00:08
Adam Stofsky
Hey, everyone, this is Adam from briefly. I'm here with prover Roy Choudhury, who is calling in from where? Delhi? Bangalore.
00:16
Probir Chowdhury
Bangalore.
00:18
Adam Stofsky
And we're going to talk today about India's new privacy law, which is kind of a big deal. So, Probir, can you introduce yourself and tell our viewers who you are?
00:29
Probir Chowdhury
Yeah, sure. Thanks, Adam. Thanks for having us over on this platform. My name is Prabhi, and I'm a partner at a law firm india called JSA. I've been in practice for the past 19 years. I'm primarily a tech lawyer, which basically means I do all the geeky stuff, but the non fun part of it. I do all the legal part of the geeky stuff. Part of my focus is to help a lot of clients in the tech space who are looking to expand to India, rolling out product services and help them regulate and figure out how to basically work through the laws india, which are constantly changing. And we are a developing country. So that's me in a nutshell, Adam.
01:14
Adam Stofsky
All right, so let's talk about this new law. So, I don't know if everyone even knows that in. We're recording this in late 2023. And earlier this year, India passed a new privacy law. So can you just give us the overview probeer, what is this law called and what does it do and why is it important?
01:35
Probir Chowdhury
Right. So the law is called the Digital Personal Data Protection act. It's a mouthful, and we just love calling it the DPDA. The DPD, depending on, you know, what's your jam? The law really came into play. There's history to the law. The law came into place because in 2017, the Supreme Court, which is our apex court india, came out with a judgment. And this is the first time india that a court of law has given recognition to an individual's right to privacy. Privacy as a concept wasn't well defined, wasn't well laid down. Of course, our Constitution of India recognizes an individual's right to privacy. But this judgment, it's called the Putraswamy judgment, actually talked about an individual's right to privacy.
02:25
Probir Chowdhury
And since then, the government was mandated to come out with a law which actually helps regulate, govern, and gives protections to individuals and their rights towards their personal data. The government came out with many reports. In between, there were committees formed. The Sri Krishna committee report was the most famous report which actually laid down the Genesis overview, the entire plan for which how citizens would be able to control their data. The fail was that big corporations were collecting data processing data. And individuals did not have a right to control what was happening with their data. This was really to empower individuals to, you know, have access to the data, know what's happening with their data, and to have some control over their data. The DPD bill actually went through many iterations. You know, the government came out with a version.
03:26
Probir Chowdhury
They went for consultation, a lot of feedback. Big tech were pushed back, the lobbyists pushed back. But eventually, after many years, we finally came out with a bill. And that bill is what got enacted into law. And that is really what the DPDB is all about. And it's funny, because while you may imagine it's taken us so many years to actually get to a law, we have a law in place. It's been enacted. But if you ask me right now, that is it in force. Is that what currently regulates and, you know, helps me and my colleagues and my fellow citizens have a right to data? The answer would be no.
04:07
Probir Chowdhury
And the answer would be no, because the law actually empowers the government to come out with prescriptive rules which will define how data will be collected, processed, and all of that is yet to be enacted. And as that eventually gets enacted, the law will come into place in a phased manner. So, in a nutshell, there is a framework. You have the guardrails. You know, what is it that you have right over? And now the next phase is the implementation figures. So that's where we are on India's DPD.
04:41
Adam Stofsky
Interesting. So the DPD is sort of a very broad. A broad piece of legislation. And now I'm assuming there's some kind of agency that's going to work on essentially putting forth all the rules, is that right?
04:54
Probir Chowdhury
That's right. So the government has been the one which will actually, you know, have the power to prescribe the rules. We'll have a enforcement board, which will be the data Protection Board, which is the first thing the government is currently looking to set up. Because before this, Adam, believe it or not, that we have been working india, we have companies who have been collecting data, and there is no data protection authority. Other countries have a data protection authority, and we don't really have one. So the first thing which is being done is to set up a data protection board, which will be the authority, which will actually monitor and actually give everyone a rap on their knuckles if they don't actually follow the law. So that's what is currently the status.
05:37
Adam Stofsky
So would you say so when you're advising companies who might want to do business india or sell to indian customers. Is this kind of a good moment? Because this law is. Everyone's on notice. This law is here, but there's still time to develop an understanding of exactly what it's going to require. Yeah, go on.
