The assumption that the government is granted open access to personal data solely based on location violates the very right to privacy that it set out to protect.
As part of his fiery Independence Day speech, PM Narendra Modi said that India is poised for record economic growth and is a land of reform, perform and transform. He likened the Indian economy to “an elephant starting to run” (IMF). In stark contrast to this economic vision, the newly released Srikrishna committee’s (SKC’s) draft bill adopts a very bureaucratic, impractical and protectionist attitude towards data protection and privacy. This type of policy-heavy law creates a harsh and inflexible atmosphere for businesses trying to comply with regulations and stay competitive in this global market. Will the Indian economy “elephant” now be forced to run in circles or run backward? A worrisome prospect indeed.
The Srikrishna committee recently submitted their draft Personal Data Protection Bill, 2018, to the ministry of electronics and information technology (MeiTY). The draft bill borrows much from the European Union’s recently released GDPR (General Data Protection Regulation) and this is not unexpected. The general expectation though had been that while adopting the many beneficial aspects of the GDPR, the SKC would strike a golden mean between two extremes—the United States’ market-leaning approach and the protectionist stance of the EU’s GDPR. However, their final recommendations actually add far more onerous layers related to data localisation requirements. Data localisation refers to the obligation for all companies that collect, process or store Indian citizen data to store said data, or a copy of the data, in India. The intentions behind this seem to be two-fold. Firstly, the belief seems to be that physically storing personal data in India will provide access to it and help curb unlawful use of data. Secondly, some optimists believe it will fuel economic growth through the proliferation of data centres across the country. Both assumptions are unfortunately flawed.
The assumption that the government is granted open access to personal data solely based on location is concerning. Lack of restrictions on government policing of personal data may enable an Orwellian ‘big brother’ type surveillance and end up violating the very right to privacy that it set out to protect. Additionally, a progressive alternative approach to localisation (like the APEC Cross-Border Privacy Rules) that permits data flow across boundaries will boost the economy much more than relying on data centres. It has been shown that all types of flows acting together have raised global GDP by 10.1% over what would have resulted in a world without cross-border flows. The value of this in data flows amounted to $2.8 trillion in 2014 alone—a larger impact than goods trade (McKinsey)! For India, data from digital apps are expected to contribute about $270 billion by 2020—or 8% of our GDP (BIF-ICRIER). The Indian IT-BPM (business process management) industry is already 8% of our GDP and is worth a staggering $173-178 billion (IBEF). The big data analytics sector in India is expected to experience a big leap and grow eight-fold to $16 billion by 2025 (Nasscom). This boom is primarily driven by US policies that promote cross-border data flow. This rapid digitisation is expected to unlock $39 billion of export opportunities by 2022 (KPMG). With the proposed new law, is India closing our digital borders and is it just a matter of time before other countries follow suit in retaliation? Will this hamper the ability to achieve our government’s forecast of 7% + annual growth?
Running data centres is a huge undertaking that requires tremendous amounts of power and cooling facilities. Some data centres need as much power as it takes to run a small city—power we cannot afford to redirect from our recently electrified villages and towns. The government has made great strides in providing electricity to villages and towns across India and we have a long way to go before our infrastructure can support running data centres efficiently and safely. Recently, a company announced the setting up of a data centre at a cost `1000 crore in West Bengal. For the data consumption of this country, we would quite possibly need several scores or maybe even a couple of hundred such data centres. We neither have access to such funds domestically nor do we have the time frame that would be necessary to implement this.
It would be remiss not to indicate the positive aspects of this draft bill. In particular, the focus on protecting an individual’s personal data—such as the right to information about what personal data is collected and how it is processed. There is also a section on the ‘right to be forgotten’ but not without conditions and an overseeing officer to determine if data can indeed be forgotten and erased. The requirement for organisations to notify citizens of data breaches in a timely manner is commendable. Such alarms are essential for our national security but imposing heavy penalties may be counter-productive. Throughout history, this type of punitive compliance-driven law has failed to address the issues it was created to solve. It failed momentously in the Indian telecom industry where penalty-related issues neither produced results for government nor resulted in a smooth flow of business for industry. It mostly resulted in a win-win for lawyers and courts with a busy legal system.
Even legal experts such as Srikumar and Mohanty pointed out that the SKC has erred seriously in assuming that forcing local storage of data would ensure access to it. US law bars American companies from disclosing user data to foreign governments.This is irrespective of the location of the data. Data can be shared only upon receiving a federal warrant. Thus, it is totally flawed to assume that localisation of data automatically gives access to it. If the goal is to ensure suitable action against wrongdoers, taking a look at the United States’ CLOUD act could give the Indian government more jurisdiction over violators of data rules across the world. Even the EU’s GDPR enforces compliance without restrictions on the physical
location of data.
The Srikrishna committee, headed by former Supreme Court judge, Justice BN Srikrishna, took a year to consider key stakeholder input. However, the final draft leans heavily in favour of the legal sector and has the potential to adversely impair the vision outlined by the Digital India Initiative and the National Digital Communications Policy (NDCP) and inadequately addresses data privacy concerns. The recommendations are heavily prescriptive and quite bureaucratic, featuring discretionary powers and draconian penalties. The committee has erred in failing to consider the IT and socio-economic ambitions of India and mistakenly adopted inappropriate Western norms in its recommendations. Over 150 citizens, including prominent experts in the field of law, have written to Union law minister Ravi Shankar Prasad about their issue with
this draft bill that includes a lack of diversity of interests represented within the committee.
Is there still a ray of hope? The writer earnestly believes so. MeiTY is now responsible for crafting the final bill after taking a range of feedback into account prior to initiating the process of turning it into a law. It is indeed heartening to note that such a feedback process has been initiated by the government and time has been provided till September 10 for submission of comments.
The Modi government is keen on making enterprise and innovation easier so that India becomes an innovation hub. Prime minister Narendra Modi spoke of the concept of “Vasudhaiva Kutumbakam”, or ‘the world is one family’. At the World Congress on Information Technology 2018, he stated,”In the 21st century, technology is becoming an enabler for this concept. It helps us create a seamless, integrated world. A world where geographical distance no longer remains a barrier in collaborating for a better future.” Is the data protection draft bill in direct opposition to this?
Research inputs by Chandana Bala