As India is Set to Implement its Data Protection Law. What to Make of It?

Last month, the Indian Ministry of Electronics and Information Technology (MeitY) closed its consultation for public feedback on the much-awaited rules under the Digital Data Protection Act. Now, in the final phase before notification and implementation, the act represents the culmination of several years of rulemaking aimed at establishing a data protection regime in India.

A long and fraught history

For a country that has been positioning digital governance and infrastructure as the center of its global story, it is more than curious that India is still formalizing its personal data protection governance framework. Other than the United States, India has until now been the most significant country, economically and politically, not to have a comprehensive data privacy law. These new rules come at the end of long years of legislative and political push and pull.

India’s latest legislative efforts began in 2017 amid legal uncertainty over whether a constitutional right to privacy existed. As legal disputes over the Aadhaar Identity Program intensified, the Supreme Court convened a bench to settle the issue. Ironically, it was the government's own argument—that a constitutional right to privacy was unnecessary and that the government could instead safeguard citizens’ privacy through a data protection law—that triggered this legal clarification. In the end, the court dismissed the government’s stance and affirmed that the Indian Constitution does, in fact, recognize a fundamental right to privacy. As a consequence, the Indian government’s commitment to establishing a comprehensive data protection law emerged as an unintended but beneficial outcome.

MeitY established a 10-member committee chaired by retired Supreme Court judge B.N. Srikrishna in July 2017. A year later, on July 27, 2018, the committee submitted a draft of the Personal Data Protection Bill, 2018, along with a report titled A Free and Fair Digital Economy. MeitY later introduced a revised draft in the Indian Parliament in December 2018, which was promptly referred to a Joint Parliamentary Committee (JPC). After nearly three years of deliberation, the JPC presented an extensive draft to Parliament. These recommendations came to nothing as, eventually, the government withdrew the bill and introduced a new Digital Data Protection Bill in 2023, which was passed in the legislature shortly after.

It is worth noting that this was not India's first attempt at enacting data protection legislation. Over the past decade, several efforts and bills have failed to materialize. In 2012, Justice A.P. Shah led a committee that provided detailed recommendations on the subject. Before MeitY took charge, the Department of Personnel and Training had been responsible for privacy legislation, producing at least two drafts in 2011 and 2014. Additionally, private member bills were introduced by Manish Tiwari, Shashi Tharoor, and Jay Panda, but none progressed. Civil society organizations also contributed with proposals such as the Citizens Privacy Bill by the Center for Internet and Society and the Indian Privacy Code by the Internet Freedom Foundation.

However, every version of data protection legislation after the draft prepared in 2018 by the Justice Srikrishna-led committee has been worse than the previous one, diluting privacy rights and increasing executive control. The final version of the law fails on multiple counts: it does not establish a dedicated regulator, lacks standard safeguards against government access to data, and grants excessive regulatory authority to the Central government.

Assessing India’s data protection approach

When the 2023 law was passed, it left several questions unanswered to be defined later through the Central government’s rulemaking. With the release of the first draft of these rules, we’re starting to see a clearer picture of how India’s data protection law is likely to be implemented.

The departure from the previous failed legislative approaches was supposed to be in favor of a simpler law with lower overheads and compliance costs. However, rather than reflecting a constitutional vision of privacy as both a positive and negative right, the Indian law forsakes these values for an ideological flexibility, where the rules of data protection can be relaxed to serve expedient objectives.

For example, the law grants broad exemptions to the central government and other government bodies, with the extent of exemption varying based on their functions, such as law enforcement. Additional exemptions apply to most publicly available personal data, data processing for research and statistical purposes, and the processing of foreigners' personal data by Indian companies under contracts with foreign firms (such as outsourcing companies). Certain processing activities by startups may also be exempt if designated by the government.

The Act further authorizes the central government, upon notification from the Board, to request access to any information from entities processing personal data, intermediaries (as defined by the Information Technology Act, 2000), or the Board itself and to order restrictions on public access to specific information. Additionally, the Central Government has the power to establish various “rules” similar to regulations under US state privacy laws, shaping the law’s implementation.

Section 17(2), tucked away deep within the statute, grants a broad exemption from its provisions for personal data processing. This exemption applies not only to state entities designated by the Central Government in the name of India's sovereignty, security, foreign relations, public order, or preventing incitement to certain offenses but also extends to the Central Government when handling personal data provided by such entities. Moreover, it seemingly applies to the state, its agencies, and even other parties if the data processing follows prescribed standards, is not used for individual-specific decisions, and is deemed necessary for research, archiving, or statistical purposes. Given the broad wording, it is easy to imagine that numerous data processing activities could be classified under these exemptions.

The Promise of RegTech

The simple and rudimentary nature of the law coincides with an emerging discourse that attempts to position the need for India to take its own approach to data regulation—one that diverges from existing models such as the EU’s GDPR. This view was framed as an opportunity for regulatory innovation that would support India's domestic tech ecosystem and shield it from compliance costs that may have emerged from a GDPR-like regulation.

