By V Sridhar*

Data protection regulations in India have recently suffered several setbacks. The Personal Data Protection Bill was introduced in India’s lower house on December 11, 2019. But the government withdrew the bill after India’s Joint Parliamentary Committee came up with 81 amendments and 12 recommendations. A new bill with a more comprehensive framework, including modern digital privacy laws, will be released soon.

The Indian government needs to consider some challenges and opportunities before the new law comes to fruition. The first challenge is to reform the strict but ambiguous data localization regulations proposed in the previous bill, which restrict cross-border flows of Indian residents’ data by requiring the use of servers located in the country.

New Delhi says data localization protects consumer privacy, improves state access to sensitive data to protect national security, and ensures law enforcement has access to data to detect financial fraud. But general restrictions on cross-border data flows affect the provision of digital services to consumers.

Strict data localization regulations can reduce the international competitiveness of Indian service providers by hampering their ability to provide consumers with best practices and technologies. India’s IT industry benefits from the free flow of cross-border data. Data localization can create a “data honeypot” – a concentration of information in one geographic location that increases the risk of data breaches and cyberattacks. Concerns about over-tracking and government data surveillance are also not unfounded. The negative impact of data localization on the export of information and communication technology services is well documented.

The Indian government should review data localization regulations so that they do not hinder digital commerce. One way to address this issue is to create a “trusted network” of countries with which India can engage in cross-border data transfers, including signing bilateral or multilateral agreements with the European Union, the United States and Quad countries.

Exemption clauses in the old legislation allowed the state to access personal information in the name of national security, subject to proper authorization. But more often than not, these exemptions tend to be overused. Data subjects often have no means of remedying the misuse of their data other than going to court, as shown in the Puttaswamy vs. Union of India case in 2012.

The exemption clauses of the original bill must be clarified. Ambiguity in the definition of the terms ‘grossly offensive’ and ‘threatening’ in clause 66A of the Information Technology Act 2000 led to the arrest of two girls in Mumbai. The Supreme Court of India struck down clause 66A in the case of Shreya Singhal v Union of India in 2015. Well-defined privacy principles should mean that the state is treated like any other data trustee to protect the privacy of data subjects.

There is also a lack of enforcement of data laws and regulations in India. Although the bill, like the European Union’s General Data Protection Regulation (GDPR), specifies penalties for misuse of data, Indian regulators often lack the capacity and resources to verify the regulatory compliance of data trustees and apply sanctions in case of non-compliance.

The Personal Data Protection Bill has also been criticized for its proposed Data Protection Authority (DPA). The DPA was to be made up of government officials only, with the Cabinet Secretary as chairman. This would make the DPA inseparable from the executive branch of government.

It is time for the Indian government to put in place adequate privacy audit capacity, either by itself or through public-private partnerships, to ensure the protection of data subjects. The DPA should be an autonomous entity composed of a diversity of privacy experts from government, academia and industry. The GDPR requires its supervisory authority to be financially and administratively independent from the government, with members having no conflict of interest in the operation of the authority.

India’s governance framework for non-personal data (NPD) is also important. NPD is loosely defined as data that does not identify specific individuals. Many countries recognize NPD as a digital public good to be made available to the public and private sector. India was one of the few countries in 2020 to provide a legal basis for establishing NPD rights – defining possible NPD sharing models for social and economic value creation and associated regulatory mechanisms.

India’s Joint Parliamentary Committee has proposed to regulate personal and non-personal data under one law. Although there has been resistance from data trustees about information sharing and the right to use NPD, the government should include an appropriate NPD governance framework to unlock the value of NPD for the safety and well-being of society.

Despite possessing one of the largest Internet subscriber bases in the world, India has wasted valuable time in enacting an omnibus privacy and data protection law. This is one of the reasons why India is not on the list of countries that meet the European Union’s data protection adequacy standards. For data trading to thrive, New Delhi needs to fast-track the Privacy and Data Protection Bill, bringing India closer to complying with the European Union’s GDPR data protection requirements.

*About the author: V Sridhar is a professor at the Center for Computing and Public Policy, International Institute of Information Technology, Bangalore.

Source: This article was published by East Asia Forum