Data localisation can create a ‘honeypot of data’ — a concentration of information in one geographical location that increases the risk of data breaches and cyberattacks. Concerns over excessive tracking and data monitoring by the government are also not unfounded.

By V Sridhar

Data protection regulation in India has recently faced several setbacks. The Personal Data Protection Bill was introduced to India’s lower house on 11 December 2019. But the government withdrew the Bill after India’s Joint Parliamentary Committee proposed 81 amendments and 12 recommendations. A new bill with a more comprehensive framework, including modern digital privacy laws, will be released soon.

There are some challenges and opportunities for the Indian government to consider before the new law comes to fruition. The first challenge is reforming the stringent but ambiguous data localisation regulations proposed in the earlier Bill, which restrict the cross-border data flows of Indian residents using servers located within the country.

New Delhi claims that data localisation protects consumer privacy, improves state access to sensitive data to protect national security and ensures law enforcement agencies have access to data to detect financial fraud. But blanket restrictions on cross-border data flows affect the provision of digital services to consumers.

Stringent data localisation regulations may reduce the international competitiveness of India’s service providers by hindering their ability to provide consumers with the best practices and technologies. India’s Information Technology industry benefits from the free flow of cross-border data. Data localisation can create a ‘honeypot of data’ — a concentration of information in one geographical location that increases the risk of data breaches and cyberattacks. Concerns over excessive tracking and data monitoring by the government are also not unfounded. The negative impact of data localisation on the export of information and communication technology services is well-researched.

But regulators lack capacities

The Indian government should revise data localisation regulations so that they do not hinder digital trade. One way to address this issue is to create a ‘trusted network’ of countries with which India can engage in cross-border data transfers, including by signing bilateral or multilateral agreements with the European Union, the United States and Quad countries.

Exemption clauses in the old legislation provided the state with access to personal information in the name of national security, subject to appropriate authorisation. But more often than not these exemption clauses tend to be excessively used. Data subjects often have no recourse to address the misuse of their data besides judicial appeal, as demonstrated in the Puttaswamy versus Union of India case in 2012.

The exemption clauses in the original Bill need to be made more precise. Ambiguity in the definition of the terms ‘grossly offensive’ and ‘menacing’ in Clause 66A of the Information Technology Act 2000 led to the arrests of two girls in Mumbai. The Supreme Court of India quashed Clause 66A in the Shreya Singhal vs. Union of India case in 2015. Well-defined privacy principles should mean that the state is treated like any other data fiduciary to protect the privacy of the data subjects.

There is also a lack of enforcement of data laws and regulations in India. Though the Bill specifies penalties for the misuse of data like the European Union’s General Data Protection Regulation (GDPR), Indian regulators often lack the capacity and resources to audit data fiduciaries for regulatory compliance and enforce penalties for deviation.

Privacy auditing. Societal safety, welfare

The draft Personal Data Protection Bill was also criticised for its proposed Data Protection Authority (DPA). The DPA was to be constituted solely by government representatives, with the Cabinet Secretary as the Chairperson. That would render the DPA inseparable from the executive branch of government.

It is time for the Indian Government to build adequate capacity in privacy auditing, either on its own or through public–private partnerships, to ensure the protection of data subjects. The DPA must be an autonomous entity staffed by a diversity of privacy experts from government, academia and industry. The GDPR requires its supervisory authority to be financially and administratively independent of the government, with members having no conflict of interest in the functioning of the authority.

India’s governance framework for non-personal data (NPD) is also important. NPD is loosely defined as data that does not identify specific individuals. Many countries recognise NPD as a digital public good to be made available to the public and the private sector. India was one of few countries in 2020 to provide a legal basis for establishing rights over NPD — defining possible models for sharing NPD for social and economic value creation and associated regulatory mechanisms.

India’s Joint Parliamentary Committee suggested regulating personal and non-personal data under one Act. Though there has been resistance from the data fiduciaries on information sharing and the right to use NPD, the government should include an appropriate NPD governance framework to unlock the value of NPD for societal safety and welfare.

Having one of the largest Internet subscriber bases in the world, India has lost precious time in enacting an omnibus privacy and data protection law. That is one of the reasons why India is not on the list of countries that meet the data protection adequacy norms of the European Union. For data trade to prosper, New Delhi must expedite the proposed privacy and data protection law — moving India closer to meeting the European Union’s GDPR data protection requirements.

V Sridhar is Professor at the Centre for IT and Public Policy at the International Institute of Information Technology, Bangalore.

This piece has been sourced from East Asia Forum.

Image: Hippopx: Licensed to uses under Creative Commons Zero – CC0