By Sidhant Kumar

The growth of all the advanced economies in the world was fuelled by embracing international trade. India’s dream of being a $5-trillion economy is built on the edifice of an open economy and global outreach. In line with this vision, the government has been proactively engaged in negotiations to finalise free trade agreements with major players, including the US, the EU, and the UK. Data and technology are the basis of most economic transactions today. The commerce secretary recently said that digital trade is an important part of our trade dialogue with the UK, the EU, Australia, and Canada. The data governance framework under the Personal Data Protection Bill is certain to have a far-reaching impact on our trade relationships and engagement with the world.

The Bill raises several concerns requiring thoughtful consideration. First, it moots a framework far more restrictive and costly than even the EU’s GDPR, which is considered the benchmark framework. Second, the Bill erects significant market entry barriers that diminish India’s image as a friendly market for foreign participation and raises the possibility of reciprocal curbs on Indian players in global markets. Third, given that all business today uses data and technology, the compliance burden under the Bill makes Indian players uncompetitive compared to their international rivals.

Given Europe’s large market share, there is widespread compliance with the GDPR globally. Even today, businesses around the world are still struggling to comply with its requirements. Our Bill is fundamentally more constricting than the GDPR in crucial respects. Under the Bill, any transfer of sensitive personal data (including financial and health data) overseas is contingent on the relevant authority’s prior approval. Further, a narrower category of personal data considered “critical” is prohibited from transfer outside India.

The GDPR regulates cross-border data flows in two ways: first, by the adoption of standard contractual clauses, and second, by adequacy assessments of legal safeguards where data may be freely transferred. It does not adopt an inflexible rule that the data must be stored in Europe alone. The Bill, unlike the GDPR, requires international transfers of many categories of data made by the same business to be approved by the relevant authority, adding further red tape. This binds businesses to bureaucratic delays in a world where data flows and synergies constantly change. Mandatory localisation and the broad-based provisions for government access will imperil the adequacy standard required under the GDPR to enable Indian IT companies to service European clients. The Indian outsourcing industry has prospered because of seamless access to markets such as the US and the UK. India’s tech exports are 51% of its service exports aggregating $178 billion. The trading relationship with these friendly actors will be the first victim of these stipulations.

The GDPR allows data use without consent for legitimate purposes. This is on the condition that the purpose falls within the broad outline specified. The Bill, however, requires the data authority to specify narrow purposes that it considers legitimate. This diminishes commercial independence and replaces it with a regulatory fiat. Once businesses are accountable for any breach of the broad purposes specified, there is no justification for the regulator to impose its judgment.

The notice and consent requirements as the basis for collecting and using data are adopted from the GDPR. The consent mechanism under the Bill, however, is complicated by the incorporation of a third-party ‘consent manager’ registered with the authority. The rights of individuals with respect to their data are to be exercised through the consent manager. Under the GDPR, businesses are accountable for the collection and usage of data with consent, and there is no justification to deviate from this approach.

Both the Bill and the GDPR require Data Protection Officers. The JPC has, however, gone a step further in recommending that the Data Protection Officer must be senior management personnel. The GDPR, on the other hand, permits the appointment of qualified and registered third parties to discharge these functions for an organisation. The GDPR regime proactively seeks to reduce the compliance burden and encourage cost-sharing, since such third parties may provide compliance services to several businesses. The JPC has also recommended a testing requirement for all hardware and software. This increases the costs for electronics manufacturing and software services, our most valuable exports. Our Bill, unlike the GDPR, also requires third-party audits, further augmenting compliance costs. In addition, the Bill requires businesses above a certain size to register with the authority. These compliance obligations skew the playing field against Indian businesses and diminish the chance of any Indian business acquiring multi-national status.

The government has clearly outlined the vision of the $5-trillion economy; exports will contribute a significant proportion of this, with the technology sector being an export leader. India’s recent proximity to the Quad formed along with the US, Japan and Australia is a sign of a confident nation embracing the ideal of a liberal and open economy. This Bill risks us being viewed in the same light as protectionist China and is inconsistent with our recent international outreach initiatives. The all-encompassing impact of the Bill across industries, from healthcare to manufacturing, makes engagement with all stakeholders inside and outside the government vital as we develop a data governance framework.

The author is a Delhi-based advocate