The government of India has a target of reaching a $5 trillion economy by 2024, which will be fuelled by the growth of an interlinked and interdependent digital ecosystem. As per news reports, the Personal Data Protection Bill, 2019 might be tabled in this winter session of Parliament, an important milestone towards protecting user data while enhancing innovation.
The bill will not only enhance the level of data privacy offered to Indian citizens, but it must also protect their data from snooping and illegitimate access, as well as secure it from hacking and illegal surveillance, which is especially important in light of the Pegasus hacking scandal.
A tight framework with heavy criminal liabilities would act as a deterrent to investments in the digital economy. The Personal Data Protection Bill framework must be evolutionary and incremental in nature, so as to adapt to fast-paced changes in technology. Moreover, the wide range of functions of the proposed Data Protection Authority (DPA) and the power of the government to pass binding directions on the DPA with respect to policy are a concern. There must be scope for parliamentary and judicial oversight with respect to the adjudicatory powers and decisions of the DPA. The heavy-handed provisions providing the DPA with almost police-like powers and the 30-month incubation period are a red flag.
Additionally, the bill, under reasonable purposes, will allow exemption of an individual’s consent for processing data. Such exemptions must be narrowly and well-defined within a tight framework, which might include national security, fraud, whistle-blowing, etc. The bill must not allow a back door for agencies to access data in lieu of exemptions just because such exemptions might be defined vaguely, as that could be a recipe for surveillance. In cases where an individual’s consent is bypassed and her data is accessed by law enforcement agencies, such a process must also have clear checks and balances to prevent misuse of such power by authorities.
Interoperability with global privacy standards while allowing free flow of data
Countries globally are working to develop and implement data privacy frameworks that can adequately protect data of their citizens, while also allowing data to flow across borders in ways that support trade and innovation. These frameworks encourage convergence across the region, which enables data to flow while maintaining a similar level of protection. One such example is the EU-US privacy shield, a framework that protects the privacy of user data in both jurisdictions, based on the principles of adequacy and reciprocity. India must look at enacting similar frameworks with the EU, US and other nations, to allow free flow of data across borders while protecting user privacy.
With the new law, however, India’s data protection standards are expected to be enhanced, which will bring India closer to an alignment and harmonisation with international standards and laws on data protection, taking a step forward towards making India eligible and compliant to enter into such frameworks. This could subsequently allow India to be a part of another cross-border multilateral privacy framework, the APEC Cross-Border Privacy Rules (CBPR), that allow free flow of data between member states while ensuring that user data is protected and privacy is maintained.
The APEC-CBPR system is a fast-growing cross-border transfer mechanism for the entire APEC region, which comprises 21 member economies and more than half of the world’s population and economy. With the new law, India will be in a position to negotiate and agree on a transfer mechanism to enable future interoperability with the APEC region. However, such interoperability aspects must adhere to adequacy and reciprocity measures for both negotiating parties, which means that India will have to deploy strong privacy standards that allow free flow of data, and it’s important that the data protection bill complies with such reciprocity measures.
Bilateral and multilateral agreements for data access for criminal investigation
Moreover, for law enforcement agencies from India to access data, the new law will allow India an opportunity to engage with countries such as the US under the CLOUD Act, which is also based on certain adequacy requirements, such as “robust substantive and procedural protections for privacy and civil liberties in light of the data collection” and “sufficient mechanisms to provide accountability and appropriate transparency regarding the collection and use of electronic data”. A similar engagement under the Budapest Convention can also be looked at, which seeks to address cybercrimes through harmonisation of laws of member nations.
Data sharing, a better and more productive alternative to data localisation, allows for an increase in transparency, for creation of dependable sources and channels of data sharing between law enforcement authorities and foreign service providers.
Non-personal data in Personal Data Protection Bill?
A new addition that seems to be emerging in the latest iteration of the bill is access to non-personal data for ‘planning’ purposes. First, the bill seeks to regulate personal data, so asking regulators to regulate non-personal data in the personal data bill is procedurally flawed. Second, the IT ministry has already constituted a committee to regulate non-personal data in India, so to bring it within the ambit of personal data bill amounts to an incoherent approach in policymaking that could confuse businesses and investors alike.
If the policymakers are seeking greater access for law enforcement and ‘development’ purposes, then it is critical that a due process of law is in place to facilitate access through defined mechanisms, including checks and balances to prevent misuse of such data.
Don’t fix what’s not broken
In its hot pursuit to unleash data for public good, the government risks discouraging innovation and investments in India’s digital sector. On one hand, there is free data that is available for fiduciaries to process. For example, geospatial data, soil data, etc, are available in the public domain and can be accessed by any institution, processed and used to create and deliver services.
On the other hand, data that is collected and processed by organisations is IP. The real point lies in developing services for Indian customers and providing an enabling platform for micro-entrepreneurs to thrive. While doing so, companies collect and process data, develop better insights, and subsequently, provide better services. Such insights, therefore, are a unique, valuable asset to any company that generates them. Now, if the government is mandating companies to disclose such insights, it could send a negative message to investors conflicting with IP rights. Therefore, any access framework of non-personal data must be outside the ambit of data protection law, voluntary in nature, with a proper methodology for data exchange.
The present bill is the second iteration, having been revised based on the consultation process carried out in 2018 when the first draft was released in public domain. The government should allow another round of public consultation before the bill goes through in Parliament. Moreover, if the bill is indeed getting introduced in the final session of 2019, then it must go to a parliamentary committee for further discussion, analysis and consultation. Data protection is an extremely complicated policy issue that cannot be enacted into law within just a few days of discussion. Instead, it is imperative that such a cross-cutting area of law and policy, which will have significant economic, constitutional, geopolitical and commercial implications, is analysed to the core by experts and government officials, and only after that should it be enacted into law.
Internal harmonisation of data bill with other laws and government departments
While the data protection bill will soon become law, the next big step up must be the internal harmonisation of the law with other domestic laws and government departments in India.
With around 50 statutes and regulations identified by the Srikrishna Committee as having a potential overlap with the proposed data protection law, amending these to operate in tandem with the new overarching law will be an important step to streamline data protection within India’s legal jurisprudence and policymaking process, which will subsequently bring much needed uniformity and simplicity in the country’s data governance systems.
Harmonisation will reduce operational costs for businesses and consumers operating within India, simplify treatment towards consent requirements, bring about a strong channel for redress, awareness and identification of privacy risks as issues that will enhance user confidence in the online environment, and will reduce gaps and inconsistencies in matters of police and judicial cooperation.
(The author is founder of The Dialogue, an internet and data policy and advocacy think tank. Views are personal.)