DATA WRAPPED IN RED TAPE: EU's attempt to slash a cumbersome privacy regime has lessons for India

TL;DR

Most data privacy laws, including the GDPR, recognise legitimate interest as a legal ground to avoid unnecessarily inconveniencing businesses and consumers, and to ensure the integrity of online systems. As the DPDPA does not recognise legitimate interest as a legal basis for data processing, every time a business wants to notify a customer about a new offer or update their security settings, it will have to seek their consent. Consumers are likely to face a deluge of consent notices as a consequence.

An interesting report emerged from the EU on April 3 regarding the European Commission's plans to slash the EU General Data Protection Regulation (GDPR), its most famous privacy regulation. Broadly, privacy laws like the GDPR govern how companies doing business in a given region where the law is enacted (in this case Europe) handle the personal data of its citizens. Given that India is on the verge of implementing its own privacy law, the Digital Personal Data Protection Act 2023 (DPDPA), it should pay attention.

The EU is considering revising the GDPR because it creates a cumbersome, costly compliance regime. For instance, a study by the German Chamber of Commerce and Industry found that around 75 per cent of German businesses still had to put in high to extreme efforts to comply with the law, years after its implementation. A 2022 paper by Oxford University economists found that the GDPR shrank the profits of European businesses by 8.1 percent.

India, for its part, had reservations about the GDPR model. Though the initial draft of our privacy law closely mirrored the GDPR, reports suggest that efforts were made to ensure that the former was not as compliance-heavy as the latter. For instance, in 2022, then minister of state Rajeev Chandrasekhar suggested that the GDPR was not innovation-friendly, and a little too "absolutist".

Unfortunately, though the DPDPA differs from the GDPR, it is mostly in ways that make it more stringent, less clear, and harder to implement. For instance, the DPDPA omits legitimate interest as a legal basis for processing data without user consent. Legitimate interest allows data to be used for reasonable purposes such as fraud prevention, system security, or even marketing, without troubling users for consent each time. In the EU, even journalists rely on legitimate interest to access records for investigative reporting on financial crimes.

Most data privacy laws, including the GDPR, recognise legitimate interest as a legal ground to avoid unnecessarily inconveniencing businesses and consumers, and to ensure the integrity of online systems. As the DPDPA does not recognise legitimate interest as a legal basis for data processing, every time a business wants to notify a customer about a new offer or update their security settings, it will have to seek their consent. Consumers are likely to face a deluge of consent notices as a consequence. This may result in a situation where consumers quickly tire of having to sign off on them, and stop opting in. In turn, such consumer refusal to consent, not out of privacy concerns but largely out of annoyance, may lead to compromised security settings.

The DPDPA also does not include contractual necessity as a legal basis for processing data without user consent, making it impossible to fulfil digital transactions or services that involve third parties. Let us consider a hypothetical situation where A wants to send a gift to B. A provides B's name, address, and phone number to BHL (a logistics company) for the delivery. Now, BHL will not be able to complete the delivery because it does not have B's consent to process her data. BHL will not even be able to contact B to ask for her consent, because that would also involve processing B's personal information, and BHL cannot do this without her consent. The omission of contractual necessity will bring any business dealing with the personal data of third parties to a virtual standstill. Aside from logistics companies, and those that rely on these entities to send or import shipments, BPOs may also be implicated.

It seems that India needs to take a leaf out of the EU's book and streamline the DPDPA to better serve consumer and business interests. As a starting point, India must amend the DPDPA to include contractual necessity and legitimate interest as legal bases for processing data without consent. Without such course correction, the country risks implementing one of the world's most burdensome and impractical privacy regimes.

[This article was first published on the Indian Express website.]