Opinion | Don’t stifle our digital economy with overbearing regulations4 min read . Updated: 27 Apr 2020, 11:20 PM IST
Our proposed data protection law could stymie digital value creation without enhancing privacy in any meaningful way
India’s place as a leading digital economy received resounding validation through Facebook’s $5.7 billion investment in Jio Platforms. This is in addition to a collaboration between the two data behemoths on an e-commerce offering through Facebook’s all-pervasive WhatsApp messaging service. This is the largest foreign investment in the digital and technology space in India till date. On another note, the Personal Data Protection Bill—which, if enacted, will redefine the entire functioning of the digital economy in the country—is pending before Parliament. It is, therefore, an opportune time to review our approach to data-protection regulation and the future of our digital economy.
There are major areas of concern in the present formulation of the Bill that is before a select committee of Parliament. The pivot of the framework appears to be a domineering mandate to be given to a data regulator, structurally geared to intervene rather than facilitate. Second, the Bill has broad-based restrictions on the transfer of data overseas from India, which could hive our market off from the global digital economy. Third, the Bill seeks to protect privacy by way of what looks like a regulatory sledgehammer that imposes extensive compliance requirements with little aid to data protection. Fourth, the Bill sets forth an inflexible framework that is bereft of any formal consultative rule-making process, which is likely to stifle innovation in the sector. Lastly, substantial portions of the Bill are out of sync with international data protection practices, which could blunt India’s competitive advantage as a digital market. These aspects of the Bill require substantial changes for it to not only achieve its objective of privacy protection, but also to avoid stunting the growth of our digital economy.
India has made enormous strides in the digital space, and the Reliance-Facebook deal is a watershed event in that journey, but we have a long way to go. Each Facebook user in Asia (except China) generates only $11 of advertising revenue a year, while one in North America racks up $112. We clearly have vast potential for growth in terms of purchasing power, an overarching policy goal.
In its present form, the Personal Data Protection Bill could result in the largest expansion of the regulatory state in India since economic liberalization in 1991. It envisions the creation of a Data Protection Authority with the power to impose penalties to the tune of 4% of a company’s global turnover. With sweeping powers to frame rules and virtually disrupt business operations, the Bill’s default setting seems to be regulatory intrusion.
The Bill contains substantial restrictions on the transfer of sensitive personal data (including financial and health data) outside India. The Authority’s prior approval would be needed for any such transfer. Further, a narrower category of personal data that is considered “critical" would be entirely prohibited from transfer outside India. The Bill also requires large players to have data protection officers physically located within India. These proposals could have an adverse impact on our digital economy, the basic characteristic of which is connectivity beyond barriers.These restrictive proposals could thus deprive India of the full fruits of the global digital market while failing to enhance privacy. The outside world is likely to see these measures as less about protection and more about protectionism.
The Bill would also make it difficult for the law to adapt to a dynamic environment. Instead of specifying broad legal standards, the proposed framework requires the Authority to lay down regulations of the one-size-fits-all kind. A glaring example of this is the Authority’s remit to define what constitutes “reasonable purpose processing". This permits companies to process data without obtaining consent for certain purposes, such as fraud prevention and research for a larger collective interest, subject to safeguards. Unlike the European Union’s General Data Protection Regulation, India’s Personal Data Protection Bill requires specific grounds for reasonable purpose processing to be specified in the law. This approach looks restrictive and short-sighted, and could hamper innovation, without which a digital economy cannot hope to prosper.
The Bill contains extensive compliance requirements, including the conduct of audits and impact assessments to be filed with the Authority. This approach of breathing down the neck of digital businesses is unknown to any data protection regime across the world. The compliance burden is likely to act as a potent deterrent to fulsome participation in the Indian market, as most digital businesses run on lean business structures. Also, technology companies that thrive on acquiring a competitive advantage will be reluctant to share information on their processes and business models. These proposals would give companies a reason to pause as they seek to grow in India.
Facebook’s bet on India underscores India’s enormous potential as a market. The fulcrum of the Reliance-Facebook deal would be the transformation of WhatsApp, a messaging platform, into a one-stop platform for a large number of everyday transactions. Such evolving businesses are the norm in a digital economy. Value generation here requires an open, nimble and innovation-friendly regulatory environment. We need a regulatory regime based on commercial prudence rather than regulatory fiat alone. Parliament must therefore be circumspect in enacting a data protection law. It would be unfortunate if India’s prospects for digital value creation were to suffer without any meaningful enhancement of privacy protection.
Sidhant Kumar is a practising advocate at the Supreme Court of India