Meet the expert: Sriya Sridhar to speak at Last Thursday in Privacy

Broadcasting on January 26, Last Thursday in Privacy is a livestreaming experience that takes international audiences to the edge of today’s digital landscape.

Based in India, Sriya Sridhar is a lawyer with a focus on Tech, Fintech, Privacy, InfoSec and Regulatory Compliance. Sriya will appear exclusively at Last Thursday in Privacy to discuss India’s Personal Data Protection Bill (PDP) and its implications for business.

We caught up with Sriya for more about her professional journey and the issues up for debate in her forthcoming session at  Last Thursday in Privacy.

Could you outline your career pathway so far?

I grew interested in IP and technology law during my undergraduate degree in India. I was fortunate enough to be able to take this interest forward through research assistantships with professors working in the field, a summer program in International IP Transactions at Bucerius Law School, Hamburg, and internships at boutique law firms specializing in these areas. 

At the time, India’s regulatory ecosystem governing technology law was seeing a lot of change (and still is), and consequently, a lot of debate on key issues like intermediary liability, platform regulation, and indeed the effectiveness of such regulation when a large portion of the country (especially women), continue to be left out of access to basic technology like internet access. 

The chance to investigate these issues from a corporate and social perspective solidified my desire to become a technology lawyer. Upon graduating, I spent two years at a leading law firm, where I got to advise some of the largest corporations in India on how to keep up with the fast changing regulations governing emerging technologies including GDPR compliance. 

I also had the chance to assist in advising governmental committees constituted on the improvement of e-courts and surveillance reform, as well as assist a state Government with the drafting of its Cybersecurity Policy. This gave me invaluable insight into the ground realities of the digital divide, and the limitations of traditional legal concepts in the regulation of new tech. 

Subsequently, I moved to an in-house role at Setu, a fin-tech API infrastructure company, where I am gaining significant exposure into the business and product side of the tech space, in what is possibly the most regulated industry in the world. 

The interaction of law, business, tech and regulation is fascinating to me, and I’m now working on some cutting-edge issues unique to the Indian fintech ecosystem such as the Account Aggregator framework, which I hope will give me a more holistic understanding of how innovation and regulation coincide.

Could you summarise the implications of India’s Personal Data Protection Bill for data protection standards in India?

It’s key to note that we don’t know the final form that the data protection law in India will take, which makes any answer speculative based on the contents of this draft and previous iterations. 

A big change in this draft is that it is less prescriptive, with a lot of detail left to subordinate legislation and standards which may be prescribed in future. As a result, the short answer is that there is a significant amount of ambiguity regarding the implications for data protection standards in India. 

There is definitely a higher standard in relation to the gathering of explicit consent, privacy notices (including the requirement to make these available in all Indian languages) and restrictions on the processing of personal data unless a purpose is clearly specified. 

However, there has been criticism that these have been diluted when compared to previous drafts of the Bill, especially when one looks at the provisions in relation to the processing of children’s data and employee data. There is definitely a need for more clarity and detail in the Bill - however, on the flipside, one may argue that this provides different industries with more freedom to adopt standards which they deem appropriate depending on their use cases.

Could you identify some of the main challenges and opportunities this bill presents for business?

Among the key challenges this bill presents, is the creation of a balance between the individual right to privacy, and the access to personal information that businesses need for product development. 

Of course, some sectors like fintech and financial services have a more focused approach to data collection than others, which are already also governed by sectoral regulators (such as the Reserve Bank of India). 

Navigating this fine line, while also keeping track of subsequent notifications and requirements flowing from this Bill, will definitely pose a challenge from a compliance perspective. Doing away with classifications of personal and sensitive personal data, and navigating the new concept of ‘deemed consent’ and the increased compliance requirements for ‘Significant Data Fiduciaries’, will also be challenging, among other provisions. 

As far as opportunities go, several businesses, especially in highly regulated sectors like financial services, have long been requesting for any regulation at all to make operations and compliance requirements clearer. The fact that we may have a regulation in the first place, is in itself an opportunity for less friction in the market and measured innovation. 

Several businesses are also viewing the reduced prescriptiveness of the latest draft as an opportunity for industries to be able to arrive at the standards which suit them. An interesting take I’ve heard in terms of opportunity, is also that businesses in sectors such as health-tech and fintech would also be using this Bill as a chance to market their services as the most compliant and as prioritising consent over others - which will be an interesting turn in the Indian market.