How would you gain from India’s Digital Personal Data Protection Act?

I had the privilege of being in a panel discussion organized by ASCI (Advertising Standards Council of India) recently on data privacy, on the back of India passing the Digital Personal Data Protection (DPDP) Act, 2023. To be honest, when Manisha Kapoor, CEO and Secretary General of ASCI, reached out to me to discuss the panel, my first thought was, ‘I have merely heard about the Act, and I don’t know anything about it!’. It seemed like Manisha heard my mind-voice and said that she wants me to focus on the consumers’ (users/people) perspective, about what the Act means to end users/consumers. That is something I can do adequately 🙂

I read up as much as possible about the Act before the event, and spoke to quite a few of my friends, acquaintances, and connections to understand their perspective. But there were extremely limited consumer-centric views out there for me to mull on! So, I looked at the Act from the consumers’ lens myself and all I saw was gobbledygook, jargons, and mumbo-jumbo. Most of the Act and its interpretations flew smoothly above my (consumer-side) head. That I’m bald helped that process too – the flying ‘above my head’, I mean 😉

That’s when I started articulating my perspective on the impact of the Act for consumers without jargon by placing myself as a normal consumer (which I sure am). Here are my six observations (some of which I shared while talking in the panel discussion too) on what the Act could mean to consumers:

1. The duties of ‘data fiduciaries’, the entities that use/process our data

The entities that process data (Government, companies, persons) are called ‘Data Fiduciaries’. They are supposed to:

  • Procure our data only after our informed consent after clearly telling us what the data would be used for, by whom, and for how long.
  • Use our data only for the specific purpose for which it was procured, for a specified period (as we agreed), and remove the data after that purpose is over.
  • Protect the data from bad actors and be accountable (in the form of penalties) in case the security is breached.

So, does this mean any website or app that asks me for my phone number must clearly tell me what the number will be used for, by whom (who all, besides that website/app), for what purposes, and for how long? In simple English (and multiple language options because… this is India!), I hope, and not hidden under ‘fine print’.

This is for data that we share explicitly because we stand to gain something when we do. How about data that is automatically passed on from consumers like us to any number of data fiduciaries? This may include IP addresses as we browse, location data as we use apps, the kind of clicks we generate and what it means, among others. In many such cases, the data fiduciary may be an intermediary like a browser (Google Chrome, Apple Safari, Microsoft Edge, and so on) and not a government or a company. So, how often should a browser clarify to us about the data that it picks up from us and seek informed consent? I assume we will learn about these as the Act comes into force. My co-panelist from Google, Kunal Guha (director, Privacy – Chrome and Android) mentioned that Google has been testing this out on a limited scale (1% of users) and is actively working on making it compliant with the Act (including the European GDPR versions).

The bottom line is this: data fiduciaries should assume, by default, that they are like parents teaching their teenaged wards to drive for the first time. Would they ask them to ‘read up’ on driving techniques and theory, and push their car into the busy street? Or would they handhold them? That is the approach data fiduciaries need to take when asking us to share any kind of data, explicitly or implicitly (in the background), and ensure that we are made to understand, in the simplest possible language, what is happening and how the data would be used.

2. The rights of ‘data principals’, us… the people

Consumers (users) are called ‘data principals’ under the Act. We, the data principals, have certain rights, under this Act, and this is supposed to go beyond the pointless rights that we already seem to have under Telecom Regulatory Authority of India’s (TRAI) DND (Do Not Disturb) that work in the opposite direction – the minute we register, the system assumes that we are active and the number of spam calls increases!

The rights are:
– The right to access our data, correct it in case of discrepancies
– The right to erase our data from a data fiduciary’s (the entities that process data) database
– The right to grievance redressal. I’m assuming this is about complaining about misuse of our data
– The right to nominate a person to exercise the rights on our behalf in case of death or incapacitation. A data-will of sorts, I gather.

Stripped of jargon, would this mean I can get a categorical response from, say, Bajaj Finance (from whom spam calls keep coming to me, each time from newer numbers), if I ask them:

  • Where did you get my number from?
  • Tell me what data you have about me – all of it. Where did you get all this data?
  • Can you, for the last time, stop communicating with me?
  • If I still get a call from you after all this, how will you punish yourself after I complain?

I hope so!

3. The need for user education

The onus is on the Government and the industry to educate consumers about privacy, the role and value of ‘their’ data, and consent, in their own interest. They cannot put it on the consumers to proactively know about these things. User education is a huge part of bringing the Act alive and I hope this doesn’t happen retroactively, the way it is happening with digital frauds, UPI frauds, etc., after enough people have been taken for a ride by bad actors.

Most Indians lack any understanding of privacy, but COVID helped set the tone with ‘social distancing’, perhaps the first organized effort in India that created context for ‘personal space’ (out of a contingency). Digital privacy is an extension of that concept. Most people are still in the zone of, ‘So what if some company has my phone number? All they can do is spam. No harm can be done, right?’. With email IDs, it’s even worse: “I can block that sender, right?”. That’s how we consider even the most egregious spam – as a simple obstacle. So, there is a need for user education to start with user rights around privacy and consent.

4. What is ‘informed consent’?

‘Informed consent’ is not hard to understand. But since we have never seen it in action, it may be a challenging thing to imagine. Plus, in a country like ours where even personal space is an alien concept, it is all the harder to imagine.

Consider the recent viral clip from The Drew Barrymore Show featuring Dwayne ‘The Rock’ Johnson, for instance.

Drew asks him to do five squats while he is holding her on his back! Dwayne doesn’t get to it straightaway by assuming that her ask is enough ‘consent’. He tells her exactly what he is going to do, where he is going to touch her, and seeks explicit consent again, afresh. She understands his perspective of how he’d go about this, and consents. This is informed consent.

How would such informed consent manifest in, say, a new D2C website that we sign up for? For example, if we use our phone number (along with an OTP) to create a user account, before it processes the phone number, it must clearly spell out that the phone number will be used only once, to send us that OTP. After this use, the phone number would be removed from their system, and we would need to add a unique mode of communication (either a phone number or an email ID) to our profile.

Just because we used the phone number to get an OTP, the brand should not take that as consent to add that number to our profile. It must seek consent specifically for those two actions.
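To make the OTP flow above concrete, here is a small purpose-bound data store written as an added example for this post (it is not the Act’s text, nor any brand’s implementation; the purpose names, retention periods, user id and phone number in it are constructed assumptions). It exercises the duties from section 1 as well: a field can only be saved against live consent for a named purpose and period, it is deleted when that purpose ends or the period lapses, keeping the number on the profile needs a separate consent, and the user can export or erase whatever is held.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: purpose names, TTLs, the subject id and the phone number
# below are this example's own assumptions, not text from the DPDP Act.
OTP_PURPOSE = "otp-delivery"         # one-time use: deliver a sign-up OTP
PROFILE_PURPOSE = "profile-contact"  # ongoing use: keep the number on the profile


@dataclass
class Consent:
    purpose: str        # what the data may be used for
    expires_at: float   # agreed period (epoch seconds); data is purged after this


@dataclass
class PurposeBoundStore:
    """A field can be saved only against live consent for a named purpose."""
    consents: dict = field(default_factory=dict)  # (subject, purpose) -> Consent
    records: dict = field(default_factory=dict)   # subject -> {field: (value, purpose)}

    def grant(self, subject, purpose, now, ttl):
        self.consents[(subject, purpose)] = Consent(purpose, now + ttl)

    def has_consent(self, subject, purpose, now):
        c = self.consents.get((subject, purpose))
        return c is not None and c.expires_at > now

    def put(self, subject, name, value, purpose, now):
        if not self.has_consent(subject, purpose, now):
            raise PermissionError(f"no live consent for purpose {purpose!r}")
        self.records.setdefault(subject, {})[name] = (value, purpose)

    def purge_purpose(self, subject, purpose):
        """Purpose fulfilled: drop the data and the consent that backed it."""
        fields = self.records.get(subject, {})
        for name in [n for n, (_, p) in fields.items() if p == purpose]:
            del fields[name]
        self.consents.pop((subject, purpose), None)

    def purge_expired(self, now):
        """Retention sweep: remove data whose agreed period has lapsed."""
        for (subject, purpose), c in list(self.consents.items()):
            if c.expires_at <= now:
                self.purge_purpose(subject, purpose)

    def export(self, subject):
        """Right to access: every field held, with the purpose it is held for."""
        return dict(self.records.get(subject, {}))

    def erase(self, subject):
        """Right to erasure: drop all data and consents for the subject."""
        self.records.pop(subject, None)
        for key in [k for k in self.consents if k[0] == subject]:
            del self.consents[key]


def begin_otp_signup(store, subject, phone, now):
    """Step 1: the number is taken only to deliver one OTP; consent is scoped to that."""
    store.grant(subject, OTP_PURPOSE, now, ttl=300)          # five-minute window
    store.put(subject, "phone", phone, OTP_PURPOSE, now)
    otp = f"{secrets.randbelow(10**6):06d}"
    digest = hashlib.sha256(otp.encode()).hexdigest()        # server keeps only a hash
    return otp, digest                                       # clear OTP goes to the user


def finish_otp_signup(store, subject, submitted_otp, digest):
    """Step 2: verify, then delete the number because its only purpose is over."""
    ok = hmac.compare_digest(hashlib.sha256(submitted_otp.encode()).hexdigest(), digest)
    store.purge_purpose(subject, OTP_PURPOSE)   # purge whether or not the OTP matched
    return ok


def add_contact_to_profile(store, subject, phone, now, consented):
    """Step 3: keeping the number on the profile needs its own, separate consent."""
    if consented:
        store.grant(subject, PROFILE_PURPOSE, now, ttl=365 * 24 * 3600)
    store.put(subject, "phone", phone, PROFILE_PURPOSE, now)  # raises without consent


def run_demo(now=1_700_000_000.0):
    """Walk a constructed user through the flow and report what was held at each step."""
    store, user, phone = PurposeBoundStore(), "user-1", "+91-00000-00000"
    otp, digest = begin_otp_signup(store, user, phone, now)
    held_during_otp = store.export(user)["phone"][1]         # 'otp-delivery'
    verified = finish_otp_signup(store, user, otp, digest)
    held_after_otp = store.export(user)                      # {} : number deleted
    try:
        add_contact_to_profile(store, user, phone, now, consented=False)
        kept_without_consent = True
    except PermissionError:
        kept_without_consent = False
    add_contact_to_profile(store, user, phone, now, consented=True)
    held_on_profile = store.export(user)["phone"][1]         # 'profile-contact'
    store.purge_expired(now + 400 * 24 * 3600)               # a year has passed
    held_after_expiry = store.export(user)                   # {} : retention lapsed
    return dict(verified=verified, held_during_otp=held_during_otp,
                held_after_otp=held_after_otp, kept_without_consent=kept_without_consent,
                held_on_profile=held_on_profile, held_after_expiry=held_after_expiry)
```

The design point is that the purpose travels with the stored value: `put` refuses data without live consent for that exact purpose, `purge_purpose` runs as part of finishing the OTP step rather than as an afterthought, and `purge_expired` is the retention sweep that honours the period the user agreed to. Run `run_demo()` to see the number present only during OTP delivery, absent afterwards, rejected when the profile step has no consent, and gone again once the agreed period ends.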

5. The role of the Government

I would like to see the Government of India following the Act’s principles in letter and spirit, as an example to the private sector. It’s a hard ask, at least going by the recent baffling spam by the Government in the name of seeking suggestions for ‘Viksit Bharat’, an outright spam on WhatsApp that went to many people even outside India. Such transgressions would mean that the industry would be callous about data privacy too, hiding behind the Government’s lackadaisical attitude.

6. First-mover advantage

The Act offers a fantastic opportunity to progressive brands and organizations to be first movers in how they seek consent and process data. Considering that we users only know bad/substandard examples of our data being handled, a brand could take the lead and offer newer, more thoughtful ways in which it handles our data, and in ways it seeks permission to do so.

This is limited only by the brand’s (or its agency’s) imagination. But there are examples of this in other areas already. Think of food brands that highlight ingredients up front, instead of them being hidden in small text on the back. Or products that proudly display their low sugar content, against the tide of food brands that not only overload sugar but also hide it under complex jargon.

This is not hard to do. At a coffee store, the barista could proactively tell you that the cup of coffee that you are going to pick is extremely hot so that you are better prepared. They could do this because they genuinely care, or they could do this because they want to avoid a lawsuit (more common in the US than in India) after a customer burns their finger/tongue. The former is an example of good, thoughtful training.

Similarly, privacy by design is good practice when it comes to the Act. It would start with brands and the Government not using or selling people’s numbers for any purpose other than the one they were sought for. Right now, the default is perhaps the extreme opposite – have data, will abuse it, and sell it to all and sundry.

To be sure, the full implication of the Act will manifest only after it is fully enacted, and all the details released in public domain. And it is just around the corner:

The Government and brands would then need to align themselves in ways that they are compliant. We, as data principals, should see tangible differences in how data fiduciaries seek our consent and process our data. It may not be smooth in the beginning, or for a long time, given how callous India has been in this area. But it would definitely be interesting, with a lot of exceptions, use-cases, outrages, mistakes, and first movers making a lot of news!
