Now that the law is done and has got presidential assent, everyone is thinking of the rules because that is really where the rubber hits the road. Where are we with the rules? When can we see them?

The rulemaking is going on in parallel. The rules will also be in very clear language, they will be agile and with an ability to change with technology. They will be as straightforward and simple as the law is. Our prime minister has democratised technology by taking it to the poorest of the poor person and to the far-flung areas where digital services are being given to people at the bottom of the pyramid. The implementation of the law and the rules framework will follow the same Principle.

Also Read: Legal framework for privacy as RS clears digital data bill

You should be able to see the rules in Parliament within the next few months. Work is also going on for the digital-by-design implementation structure, and also on setting up the independent Data Protection Board. In the coming few months, you’ll see a lot of activity on the implementation.

Tell us a bit more about the board’s selection.

If you look at the provisions (in the act), they make it (the board) very independent. I’ll give you an example: TRAI (telecom regulatory authority of India). Many say that’s the golden example of an absolutely independent body. Its chairperson and members are appointed by the government, but its terms and conditions, and everything it has to do is clearly written in the law itself — the letter and intent. Both these are also clearly specified in the case of Data Protection Board. [Also specified are] the counts of the member, the period for which they are appointed, the obligation to disclose if they have dealt with any particular subject, the cooling off period. Mostly it will have people who understand digital economy and understand the nuances of digital economy, those are the type of people that will be selected.

Also Read| Explained: Digital Personal Data Protection Bill

So you’ll have to look outside [of government]?

Of course.

Is there a sector-specific or nature-specific classification of fiduciaries or data processors you are looking at when you lay down the rules?

The Puttaswamy judgment basically puts a test of proportionality. An ordinary data fiduciary, a significant data fiduciary, a startup which is trying a new product, and let’s say a fiduciary dealing with children’s data — they will all be treated as separate classes.

There is a set of principles which apply to everybody, and then there are over and above that certain extra principles which have to be followed by these classes. So, that will be reflected in the rules. But we must keep in mind in our constitutional and parliamentary structure, every rule that you make has to be within the four walls of the law.

The protections for children includes clauses on behaviour tracking, which is a privacy concern. This has also been a legitimate concern for adults when it comes to Big Tech. Are you planning additional obligations on these players, or significant data fiduciaries as you classify them, on behaviour tracking for adults in this regard?

The seven principles very clearly lay out what data can be taken, what data can be used, how much of it can be used, and for what period it can be used. If some behaviour tracking data is being collected which is not required for the purpose for which data was collected, then that will become illegal.

Anything beyond the consent framework for which a citizen has given data will be illegal. So, there will be big accountability that will come for Big Tech, all social media companies.

One of the problems that people face during consenting to sharing data is that they are presented with long texts with a mere ‘I agree’ option at the end. And most tend to accept what are often broad terms. How do we expect this to be addressed?

The consent framework has been dealt in good detail in the law. It has to be fair and reasonable. It has to be in simple and plain language. And when we write the rules, we’ll make it itemised so that you don’t read a long list, a long text and do get to find out exactly what data is being taken.

Then the need to construct notices in 22 languages because our Prime Minister believes in democratizing technology. So, a person who understands only Tamil should also be able to get the entire construct in Tamil, or a person who understands only Maithili should be able to see in Maithili what information is being asked.

When you had your consultations, what was the response of data fiduciaries?

Most data fiduciaries basically said we are well prepared for this law because we have implemented this law in other geographies already and after the Puttaswamy judgment, we are also prepared for India. But there will be significant behavioural change. People will become more careful. Business processes will change, accountability will become very stringent.

On protection of children, when we say verifiable consent and age verification, do you have feasible options that can be implemented?

Yes, certainly we have feasible options. This is one problem that many other countries also faced but we are fortunate that we have such a good digital public infrastructure, which started with the launch of Digital India, and the further development of so many constructs like Aadhaar, online authentication, Digilocker. These are constructs that gives you an ability to do any verification online, seamlessly, which many other countries cannot. So that’s why they were facing this entire problem of verifiable parental consent.

In case of children, there’s another important point that we have kept graded regulations. So, for a child using educational applications, the regulation on those apps will not be as stringent as let’s say, on online games apps, in which the element of violence that can be put in is such that children’s behaviour can change.

Will there be a white-listing of apps?

Everybody has to follow basic principles and over and above that, certain extra obligations are put in for certain classes. And some exemptions are being made for some classes. For example, somebody wants to set up a new digital credit solution. Now that person can make it in a regulatory sandbox and once the algorithm is prepared, and the service is launched, then all obligations kick in. So, we leave that window for innovation open so that the innovation economy is not strangulated.

Tell us a little about the thinking behind Clause 37, that has to do with blocking of a fiduciary held in violation of provisions of this law by the Board. This is also one of the points of contention and is an entirely new clause after the 2022 draft. Why was its need felt?

There will always be people, platforms that might repeatedly violate citizens’ privacy. If somebody violates citizens’ privacy first time, you put a penalty, the penalty is paid, some rectification has happened but then again there are violations. And let’s say this company has an ability to keep paying a lot but it does not want to protect citizens’ privacy — what should be the recourse? There has to be a recourse to this situation in which, after hearing the company and after having followed all principles of natural justice, there has to be a stronger option where such service is disallowed or blocked. Otherwise, how will you protect citizens?

You mentioned how India’s law has fewer exemptions than Europe’s GDPR. But one important ring-fencing the GDPR does is qualify all exemptions with the need for them to be “necessary and proportionate”– a principle also contained in the Puttaswamy judgment. Is that something in consideration for the rules?

It’s there in the law itself. It put the principle of proportionality in good enough words, exactly in line with what Puttaswany judgment asked us to do. Legality, legitimacy and proportionality. All the three principles are clearly defined in the law itself. Rules cannot go beyond the law.

Continuing on this proportionality aspect, the fear is that the exemptions given especially for government purposes, are sweeping.

The exemptions given for government purposes are exactly in line with our Constitution. Constitution has carved out national security, friendly relations with the countries, public order and investigation of crime, incitement of crime — those things are carve-outs in the Constitution itself. For every society, these kinds of reasonable restrictions will have to be put in place to protect citizens. And since the Kesavananda Bharati case, there is a whole bunch of case laws, a whole bunch of Supreme Court, high court judgments that define how reasonable restrictions will be implemented. That is the philosophy that we have gone by.

So, this is a big legislation done after a long wait. The next ones are Digital India and amendments to the telecom bill. Can we expect those before the 2024 elections?

Yes, there is good progress there. Digital economy needs a new framework. Our Prime Minister’s objective is to create a framework that can take into account the changing technology and which should be able to adapt itself even when technology changes. And the focus is always on democratizing technology so that access to all these services is available to every person in every strata of society. Democratising technology is a very important theme that runs through all these legislations.

The new law has easier data localisation norms than what was originally conceptualised.

Every sector will have its own requirements, health sector will require some type of regulations, financial services will require another type of regulations. Other services which are of different nature will have their own set of regulations. So, we have created a basic framework in which the principles are applicable to all over and above that if you want something sectorally then you get those regulations in place.

What is the response of the multinational firms?

We found generally very high level of acceptance to the principles-based approach rather than a prescriptive approach. And all the principles laid out are well accepted. The framework of an independent Data Protection Board was highly appreciated. In fact, many participants of the Indian IT industry said they will get a very powerful lever for growing India’s IT sector. Because they felt that in the absence of a law, many countries don’t want to have their data processed here. Now, they will also feel very comfortable getting the data processed here