In the upcoming session of the Parliament, or perhaps before, the government under Prime Minister Narendra Modi is set to introduce a new version of the Data Protection Bill.
First introduced in 2019, the Personal Data Protection Bill (PDPB) was presented to the Joint Parliamentary Committee, which then presented its report in December 2021, citing several amendments.
The government withdrew the bill earlier this year, citing the need for a new document to encompass the suggested changes from the JPC and other industry players.
The PDPB must ensure ease of doing business. While the government would want a law at par with the global regulations, especially the Global Data Protection Regulation (GDPR) implemented by the European Union, three significant differences between the Indian and western markets must be factored in.
One, the size and scale of the market are gigantic. Two, the market is in adolescence, so the law must not constrain businesses, and three, the resistance from the western players to norms catering to India’s interests would be significant.
Implementing the ‘CAT’ combination, the policy must allow for ‘control’ of data by users and ensure ‘accountability’ of the platforms operating in India and ‘transparency’ in all data transactions.
The government’s pursuit of privacy and data protection must not come at the cost of ease of doing business, as the author summed up in his column in May 2018.
Beyond the CAT combination, there are three aspects the government must not compromise on, come what may, and not miss the forest for the trees.
Non-Personal Data Is A Golden Opportunity Being Ignored
One, on the issue of non-personal data, the government must look at the larger interests of the market, but without getting conservative. Simply put, non-personal data (NPD) includes all those data sets with knowledge and information that cannot be narrowed down to an individual or be used for individual profiling.
The NPD sets can aid young businesses and other entrepreneurs, and in a market of 1.3 billion people steadily moving to 5G and metaverse in the future, it is as good as a mine of gold.
The government is right in making it mandatory for any company operating in India to share NPD sets or anonymised data sets to curate evidence-based policies. However, it is conservative in determining its potential by clubbing it with personal data under the same bill.
Ideally, NPD sets’ governance must be done through a separate law, given the difference in personal and non-personal data sets and the concerns around them. However, the government must also not be bogged down by frivolous protests around NPDs.
For instance, under pressure and without a data protection bill, the government went back on its decision to monetise IRCTC data. An NPD created through the user base of IRCTC, of around 8-10 crore users, could have aided policy-making for state transportation units and other private players.
The likes of Zomato and Swiggy deploy the NPD they gain from the transactions on their platforms, between the consumer and the eatery, to operate their cloud kitchens and financially checkmate the poor restaurant owner.
Thus, the government will be tested on the issue of NPD by industry players as they try to play tough, citing concerns around intellectual property. Public NPDs will ensure that the younger plays are not forced out of the market.
While the credibility of the data shared by the big organisations may also be a concern from a competition perspective, the hijacking of NPD by a few big players must also be stopped. NPD sharing is an idea whose time has come, as elaborated by the author in this column from December 2019.
Data Localisation Or No Local Access
Two aspects of data localisation require discussion from personal and sensitive data perspectives. One, can the cross-border flow of sensitive data be allowed, and two, should all the data, sensitive or otherwise, be stored only on Indian soil?
The government, through the application of the decision of the Reserve Bank of India to mandate the storage of payment data in India, has already demonstrated that the global giants can be forced to toe the line. Both Visa and Mastercard, global giants in their industry, complied with the RBI’s decision of 2018.
So, the government can play the hardball when mandating local storage of sensitive data and its copies. On the point of cross-border flow, the government can allow a specific window within which the data can be transferred outside India and then returned, as the RBI does with payment data (24 hours or one business day).
However, security concerns about data usage outside India will always remain. This is another area where the UPI ecosystem outshines the likes of Visa and Mastercard.
The industry argument on the cost of data localisation is also bogus. In June 2021, reports surfaced about Apple’s ‘Goldengate’ Project. As per an investigation by The New York Times, Apple was storing the personal data of its Chinese customers using a state-owned server company in Guiyang.
The report stated that the company had abandoned its encryption technology, employed across the globe after protests from the Chinese government, and employees on the payroll of Beijing were managing the data centres, thus raising concerns against data privacy and integrity. The encryption keys for the data of Chinese consumers were allegedly shared with Guizhou-Cloud Big Data, or GCBD, a state-owned company.
By virtue of how it operates, the Indian government would not want to encroach upon the intellectual properties of any player, local or foreign, unlike China, but it must persist with the data localisation policy, as elaborated in the author’s column here and here.
In the long-term, it could be a catalyst for an entire industry around data solutions, enable more investments in the sector from local and global players and create employment opportunities. Once the private sector complies with data localisation, discussions can be held on cross-border data transfers.
The issue of cross-border data transfers also raises another question; how much can the central government get involved? Ideally, this is where separating personal and non-personal data would help, given the latter would not require any governmental approval before cross-border transfer.
However, on the issue of personal data, the government needs to define a clear line; to either go the RBI way or categorise it by data type or business. To think that a private company must approach the government before every cross-border data transfer is wrong.
A Fine Line Between Accountability and Punishment For Social Media Platforms
The fact that social media companies must cooperate with governments worldwide is no surprise. Facebook and Google publish quarterly reports on the requests made to them by sovereign governments and what action was taken.
However, one area where some social media companies have created a trap is the removal of individual or organisation profiles, the most infamous case being that of Twitter and President Donald Trump. This is where the bill must draw a fine line.
To begin with, social media platforms operating in India, irrespective of their origins or global operations, must declare themselves as either intermediaries or publishers. If they are the former, then the content, profile, and page removal policy must be made public.
If they want to identify as the latter, they must be held accountable for every single bit of data uploaded on their platforms, irrespective of who publishes them. For long now, platforms like Twitter have conveniently identified both to suit their agenda. Not anymore.
There is also the question of Data Protection officers, one the government or private individuals can reach out to in case of cybercrime, false news, or provocative literature.
However, given the time-sensitive nature of these episodes, the law must include a provision where a set number of data protection officers or ombudsmen are present for a certain number of users on the platform. For instance, the bill must warrant a set number of officers for every one-million users.
The fine print of the data protection bill, when updated to add the amendments, will be a subject of scrutiny, but moving forward, the government must adopt a strong stance on the above aspects to begin with.
As with GDPR in Europe, the Modi government must set a threshold until all companies operating in India must comply with the new law.
It must also be noted that a data protection bill for a market as complex and scalable as India will not be without subsequent tweaks and feedback, and thus, to expect the perfect document in one go would be incorrect.
However, the national interests must remain paramount whatever shape the final version takes and whatever course corrections come along.
Read More at https://swarajyamag.com/ideas/indias-data-protection-bill-2022-the-three-non-negotiables