The curious case of the privacy sandbox

By Lagna Panda, Chandhiok & Mahajan

In December 2019, the Personal Data Protection Bill, 2019 (PDP bill), was introduced in parliament and was then referred to a joint parliamentary committee for review. Compared to the 2018 version, the PDP bill has undergone significant changes and provisions on sandbox and privacy by design have been introduced. Clause 40 of the bill states that the Data Protection Authority (DPA) shall create a sandbox for “encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in the public interest”. A sandbox refers to an environment where a product or service is tested in a controlled manner with relaxed regulatory norms. This concept stems from the assumption that regulations impede innovation and that there is a need to reduce regulatory oversight albeit temporarily for the sandbox in order to promote innovation.

Lagna Panda
Managing associate
Chandhiok & Mahajan

Recently, the Securities Board and Exchange of India approved a regulatory sandbox for testing new products, services and solutions by registered entities, after introducing a framework last year that set out its contours. The framework allows for provision of datasets to participants, but qualifies this by stating that the datasets shall be historical and anonymized.

The Reserve Bank of India has also allowed for a sandbox and has put in place a regulatory framework, which requires applicants to comply with, among other matters, customer privacy and data protection, secure storage of and access to payment data of stakeholders, and security of transactions. While clause 56 of the PDP bill seeks to mandate consultation by the DPA with regulators/authorities having concurrent jurisdiction, it remains to be seen how a multi-regulatory sandbox framework would play out. Aside from this, there are other issues relating to the working of a sandbox that have to be resolved.

First, the PDP bill does not clearly detail the mechanism or procedure that the DPA would have to follow to create a privacy sandbox. Without any stipulated timelines, the DPA is likely to instead focus on more urgent approvals and decision making as the PDP bill will impose a significant workload on the DPA.

Second, the PDP bill will relax certain provisions for the sandbox including those imposing purpose limitations and restrictions on the retention of personal data. The touchstone of privacy is consent. Personal data should be processed for clear, specific and lawful purposes for which data principals give their consent. To permit enterprises to use personal data without the express consent of data principals would go against the basic principles underlying the PDP bill. Relaxation of other obligations may be justified, but the obligation to seek consent should not be undermined. While it may be difficult for a sandbox participant to set out the exact and specific purpose for which consent is taken, a template or model form can be provided whereby data principals can give consent for use of their personal data in the sandbox.

Third, the PDP bill specifies that any data fiduciary with a privacy by design policy certified by the DPA, would be eligible to apply for inclusion in the sandbox. As per clause 22, every data fiduciary would have to have a privacy by design policy. The clause also sets out the particulars that such a policy should contain and states that the DPA would approve a privacy by design policy adopted by every data fiduciary. Given the number of data fiduciaries operating in India, this process would be protracted. It may be pragmatic to set out the broad contours of privacy by design that data fiduciaries must adopt, instead of having an approval-based regime that would increase the burden on the DPA as well as prove to be a compliance burden on data fiduciaries.

Lastly, the privacy by design clause of the PDP bill is limited to data fiduciaries and does not apply to data processors. This is in line with the European Union General Data Protection Regulation (GDPR), which requires data controllers (the GDPR equivalent of data fiduciaries) to provide for sufficient safeguards. However, in the “data protection by design and by default” guidelines that were adopted in the EU for public consultation in November 2019, it is noted that data processors and technology providers can rely on these guidelines to develop GDPR-compliant products. This raises the question of whether data processors with privacy by design policies should be treated differently from other data processors particularly in the context of a privacy sandbox.

Thus, while the intent of the legislature is commendable in trying to give statutory backing to a concept that promotes innovation, finer aspects of a privacy sandbox would need serious deliberation for it to become a success.

Lagna Panda is a managing associate at Chandhiok & Mahajan.


Chandhiok & Mahajan
C-524, Defence Colony
New Delhi – 110 024

Mumbai | Bengaluru
Contact details
Tel: +91 11 4163 0033
Fax: +91 11 2433 9075