05:56
Probir Chowdhury
No, it's a good question. And, you know, it's interesting because a lot of the global conglomerates that we work with, they've already been working in Europe. And if you are a global company and you've been in Europe, you know, the GDPR prescribes. So most companies have a sense of what it is to work in a country, be regulated by, you know, personal data protection laws, consent. These are not alien concepts. The only difference is india now, you have to now look at the differences and start figuring out what you need to comply with. Because it was a wild west india, right? People without really following process and procedures. And now they just need to understand that even for India, there is a process, there is a consent mechanism, there is a process you need to follow.
06:44
Probir Chowdhury
So my advice to most of my clients is if you are GDPR compliant, agreed. Let's do the gap analysis. If you're not, let's figure out and see where you are, how you're collecting data. And what does the DPG regulate? It basically regulates personal data. And unfortunately, this version of the law does not have a categorization or a list of what is personal data, because I'm sure your next question would have been trobed. What do you mean by personal data? Like, is that a catch all provision? And unfortunately, the answer is yes. Personal data is anything to do with me or any of the individual. There is no subcategorization.
07:25
Probir Chowdhury
And that's why it becomes even more tricky, even more important for organizations to realize that, you know, it's not that they only regulating a subset of personal data like the GDPR, but it's everything about an individual. All the more reason for you to be more aware of what the law says.
07:43
Adam Stofsky
So let's assume for a moment our viewer doesn't know what the GDPR is. You're just, in very broad strokes, explain what exactly this law does and requires companies to do with respect to that. Personal data very generally, yeah.
08:00
Probir Chowdhury
So what does it say? The law says that if you're an organization and if you are offering products or services to India, or you're india and you have a presence india, and you end up collecting data of citizens of India. When you say data, it would mean my name, my phone number, my email address, my bank details, my credit card details. When I make a purchase, you have my address, you have my preference. Anything about me which you collect, you need my consent. You need my consent to connect it. That consent has to be very specific. It can't be broad. It can't be vague. If you plan to use my data for cross selling, you better ask me and you take my consent for that.
08:48
Probir Chowdhury
If you want my data to analyze and subs and sell me another product offering that you may have, you take my consent. So the consent has to be specific. You use my consent, you collect my data, you tell me how you're going to process it, and yet you allow me the right to come back and check that data is accurate. You allow me the right to come and withdraw my consent and say I want my data deleted. That's what, really the law is all about.
09:16
Adam Stofsky
That was a great summary of just general privacy law concepts, actually. I like that. Thank you, proveer. So a couple more questions on this. Just about applicability. So you said this applies to people selling to customers india or companies that have operations india. So can you be on the hook for this law without really intending to, like, let's say I sell some kind of digital product. I sell a SaaS subscription or maybe I sell, you know, some kind of digital file something or even a physical product. And, you know, just up on the Internet and people are buying it. And some customers India buy it. And I have their data. I have their credit cards, I have their name. Maybe I have other data. Am I on the hook potentially for this? Can the agencies india reach my company?
10:03
Probir Chowdhury
So there are two aspects to your question, Adam. If you're a company and you are selling your services to another company, which is mostly b two B, then you potentially could be out of the hook because you are actually transacting with another company and you don't really end up collecting personal details because the law protects individuals. Right. So if you're a b two B company, you know, and of course there are nuances which probably should do the latest stage of, you know, if you are doing a b two B business, do you end up still collecting data of citizens of India? That's not. I think it's just too complicated. But the idea is b two B or exempt.
10:43
Probir Chowdhury
But yes, if you're a company in the US and you may not have a presence india, you allow someone like me to come and buy a service or a product. Yes, it applies to you, even though you may be unaware the law would apply to you.
10:57
Adam Stofsky
Right. This is why it's a big deal. This is the second biggest market in the world.
11:01
Probir Chowdhury
A lot everyone is looking at India, so definitely. Yes.
11:05
Adam Stofsky
Yeah. Wow. Well, very interesting. Thank you so much pro beer for this introduction to the DPD, which is, like we said, it's going to be a big deal over the next few years. So thanks. Thanks so much. Really appreciate it.
11:19
Probir Chowdhury
Yep. All right. Thanks, Adam. Thanks for having.
<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/914869149?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="12034_Overview India's Privacy Law: The DPD"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>