Date: 2022-02-07

The government has claimed that the Joint Parliamentary Committee (JPC) recommendations on the Personal Data Protection Bill, 2019, are in line with the goal of personal data protection and robust innovation. Ministers entrusted with the digital economy have rightly refused to comment on it, but key government officials publicly defending the Bill seems to suggest that the Centre agrees with the current version.

A review of its key proposals, however, shows that the framework would strangulate commercial decision-making, bury businesses under enormous compliance burdens and perpetuate a hostile environment for innovation. An open and nimble data-governance framework is necessary for India to achieve a $5 trillion economy with the digital economy alone making up a fifth of it.

The government has argued that startups are not subject to additional compliance obligations, which are only for large businesses called “significant data fiduciaries”. Yet, the Bill’s provisions related to the consent mechanism, legitimate interest processing and data retention apply across the board, and so they impose huge regulatory costs on startups and established incumbents alike.

Unlike the position in other advanced jurisdictions, the Bill would cramp the space available to businesses for non-consensual data processing and retention. While the EU’s General Data Protection Regulation (GDPR) provides broad legitimate interest grounds for non-consensual data processing, India’s Bill requires these legitimate interest grounds to be narrowed further by a Data Protection Authority (DPA). Under the GDPR, businesses are liable for keeping such processing in conformity with the stated grounds. Once such accountability is provided for, there is no justification for placing restraints on legitimate business freedoms.

The GDPR in Europe permits retention of data in such form that does not identify the individual. Our Bill, however, proposes an inflexible rule that all data be deleted once the prior stated purpose has been achieved. This limits the ability of any new data-driven business to use it for data analytics to better its own business models or devise new ones. Businesses are also required to undertake periodic reviews to determine the necessity to retain data. Notably, the Bill also regulates inferences from personal data and the use of anonymized data. These restrictions could stunt innovation in fields like artificial intelligence and machine learning.

The Centre’s stated goal for the technology and electronics manufacturing sector is for it to reach $300 billion in size by 2025, up from $75 billion now. But it is now proposed that all hardware be monitored, tested and certified by an authorized agency to ensure its “integrity and trustworthiness” and to protect against “malicious insertion of software that may cause data breach”. This could be an obstacle to growth.

The JPC has ignored the existing testing requirements under the Bureau of Indian Standards and also telecom-equipment testing regimes, resulting in duplication of norms. Applied to a broad swathe of hardware, the proposed certification may result in a cascade of supply-chain delays. This proposal is premised on the manufacturer’s continuing post-sale liability for breaches by “malicious software”. This risk is belied by experience, as the Bill ignores real threats posed by the clandestine insertion of such software after hardware is sold through other means, such as unauthorized repairs. This example clearly demonstrates that the Bill is out of sync with the government’s policy objectives.

Under the Bill, the informed consent of individuals obtained by businesses is the primary basis for data collection and use. Businesses are liable for any breach of this, but despite this, the Bill incorporates a third-party “consent manager” registered with the DPA. The rights of individuals with respect to their data are to be exercised through this consent manager, whose involvement, however, only makes the fulcrum of the framework impractical.

Major restrictions are proposed for cross-border transfers of sensitive personal data, including financial and health data. The DPA’s prior approval will be needed for any such transfer. Transfers abroad of a narrower category of personal data considered “critical”, as defined by the DPA, will be barred.

The government contends that these are in line with international practices, including the EU’s, but the GDPR does not impose a general data-localization mandate. In fact, it cues the adoption of standard contractual clauses governing data transfers and aims to allow transfers to certain jurisdictions with comparable legal safeguards.

With a data localization mandate, India’s government seeks to promote the growth of large data centres. This does not address the basic requirements of favourable tax policies, physical infrastructure and easy access to skilled personnel. On the contrary, aggressive regulation of global data flows is likely to set off a counter-reaction from the US and EU, which could restrict the access of Indian infotech majors to global markets.

The Bill as it currently stands thus looks like the antithesis of a dynamic, open and flexible data governance framework. It usurps commercial autonomy and may hurt business innovation in the digital economy. Startups could suffer over-regulation, while incumbents with the wherewithal to absorb its costs may get more deeply entrenched. The ministry of information technology must review the Bill’s proposals in the interest of a robust innovation-driven digital economy. The Centre should consider the Bill afresh.

Sidhant Kumar is an advocate based in New Delhi and co-author of ‘Privacy Law: Principles, Injunctions and Compensation’
