Experts react: India’s Personal Data Protection Bill tabled in Parliament

After a two-year wait and amid growing friction between the United States and India on thorny digital trade issues, the report of India’s Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill was tabled in Parliament on Thursday, December 16, 2021. The JPC report reviews the country’s first data protection law and offers 81 recommendations, along with more than 150 drafting corrections and improvements in various clauses, in a bid to ensure privacy and, by extension, boost the local economy. Below, South Asia Center experts react to the Bill.

JPC Report Outlines a Vision for Indian Data Sovereignty 

India’s parliamentary committee examining the Personal Data Protection Bill has finally released its landmark report outlining a new approach to data governance in the world’s largest digital democracy. This vision is bold and expansive in its scope, stretching far beyond the committee’s original task of safeguarding individuals’ privacy online.

At its core, the JPC report is about power in the 21st century digital economy – specifically, how India can build and wield power to advance its strategic and economic interests. In this sense, the JPC report is perhaps best characterized as a vision of “data sovereignty” legislation, not “data privacy” legislation as traditionally understood in a global context. This emphasis on sovereignty cuts across the JPC report but it shapes two key areas of note: (1) the wide-ranging exemptions granted to government entities and (2) the expansive approach to data localization.

Near carte blanche exemptions granted by the JPC to the Indian government would set up a two-tier privacy regime: strong penalties and restrictions for the private sector, but wide latitude and powers for the Indian state. Of course, all privacy legislation aims to bolster state capacity vis-à-vis corporate actors, but the absence of meaningful curbs on Indian government surveillance is problematic if entirely predictable. Data localization – perhaps the most controversial aspect of the report for global companies – also highlights the JPC’s core focus on asserting Indian sovereignty. In fact, the JPC frames localization as a strategic and economic imperative, granting Indian law enforcement timely access to Indian citizens’ data, ensuring Indian data is always governed by the country’s rules, boosting investment and employment in Indian data centers, and enhancing India’s bargaining power vis-à-vis other digital economies.

This last point cannot be underscored enough. India knows its size and potential give it unique leverage in the global digital economy. It is increasingly determined to use this leverage, often in ways that may cut against U.S. interests and multinationals’ likings. Yet in the absence of real U.S. government pushback or reduced investments by corporates – both of which failed to materialize in 2021 – New Delhi has little incentive to alter its approach heading into the new year. More likely, 2022 could see India double down on digital sovereignty, not discard it.

Anand Raghuraman is a nonresident fellow at the Atlantic Council’s South Asia Center

The importance of privacy developments for India and Global South countries

The parliamentary committee report on India’s Personal Data Protection Bill has been long-awaited and repeatedly stalled. These privacy developments matter first and foremost for India, the world’s second-most populous country with a large and globally influential technology sector—and which currently lacks a comprehensive data privacy regime. They also matter for Global South countries to whom Indian legislators are in part aiming the bill; as a memo attached to the original draft characterized it, there are already three ways of data governance (in the EU, China, and the US), and India is developing a fourth way of data governance that can serve as a model for Global South countries. Lastly, they matter to many US companies and US government agencies interested in how the bill’s localization requirements will play out, as well as other countries watching advancements with great interest. 

The most internationally controversial part of the draft Personal Data Protection Bill is its data localization provisions—vaguely written requirements to force companies with data on Indian citizens to store that data in India. While an older version of the bill had stricter requirements, which appear to have been relaxed because of intense US government and company lobbying, there are still localization requirements in place in the most recent public draft. Related, a key issue with the bill is definitional uncertainty: many terms like “critical personal data” are not clearly defined and thus create more questions than answers about how the Indian government would interpret and enforce the privacy regime. The bill also has troubling exceptions for state data collection and use. Given the Modi government’s numerous rights abuses, including on and through the internet, parliament should narrow or remove these wide carve-outs. 

The US and India are hardly going to be on the same exact page about data privacy at any point soon. But there is still a great, unfilled space for cooperation—where the US and India can both engage in more substantive, coordinated discussions about the design, implementation, and enforcement of data regulations in ways beneficial for both countries.

Justin Sherman is a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative

The new Data Protection Bill? Underwhelming.

The Data Protection Bill, 2021, is the latest attempt by the Indian government to come to terms with the drawbacks of current consent-based approaches to privacy governance (that have found favour with legislators worldwide). The results are underwhelming. The Bill is replete with clauses that undermine user rights and expand exemptions to the government from compliance with the law. The drafters seemingly recognise the inadequacies of current notice and privacy regimes to effectively regulate tech corporations but fail to offer an alternate vision that provides genuine public oversight and accountability. 

Of geopolitical significance, the new iteration by the Indian government could mark a definitive shift in data protection law as we know it. Originally conceived as a tool to enforce users’ rights over their data, data protection statutes have a fairly limited purview. The 2021 Bill by the Indian government, on the other hand, has larger ambitions. Examples include: expanded scope of the draft law to now regulate both personal and non-personal data, updated Preamble that identifies fostering growth of digital economy as one of the aims of the Bill, and broadened government exemptions to the law to (potentially) allow for more state processing of data. What’s less clear is how all (or any) of these updates prevent and mitigate harms users face online; indeed, they might make it worse. Reimagining data governance regimes is undoubtedly a difficult task that is going to require governments not only to demand more public transparency from data processors but to also actually practice it.

Madhulika Srikumar is a Program Lead at Partnership on AI

The South Asia Center (SAC) is the hub for the Atlantic Council’s analysis of the political, social, geographical, and cultural diversity of the region.

At the intersection of South Asia and its geopolitics, SAC cultivates dialogue to shape policy and forge ties between the region and the global community.
