Highlights of India’s Personal Data Protection (PDP) Bill, 2019 and its compliance requirements, from an industry specialist.
India is home to 1.3 billion active online platform users, the second largest in the world, and the Government has been working on a data protection law that will impact them all. Its implications are however not well understood. This article seeks to clarify and examine some of the aspects of the proposed law.
The Government of India has been working on a data protection law as the nation houses 1.3 billion[1] active online platform users, second largest in the world. In 2018, the Ministry of Electronics and Information Technology (MEITY) released a draft data protection law (2018 Bill) which was drafted based on the recommendations of the Expert Committee convened on Data Protection chaired by Justice B.N. Srikrishna in 2017. The 2018 Bill spelled out mandatory data localisation requirements, bifurcating data into the categories of sensitive, critical and personal; and was seen impacting large MNCs, while protecting domestic companies and Indian citizens. However, this version of the bill was never introduced in Parliament. In early December 2019, a revised version of this law (2019 Bill) was introduced and sent to a 30-member Joint Select Committee (JSC) review.
What does 2019 PDP Bill talk about?
Data Localisation
Indian Government is highly concerned about the storage location of the data for security concerns of the citizens. Currently, under the 2019 Bill, sensitive personal data (SPD) can be processed anywhere but should be stored in India whereas critical personal data (CPD) (the scope of which will be notified by the Central Government in due course) can be processed only in India.
Though the localisation requirement is diluted in the 2019 Bill in comparison with the 2018 Bill, industry and global corporations operating in India believe that a final decision on localisation of data should be made only after a cost-benefit analysis is undertaken to determine which approach would be most beneficial from a security as well as business concerns.
They advocate that, as far as possible, law should retain the free cross-border flows of data as locating data locally will also directly affect businesses that are heavily reliant on cloud technology and therefore increasing the cost of doing business.[2] While the impact on local businesses will be direct, the outcomes of localisation could also affect foreign investment in India generally.
Cross-border data transfers
Despite the dilution of localisation requirement under the 2019 Bill, SPD can be transferred only on the basis of explicit consent and other requirements (as approved by the Data Protection Authority, the DPA). CPD can only be transferred abroad for emergency processing or pursuant to an ‘adequacy’ decision. Businesses believe that caution must be exercised before formalising the requirement of an adequacy decision. Primarily, there is no substantial body of evidence to validate efficiency of the adequacy test in governing cross-border data flows. The final decision on adequacy status could also have political ramifications & economic impact.
United Nations Conference on Trade and Development (UNCTAD) holds a different view on cross border data flows. UNCTAD’s Trade and Development Report 2018 warned that the potential benefits to developing countries of digital technologies risk being crowded out by the rent-seeking of digital monopolies. The global e-commerce market was estimated at US$29 trillion in 2017, with a growth of around 32% since 2015. The flow of data now contributes more to world’s GDP than flow of physical goods. In 2017, India ranked ninth in terms of global e-commerce sales.
Sharing of Non-Personal Data with Central Government
Under the 2019 Bill, the Central Government has been given unfettered powers to direct a company to share its anonymised or non-personal data (if required) to better target policies and services made available by the State. This is problematic for many reasons: as the non-personal data, referred to as ‘anonymised data’, needs significant investment from the company into resources such as data analytics tools, making this anonymised data the company’s private property?
More often than not (apart from in China), empowering the government to use this data is tantamount to letting the government appropriate private property, which has continued to be a controversial subject, especially since it is an absolute power, without any safeguards built in. Secondly, this provision has been added without scope for more discussion on the kinds of data that are actually be useful for policymaking. It is opined that such a vast power should not be available to the State without adequate checks and balances as it poses threat to the ‘Right to Privacy’, a fundamental right as declared by Supreme Court of India.
Dilution of 2018 PDP Bill gives virtual carte blanche to the Government to access personal and non-personal data of individuals and other entities on the mere declaration of critical circumstances such as national security, criminal investigations etc. This opens the door to misuse and makes it a cakewalk for government surveillance and the profiling of citizens, both of which are anathema to civilised governance and constitutional democracy.
The 30-member JSC has some difficult issues to grapple with and ensure there is no abridgement of the fundamental right to privacy of Indian Citizens guaranteed as under Article 21 of the Constitution.
[1] McKinsey Global Institute analysis- Active users of online platforms
[2] See: https://www.pwc.in/assets/pdfs/publications/2018/at-a-privacy-crossroads.pdf
