India’s Data Protection Bill–the long wait continues

India, arguably the largest global market for Big Tech (and other tech companies), is moving closer to finalizing a data protection regime after a consultation process that has spanned over four years. In December 2021, a Joint Committee of Parliamentarians (JPC) in India submitted to the Parliament a report and a revised Bill that was referred to it two years ago. Amongst the many changes suggested by the Committee, the most significant was changing the name of the legislation–the 2019 version was called the Personal Data Protection Bill, while the 2021 version is called the Data Protection Bill. Changing the name in and of itself is a signal that tells an essential story of India’s evolving approach to and its politics towards data.

India’s quest for a data protection regime started with a 2017 landmark judgment of the country’s Supreme Court–Justice K.S. Puttaswamy (Retd.) v. Union of India. It recognized the right to privacy as a fundamental right primarily emerging from Article 21 (Protection of Life and Personal Liberty) of the Indian constitution. During the course of the hearing in Puttaswamy, the government constituted a committee of experts chaired by Justice B.N. Srikrishna to review data protection norms in India and make recommendations–in 2017,the Committee released a White Paper on Data Protection. After comprehensive consultations, it submitted its final report along with a draft law in July 2018 and a  version of the Bill was presented to the Parliament in 2019 by the Ministry of Electronics and Information Technology (MeitY), which was then referred to a committee of parliamentarians, which released its final report and the revised Bill last month. 

During these four years, the Bill has changed significantly in content and scope. While the 2018 draft by the expert committee only dealt with “Personal Data,” the 2019 version introduced regulation of non-personal data within its ambit (although in a limited scope). The 2021 draft legislation  builds on this trend and seeks to expand regulations of non-personal data (NPD) and wants the Data Protection Authority (which will be constituted in the future) to regulate both personal and non-personal data. This is why the name has been changed. 

This makes India’s proposed legislation unique–no other major jurisdiction has tried to regulate non-personal data in this manner. In fact, we do not even have a descriptive definition of the term. It is defined by ‘exclusion’ in the Bill–non-personal data is anything that is not personal data! The reasons for the inclusion of NPD given by the drafters of this legislation are that it is essential for the growth of the digital economy and the delivery of government services. Data is the new oil has become a term thrown around by India’s leaders and private conglomerates alike. In simpler terms, it is implied that this data is a sovereign good over which the state ought to have control. Fostering the “growth of digital economy” and “sustainable growth of digital products and services” is enshrined as an objective in the preamble of the new draft. In essence, the legislation  is no longer just about protection of the personal data of Indian citizens. It is about maintaining sovereign control of all the data that Indians generate.

Another fundamental deviation in the three versions of the proposed legislation  is on the issue of government exemptions. The 2018 draft allowed for exemptions to the state for the processing of personal or sensitive personal data for national security purposes. However, it recommended that any restriction must be necessary, proportionate, and narrowly tailored to the stated purpose. It also recommended that the central government expeditiously bring in a law to oversee intelligence-gathering activities. In contrast, the 2019 draft recommended providing blanket exemptions for national security purposes bereft of any necessity or proportionality tests. The 2021 draft  proposed by the JPC recommends amendments to reflect the need to strike a balance by adding qualifying terms “just, fair, reasonable, and proportionate” to the procedure that needs to be followed by the government for exemptions. This is a welcome change, but the new legislation still retains many amendments from the 2019 version that have the potential to be grossly misused by the state. Exemptions can be granted in case the government believes there is a threat to “sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order.” These terms are extremely open-ended, and various governments (past and present) have been notorious for misusing them to curb dissent and target political and ideological rivals. India has a colonial-era sedition law and has a history of allegations of illegal surveillance. The latest is the alleged use of Pegasus by the ruling government on activists, journalists, opposition leaders, and leaders of the ruling party itself. 

This tension is captured in various dissent notes filed by opposition party members of the JPC. Chief amongst them is Parliamentarian Manish Tewari, an experienced litigator, who says: “The Bill as it stands creates two parallel universes–one for the private sector where it would apply with full rigor and one for government where it is riddled with exemptions, carve outs & escape clauses. In my limited experience of three decades as a litigator, I have always been taught and made to appreciate that a Fundamental Right is principally enforceable against the state. A bill that seeks, therefore, to provide blanket exemptions either in perpetuity or even for a limited period to the ‘state’ and its instrumentalities, in my estimation, is ultra vires of the Fundamental Right to Privacy as laid down by a 9-judge bench of the Supreme Court of India in Re Puttaswamy (2017).” Experts have also opined these blanket exemptions will make it difficult for India’s data protection regime to receive adequate status with the GDPR and thus impinging on the government’s attempt to make it interoperable with other regimes.

Lastly, where the draft legislation does strike the right chord is in its approach to regulating Big Tech. Technology companies such as Google, Facebook, Amazon, and others have come under the scanner in India, like in other geographies, due to their wide-ranging impact on society, economy, and polity. The scrutiny has been particularly aggressive due to their impact on free and fair elections, rising hate speech, and potential to spark violence. The draft legislation does seek to place reasonable restrictions on how companies collect, store, process, and use the data of subjects. It makes user consent paramount and suggests several useful mechanisms and architectures to prevent harm to citizens. It also proposes a strong Data Protection Authority that can reign in Big Tech and protect the government and individuals from their unchecked power. 

However, even in its approach for Big Tech, certain proposals have been heavily criticized. All three versions of the legislation propose a strict data localization regime (and places restrictions on even intra-group transfers)–the jury is still out on the benefits of these clauses to the digital economy. Secondly, the proposed legislation takes a technologically regressive approach to protect children’s data, proposing an age-gate of 18 years and several other provisions that are inconsistent with global practices. The companies may even find it challenging to comply with the non-personal data provisions (when they are inserted in the future) or the widened definition of personal data that includes “inferences.” The JPC report also recommends making social media companies liable as “publishers” for the content on the platform from unverified users. While this recommendation does not make its way to the proposed legislation, it could impact the revisions underway in the Information Technology (IT) Act currently being framed by MeitY. 

In conclusion, this is a landmark effort despite its flaws. India has the largest addressable market for tech companies after China, and any law that the country passes will set off ripples in the global digital economy. Other countries may also want to pass similar laws. It could usher in a tug of war over digital sovereignty that may or may not benefit the global order. Data is essential for creation and improvement of digital products. Businesses currently operating in India or those currently considering entry into the Indian market should care about this proposed legislation. While MeitY prepares to place a revised version of the legislation in Parliament for passage and consideration, it is likely that companies, industry associations, and even foreign governments will advocate for changing contentious provisions. While the report places a timeline for its application as 24 months after its passage, it is likely we may be in for a long haul. 

Adnan Ahmad Ansari is an Associate Vice President at 9.9 Insights, a Policy and Strategic Advisory firm based out of New Delhi, India. Opinions are his personal.

The South Asia Center is the hub for the Atlantic Council’s analysis of the political, social, geographical, and cultural diversity of the region. ​At the intersection of South Asia and its geopolitics, SAC cultivates dialogue to shape policy and forge ties between the region and the global community.

Image: Code on computer Monitor. February 2017. Markus Spiske/Unsplash