Life has come full circle for data protection regulation in India, as the Union government withdrew the Personal Data Protection Bill 2021 from Parliament on Wednesday. The Bill was tabled in Parliament in 2019 as the Personal Data Protection Bill 2019. Thereafter, it was referred to a Joint Parliamentary Committee (JPC) for review in December 2019. The JPC recommended 81 amendments in a Bill of 99 sections, and changed the name of the Bill from Personal Data Protection Bill to Data Protection Bill as it included non-personal data related provisions in the revised Bill.
Also Read | Govt withdraws Personal Data Protection Bill
Considering the large number of changes recommended to the Bill by the parliamentary panel, the government considered coming up with a new Bill instead of amending the provisions in the existing Bill as a better path to follow. The idea is to come up with a comprehensive data protection Bill that will take care of all aspects of regulating the digital ecosystem, be it non-personal data, social media regulations, data localisation or hardware security issues. This is indeed a good idea—coming up with a fresh and comprehensive legislation instead of revamping the existing one, particularly when the previous one was not dealing with many of these issues. However, it may have some repercussions on India’s trade and ongoing free trade agreement (FTA) negotiations.
Data protection regulations and India’s trade
In the post-pandemic world, businesses have increased demand for online delivery of services and use of online facilities. This has created an opportunity for India to leverage its global standing in IT services and increase its services exports through online mode (Mode 1 in trade parlance). However, the challenge to Mode 1 services exports will be data protection regulations. India’s data protection and privacy laws are not considered adequate by many countries. In the absence of data protection regulations, Indian IT industry may not be able to provide IT solutions through Mode 1 in those geographies that insist on robust data protection regulations, such as the European Union (the EU). Even if Indian IT companies are able to provide these services through contractual agreement, such business models will increase the cost of doing business for them. Well-defined data privacy regulations will help Indian IT service providers to showcase their compatibility with privacy regulations elsewhere.
Therefore, if India is to capitalise on the growing Mode 1 opportunities globally, it will need to have its own data protection regulations at the earliest. Also, such data protection regulations need to align with the global norms, such as the EU’s General Data Protection Regulation (GDPR)—bear in mind, this is considered a benchmark by many countries. It may be noted that the withdrawn Personal Data Protection Bill had many similarities with the EU’s GDPR.
Ongoing free trade agreements
India is currently negotiating free trade agreements (FTAs) with a number of countries, including the United Kingdom, the EU, and Canada. Most of these agreements are comprehensive in nature, and have dedicated chapters on goods trade, services trade, intellectual property, rules of origin and other aspects of trade, including digital trade. If we analyse the digital trade chapters that are included in the FTAs worldwide, and especially in the existing agreements of those countries that India is currently in negotiations with, we find that elements related to data protection are important constituents of such deals.
Some of the key articles in the digital trade chapters of these agreements include those on cross-border data flows, data localisation, and data privacy. In the absence of data protection regulations, India may face substantial difficulty in negotiating and concluding these trade agreements, if the negotiating partners intend to replicate the provisions of their existing agreements. The history of India-EU FTA negotiations is a testimony to how data issues could lead to a stalling of the entire negotiations so painstakingly conducted.
India and the EU started negotiating Broad-based Trade and Investment Agreement (BTIA) in 2008; however, the negotiations got stalled in 2013. One of the sticky points responsible for the stalemate was data adequacy issue. India was demanding data adequacy status from the EU to benefit its IT industry, but the EU was not able to grant this status to India as the country did not have similar data privacy laws. This ultimately resulted in the stalling of the negotiations, as is well known. Of course, there were other reasons too for the breakdown. The data issues are also very relevant in the context of India’s trade relations with the United States (the US). The US pushes for exacting rules for the digital economy in various forums, including on cross-border data flows and data localisation.
It is understood that tech companies and trade bodies of the US were having some apprehensions on the provisions of the now withdrawn PDP Bill, particularly on data localisation.
While data localisation is considered to nurture and support the infant digital industry in India, foreign technology companies view data localisation as beinig quite cost-enhancing. Though it is important to take into consideration the suggestions and interests of all stakeholders of the digital ecosystem, the new Bill should not benefit foreign firms at the cost of Indian digital firms that have now started spreading their wings.
The process of drafting and introducing the new Bill may be time consuming as it requires public consultation before tabling in Parliament. Nonetheless, it is in India’s trade interests to have this new comprehensive Bill tabled in Parliament and become an Act sooner rather than later.
The author is Policy Leader Fellow, European University Institute, Italy, and associate professor, Centre for WTO Studies, Indian Institute of Foreign Trade.