The Central government recently released its draft Digital Personal Data Protection (DPDP) Rules, which provide for enforcement of the data protection law. The draft Rules are open for public comments till February 18.

In this exclusive interview with Bar & Bench's SN Thyagarajan, Mathew Chacko, Founding Partner of SpiceRoute Legal, shares his insights into the Act and the draft Rules. Chacko reflects on the significance of the legislation, its pragmatic compromises and its potential impact on businesses and individual privacy. Drawing on his extensive experience in technology law, Chacko delves into the challenges posed by the new law, its alignment with global standards and the areas requiring further refinement.

Edited excerpts follow.

Do you think the data protection law is a step in the right direction, considering the criticisms it has attracted?

Yes, I believe the new data protection law is a significant step forward. While it has faced backlash and objections from commentators and civil society, many of these criticisms stem from an expectation of perfection. The current Indian law is hopelessly inadequate. The new law is not aiming to be the gold standard of privacy and data protection, as seen in Europe, but it seeks a balance. The government had to weigh the interests of emerging businesses and the economy against personal privacy and constitutional rights.

For instance, the first draft in 2017 was very pro-individual, with high compliance requirements akin to the European Union's General Data Protection Regulation (GDPR). However, such stringent regulations have been criticised globally for imposing heavy compliance costs on startups and tech companies. In an economy heavily reliant on tech, like India - especially in hubs like Bangalore and Chennai - the government understood that jumping from no regulation to extremely high compliance would cripple startups.

The result is a well-thought-out compromise that pushes businesses to enhance privacy protections without overwhelming them. There are issues such as child privacy, but these can be addressed as the law evolves. Overall, I view this as a positive step forward.

What additional compliance requirements do the DPDP Rules impose on data fiduciaries?

I recently discussed this at a panel, and the consensus was that while compliance under DPDP is not overly expensive, it will still feel burdensome because companies have done very little so far. The law requires data fiduciaries to:

Obtain clear, specific and unambiguous consent from individuals before collecting their data. This process will involve notices and a consent requisition process, which some worry might lead to user drop-offs.

Implement reasonable security measures to protect data from theft or hacking.

One concerning requirement is holding data fiduciaries liable for the actions of all data processors to whom they provide data. However, the processors themselves are not directly held accountable, which is likely to reduce their regulatory burden. This could be a mistake but is likely too late to correct.

The DPDP Rules introduce the concept of consent managers. What role do they play?

A consent manager can be thought of as a technology-enabled "trade union" for individuals managing their data. These organisations will offer tools, likely apps, allowing individuals to track where they've given consent, manage the duration of consent, and withdraw or modify it as needed.

For example, if you've given consent to an app, the consent manager could help you revoke it or update details without having to navigate each app individually. This is inspired by India's account aggregator framework, which has already been successful in the financial services sector. I believe this concept could revolutionise consumer data management globally and serve as a model for other countries.

The draft DPDP Rules restrict children from creating accounts without parental consent. Is this practical and enforceable?

The intent is commendable, but implementation is challenging. For instance, ensuring that no child accesses an account without parental consent would require ID verification for every user. This could create significant procedural hurdles for everyone, not just children.

To make this practical, the government might need to adopt a tiered approach, similar to the Children's Online Privacy Protection Act (COPPA) in the US. Instead of applying blanket restrictions, they could target companies that specifically cater to children or pose potential harm to them. We've suggested to the Ministry that more detailed rules are required here, but it's a tough problem to solve.

With the suggestion deadline approaching, what improvements would you propose?

Broadly, we believe the law is well-conceived, but we've identified about eight or nine tweaks that could make compliance easier without compromising the law's goals. For example: the current draft Rules mandate encrypting all data, both at rest and in motion, which is prohibitively expensive even for large organisations. We are planning to suggest limiting this to sensitive or harm-prone data initially, with stricter requirements phased in over time.

Overall, I feel the law is a net positive. It's not the greatest pro-privacy law, it's not the greatest pro-company law, but it's a good first step. Over the next 10 years, you will see the growth of a privacy Bar in India.