The wait for a meaningful legal protection of digital privacy in India — a fundamental right long under ever-increasing attack — has just gotten longer!
The Personal Data Protection Bill 2019 [PDP 2019], in the works for over 3 years, which sought to protect data over cyber space and regulate the accessibility to personal data by companies and the government, was withdrawn by the Union Government from the Lok Sabha, after a joint parliamentary committee suggested 81 amendments to it. The PDP 2019, with elements of the UK GDPR and the US CPRA, sought to bring in a slew of changes, such as expanding the scope of the law to cover personal and non-personal data as well. Both types being a point of contention.
Many digital rights activists, Internet Freedom Foundation being one, argue that this decision, and the government’s consistent failure to advance a meaningful, people-centric data protection law, comes with a steep cost to human rights in the world’s largest democracy. The lack of a data protection law is especially dangerous given the government and tech sector’s unabating efforts to collect, retain, and utilize an increasing amount of people’s personal data (Aadhar, NRC etc.) – including allegations of potential misuse.
One of the key issues surrounding PDP 2019 was that it exempted government agencies from the law “in the interest of sovereignty of India”, which can be potentially abuse access. With the absence of a data protection law, the attacks and leaks will increase causing harm to India’s internet infrastructure and people’s privacy. India is the third most-impacted country by network security attacks in the world, with dramatic increase in the number of data leaks and breaches. There are even suggestion of a complete overhaul of the technology sector subject to the preparedness – blurring the horizon even further. Here you can know more about this issue.
Another factor which will impact the future of data privacy is the non-personal data element being introduced. As the relevant parliamentary panel was of the view that non-personal data should be included in the purview of the privacy bill, it appears that the GoI has a larger privacy law plan of 2019 with inclusion and regulation of “non-personal data” (a term for data viewed as a critical resource by companies that analyze it to build their businesses). Unsurprisingly, this has met with corporate reactions – both domestic and international. PDP 2019 proposed stringent regulations on cross-border data flows and offered power to the GoI to seek user data from companies. This, of course had internal and external geo -political and geo-economic ramifications and speculation on whether the government will be able to strike a balance of being a surveillance state and hence like China or whether it was a democratic business friendly regime.
Recently, the GoI had faced some negative publicity, tech giants including Facebook, Twitter and Google raised concern with other separate regulations India has proposed for the technology companies as intermediaries. Sometimes even straining relations between New Delhi and Washington. An uncalculated tech sector regulation could, potentially derail the government plans of promoting India as a global business hub, leaving the government to balance competing interests without jeopardizing the technology sector capabilities or letting foreign play benefits more greatly.
Finally, it is evident that the hesitancy to pass a federal privacy and data protection framework exemplifies the government’s approach of putting the horse before the cart. The GoI first needs to build data friendly infrastructure and ecosystems which would address the issues placed by the current iterations of the PDP 2019. In its current form it would potentially prove detrimental to the country. Un-answered issues pertaining to data localisation, categorisation of data types, cross-border transfer and storage, regulation with due consideration for commercial operations while balancing individual rights remain for litigators to address.
While most created nations like Singapore and Canada have picked the omnibus regulation model of the EU, it may not be ideal for India. Dissimilar to these nations, India has a high prosecution pendency rate. Instead working on ancillary regulations which provide clarity on aspects such as regulatory processes – ecommerce for digital markets and services, data centres like the one in Noida and broadband connectivity – 5G need to be addressed through a cyber-code collectively with data privacy.
Recent media reports citing government sources have indicated that the GOI will shortly commence work on a new law to replace the Information Technology Act, 2000. As part of this process, it appears that the government may introduce policies on data governance and cyber security, a “Digital India Act” to replace the IT Act and new regulations to replace the PDP 2019 – before the 2024 general elections. Any new act would ideally have to be compatible with international data privacy regimes.
This is only for informational purposes. Nothing contained herein is, purports to be, or is intended as legal advice and you should seek legal advice before you act on any information or view expressed herein. Endeavoured to accurately reflect the subject matter of this alert, without any representation or warranty, express or implied, in any manner whatsoever in connection with the contents of this. This isn’t an attempt to solicit business in any manner.