By Sidhant Kumar
As India evolves alongside the world into an information society, privacy and innovation are at the core of progress. In line with this, the government recently released the Digital Data Protection Bill 2022. This is the fourth iteration of a proposed data privacy law formulated after an unprecedented, wide-ranging, and transparent consultative process. It seeks to balance the interests of data protection and individual privacy with the advancement in technology and the development of a digital economy. This assumes pivotal significance given the government’s vision for a $5-trillion economy, of which about $1 trillion will be contributed by exports (with a large proportion from the technology sector).
The previous versions of the Bill included substantial restrictions on commercial autonomy and global data flows. This requirement was in conflict with the fundamental principles of value creation in the digital economy by creating efficiencies across physical frontiers. Further, it imposed a broad-based requirement to store data in India. These restrictions created widespread concern regarding the impact on the innovation and start-up ecosystem. Alive to these fears, the government withdrew the Bill from Parliament in August 2022, and revisited the contentious provisions. The new Bill seeks to allay these fears by presenting a balanced outlook on data privacy.
Also Read: Tech Bytes: What is Apple’s Advanced Data Protection and why it’s a big deal for iPhone security
Policy formulation in the digital economy challenges conventional notions of sovereignty and law-making. It requires governments to engage with and co-opt multiple stakeholders, including private players, to develop effective safeguards. The government, in this instance, proactively responded to deep-rooted concerns in relation to previous versions of the Bill by enhancing engagement. Rajeev Chandrashekhar, one of the key decision makers as minister of state, set the tone on these consultations by underscoring the importance of innovation and smooth data flows in the digital economy. He also outlined the objectives of the Bill as data protection for the citizen, ease of doing business for industry, efficient governance, and national security for the larger public interest.
The Supreme Court in KS Puttaswamy versus Union of India, speaking through a bench of nine judges, found privacy to be fundamental to human dignity. It is in this context that privacy was held to be a fundamental right, and Parliament was called upon to enact a data protection statute. The Bill now seeks to establish a consent- and rights-based data protection regime that does not sacrifice commercial autonomy or innovation. It also provides for corresponding obligations on entities that collect data christened data fiduciaries under the Bill. The Bill significantly narrows the exemption to government actors that process data for security and upholding sovereignty. This is a notable departure from previous versions of the Bill that exempted any state body carrying out state functions. There is also a proposal to establish an independent regulator for framing codes and enforcement.
The Bill enhances the control individuals have on the collection, use, and storage of their data. It makes consent-based collection of data the norm with few narrow exceptions. This consent is required to be meaningful and informed. Entities that collect data (christened data fiduciaries in the Bill) are required to collect and use data only for the purpose consented to and also secure the data with appropriate safeguards. A grievance redressal mechanism is also required to be established that is overseen by a regulatory body formed under the Bill.
The Personal Data Protection Bill that was recently presented to Parliament and then withdrawn imposed a broad-based requirement to store data in India. This requirement was in conflict with the fundamental principles of value creation in the digital economy by creating efficiencies across physical frontiers. Contrary to this approach, the present Bill embraces global data flows. The introduction of an adequacy assessment for global data flows—a feature of the EU data protection law—is a notable step forward. This change in stance has saved the Indian market from the possibility of getting isolated from the global digital economy fueled by free flow of data. This is a departure from the imposition of restrictions on data flows from India, as previous data protection proposals envisaged.
Also Read: The new data Bill & India’s trade goals
This new approach has enabled the government to respond to the potential fallout of the regulatory chokehold that appeared imminent under previous versions of the Bill. This multi-stakeholder process has enabled the formulation of a framework that fosters an open digital economy while effectively defining the rights of individuals. The ministry of electronics and information technology has adopted this approach in other areas as well, including semiconductors, cloud computing, and the national data center policy. These developments bode well for the future of tech policymaking in India through multi-stakeholder dialogue.
As a result of this process, a new Bill has been formulated that is based on clear and broad principles governing the collection and use of data. This principles-based approach is in line with the progressive manifesto of this government to unleash the animal spirits of the innovation economy through dynamic and nimble data protection architecture.
The author is a Delhi-based advocate