principles of privacy encoded in the law will have to be followed, irrespective of whether data is kept in India or outside. We have created a framework in which a particular sector can create the rules over and above whatever we have given. This is a horizontal law, which applies to all sectors. The vertical sectors can build (regulations) above it.
For example, the RBI has some special requirements about the payment system. Or, for example, tomorrow the health ministry can have some special requirements about health data.
But what are the provisions to stop the transfer of personal data to any blacklisted geography if it is stored outside India?
A. The law has followed the principle of accountability, which means that the person who has collected the data, that person, that entity, that organisation is responsible. Regardless of where the organisation is located, anywhere in the world, responsibility has to be there to see that all the provisions of the law are implemented.
That is why we didn’t keep joint liability for data processors. There is a reason why we put the entire onus on the data fiduciary because once we have it on the data fiduciary, then that data fiduciary cannot make the excuse that one of the processors has made a mistake. So we have put the entire accountability on the data fiduciary.
The Bill requires platforms to take clear consent from users before collecting any personal data. But how will this be different from the checkboxes we see for website cookies?
A. There are very good international established practices. We will be following many of those practices and we have already started interacting with the industry on the implementation part. So it will become a very seamless implementation. The language very clearly says consent should be fair and reasonable. We have now legislated that the consent form and notice have to be very specific. So those things we have learned from the experience of other countries.
In case any individual withdraws consent, will the data processors also need to erase the data of that user?
A. [In case of withdrawal of consent], the personal data has to be erased from everywhere the data fiduciary has shared it.
What led to the introduction of powers to issue blocking orders against data fiduciaries in the final version of the Bill?
A. It is Section 37, which very clearly gives the intent of the provision. The intent is, if somebody is repeatedly violating the privacy of a citizen, not rectifying it despite penalties, then there should be something stronger for protecting the citizens’ rights.
A lot of checks and balances have been kept, such as the principle of natural justice and the right to be heard. After considering all the facts and circumstances, an order can be passed. But the law intends that if somebody is repetitively violating citizens’ privacy, then there is a provision for further severe action. It is only for repeat offenders.