This vision first took shape through the Consent Layer of the India Stack architecture, a set of open APIs built by industry consortium iSpirt and blessed by the Indian government. The primary pitch for this form of regulation was that informed consent, the foundation of most data protection frameworks, was severely broken. In addition, it was argued that emerging economies like India could not afford to adopt a burdensome GDPR-like law. Instead, to achieve data regulation that would empower consumers, one would need to design consent into the technological architecture of data collection and data exchange systems.

Over time, the Consent Layer evolved into the Data Empowerment and Protection Architecture (DEPA), a techno-legal solution that allows users to share their data on their own through a third-party entity, Consent Managers. Starting with India Stack, the idea is that DEPA would be integrated into the emerging Digital Public Infrastructure (DPI) projects being created by groups like iSpirt in coordination with the parts of the Indian government.

While these solutions use distinct Indian language and branding that is crucual to presenting them as homegrown solutions , they resemble Personal Data Stores (PDS) familiar to those following developments in privacy-enhancing technologies. What sets India’s efforts apart is the scale at which these PDS-like solutions are being trialed across sectors such as finance and healthcare in India.

DEPA and PDS

PDS has been proposed as a solution that allows users to collect, store, and give granular access to their data instead of blanket consent. A working PDS should allow the user to easily control the flow of data and manage fine-grained authorizations for third-party services. Typically, PDS solutions work as platforms and protocols to support unified repositories of user data that could be managed locally by the user or outsourced to a trusted third party.

India's DEPA applies the solution within the National Health Stack, a federated application programming interface (API)–enabled health information ecosystem. One of its key components is the federated personal health records (PHR) framework. It is this part of the framework that would act as a Personal Data Store and could be used to provide “an integrated view of all data related to an individual across various health providers, comprising of medical history, medication, and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats such as age and weight, demographics and billing information, and multiple health apps.”

The PHR framework relies on a patient-controlled repository where data may be accessed from multiple nodes within the system. Importantly, the Strategy Paper for National Health Stack also envisions health data fiduciaries to facilitate consent-driven interaction between entities that generate the health data and entities that want to consume the PHR for delivering better services to the individual. While these solutions are often presented as transformative and novel, it is important to remember that such solutions have been tested in the past too.

A critical review of decentralized personal data architectures by Barocas, Narayanan, Toubiana, and Nissenbaum shows that ‘the search for alternatives to centralized aggregation of personal data began in the late 1990s.’ In the much-celebrated 1999 book Net Worth, the authors imagined a future in which privacy problems could be solved through a mix of decentralized storage and private contracts without requiring robust privacy laws. Yet, the excitement around these solutions quickly receded, only to resurface another decade later with renewed enthusiasm about solutions such as Personal Data Stores.

A Personal Data Store or PDS essentially helps you gather, store, manage, use, and share the information you need to manage your life better. It provides you with tools to control what information you share with which people and organizations and when. Similarly, PHRs are defined as an “electronic application through which individuals can access, manage and share their health information, and that of others for whom they are authorized, in a private, secure, and confidential environment.” A PHR includes health information managed by the individual. This can be contrasted with the clinician's record of patient encounter–related information, EHR, which is managed by the clinician and/or health care institution.

In the Health Stack model, the PHRs are intended as an API–enabled federated health data architecture relying on a complex ecosystem to query all nodes in the network to receive periodic updates from wearables, diary entries, pharmacists, doctors, hospitals, diagnostic labs, imaging facilities, and payment systems. The control that individuals would have over the data store in such cases would be limited, as they do not personally host the PHR but access it through an API.

Also, the ability to control and access information in the PHR in this framework is highly dependent on several pieces in the stack ecosystem working using open APIs in an interoperable manner. While looking to create an industry-driven stack ecosystem of this nature, an economic analysis of the various factors is necessary. Given the state of the health data ecosystem in India, creating a stack architecture with so many levels of dependencies for access to data sets is a very high bar to meet before it is fully functional and meets its promises.

Conclusion

At the core of India’s approach to data protection lies the philosophy that digital systems are better governed at the design stage. If systems are designed to enhance privacy, additional rules and regulations are only minimally needed. However, this simplistic approach ignores both on-ground realities in India, as well as inherited wisdom from past regulatory experiences both in India and abroad.

First, merely designing for privacy in the emerging DPI projects in India will not extend these practices to a majority of services and products that will not adopt this paradigm. Second, the openness and transparency of these DPI projects leave a lot to be desired, as has been captured by several commentators, thus compromising their rights-preserving claims. Third, the adoption of DPI-based solutions falls significantly short of parallel examples of data exchange systems such as X-Road in Estonia and Finland.

Fourth, on the regulatory approach, recognizing Lawrence Lessig’s dictum that code and architecture are law, can strengthen regulatory strategies in an emerging economy with limited state capacity like India. However, the outcomes that we expect these technical architectures to achieve require legal and regulatory mandates against which digital systems can be held accountable. It is hard to imagine that even the most optimistic policymaker in the Indian regulatory state believes that consent architecture in India’s emerging DPI solutions can substitute for a robust data protection regulation.