‘Data protection law designed to safeguard citizens’ rights’ | India News

India perhaps has one of the largest population of digital users in the world. How big is this day for our millions of digital nagriks and for protecting their online data?
Prime Minister Narendra Modi has put a very strong focus on democratising technology, whether it is provision of services through digital means, or creating a law where access to justice will be equal to a person living in a big city or in a small far-flung village. This theme has now become a reality. When we say democratising technology, it means equal access to technology, clear understanding of implications, and making sure that services are available in the language that a person understands. Our Constitution recognises 22 languages in the Eighth Schedule. And so we have used that construct and made it mandatory for the social media platforms and all data collection organisations to give the consent notice in one of the 22 languages at the choice of the user.

India may have been a follower when it came to certain legislation. How do you see the case of our Digital Personal Data Protection Act when you compare to laws in the West, especially Europe’s GDPR. Is our law specifically tailored for the needs of a large online market like India which also has numerous use cases?
nThe world has taken India’s law very positively, and certain features have been the highlight. First, we have a principles-based law, instead of a prescriptive law. Second, it is digital by design implementation. Third, the fact that the local languages have been given importance, the fact that access to justice will be so well defined and so democratised, the fact that a very graded approach has been provided. Also, the principles are so well codified that whosoever implements it will find it very clear on what should be the path of implementation. So, those are the things which the world has noticed.
There have been critics to your law, who say the government gets a backdoor entry through ‘exemptions’ so that you can control the platform and narrative, and access citizen data at will?
nWe have had very extensive consultation on this bill. A met around 48 organisations, and had meetings where sometimes over 100 people were present that included senior professionals from a variety of organisations. Everybody appreciated, the precise exemptions that we have kept in the law. GDPR has 16 exemptions, we have only four. So the exemptions are very well within the constitutional boundaries set in the country. These are reasonable restrictions around questions of national security, public order, crime investigation. These are very well-established exemptions in the world and within the framework of the constitution. So, the criticism is unfair, firstly, and secondly, it is unfounded.
We met industry participants, civil society groups, and a significant number of people appreciated the legislation.
Tech giants – global or Indian – and even other data collectors have often been reluctant to follow the privacy rules. There have been cases of manhandling of data. Do you think they obey to the new guidelines and regulations?
They have the accountability of protecting citizens data. And that has to be strictly followed. There should not be any compromise on that. The law has been designed to make sure that citizens’ rights are protected… Rights of citizens vis-a-vis Big Tech have to be very strongly implemented.
The law provides for transfer of data, except countries that government may prohibit. How does this work, especially when sectoral regulators may have a differing view?
We have created a framework in which whether the data resides in India or is outside, the law has to be implemented, its principles have to be followed, and protection has to be given. Over and above the basic principles and the obligations and the rights, there will be sectoral regulations. This is a horizontal law, it applies to all sectors. There will be sectors like the financial services sector, like the health sector, which will have their individual requirements. So, these verticals which sit on this horizontal will be additional regulation. For example, RBI mandates that payment data should be localised. And that’s very much possible within the framework of this law. Let’s say, the health sector says certain data cannot be transferred out, so that’s very much possible.