What’s next on data security?

There are two issues – the form a new law will take, and the nature of the protection it will offer.

The withdrawal of the Personal Data Protection Bill from Parliament came as a surprise, especially after the effort put into it over the last five years. Between August 2017 and July 2018, a 10-member committee headed by a former Supreme Court judge drafted the bill. The committee included four senior government officials. The bill was then amended by the government, approved by the cabinet, and introduced in Parliament in December 2019. Thereafter, a Joint Parliamentary Committee, or JPC, comprising a majority of BJP members, reviewed the bill and submitted its report in December 2021. The withdrawal does not reflect well on the government, as the whole process played out under its rule. It also adds to the uncertainty about the future of privacy regulation in India.

One way to understand this decision is to go back to the origins of this law, which arose from the Justice K.S. Puttaswamy vs Union of India case, where the court observed that the right to privacy has both positive and negative aspects. The former implies the need for the state to actively take measures to protect the privacy of an individual. Thus, the government was more or less forced to draft a data protection law. This experience also tells us something about the limits of judicial inducement to regulation, which requires the active effort of the other two branches of the state. Delay and dilution options are always available.

Scope of law

The growing importance of the digital economy and the wide scope of the proposed legislation also contributed to conflicts among stakeholders as the legislation was being discussed. Shaped by differing interests and incentives, the state, industry and advocacy groups all have very different expectations of what data protection legislation should look like. For example, for the domestic industry such a law represents a compliance hurdle that could put it at a disadvantage. However, a law can also promote regulatory certainty, opening up the potential for increased data flows and growth of the data processing business. For the state, a law may limit intrusive data processing by state agencies, but it may also promote geopolitical, strategic or regulatory interests. Similarly, individuals may benefit from restrictions on harmful data processing, but on the other hand, poorly designed legislation can legitimize some intrusive practices.

Each version of the law – the Srikrishna Committee’s 2018 Bill, the 2019 Bill introduced in Parliament, and the JPC’s version in 2021 – faced different types of criticism from various stakeholders. For example, law enforcement interests were seen as being hampered by the 2018 draft, with the 2019 bill then providing broad exemptions.

However, what appears shocking is the continued weakening of the focus on data privacy since the 2018 edition. From being the focal point of the law, privacy protection was increasingly seen as one of several purposes. This was most clearly seen in the recommendations of the JPC, which sought to significantly modify the ambit of the law. The JPC recommended moving from a personal data protection law to a law governing the entire data ecosystem. It further suggested the imposition of several broad restrictions on social media and other entities. In this effort to address the many problems in the digital ecosystem, the already comprehensive legislation was transformed into an all-encompassing bill. This called into question the ability to apply it properly. In addition, the provisions relating to several issues were lacking in detail. For example, provisions relating to the processing of data by the state, governance of non-personal data, and regulation of social media may be juxtaposed with more realistic and procedural detail than is necessary to balance complex competing interests.

Way forward

Looking ahead, there are two important issues – the form that a new law will take, and the nature of the protection it will provide.

On the first issue, the government has suggested that it will introduce a number of laws with a new comprehensive legal framework. This is the right approach, as it would be a mistake to try to fit all the objectives related to the digital ecosystem, or even data governance, into one bill. It is healthy to maintain some multicentrism in the governance of a complex digital economy, and different laws and agencies must co-exist. It would be ideal if each bill addressed a coherent set of objectives: for example, a personal data protection bill should not be burdened with other objectives. Similarly, separate laws may deal with issues related to state surveillance, or issues in the data economy such as those related to competition arising from the monopoly of data by certain entities. Over time, such a system can lead to more balanced and beneficial results. However, in the short term, the government would do well to enact a specific personal data protection law, given the effort already dedicated to it (and significant areas of agreement among stakeholders).

The second issue is the nature of the privacy protection that any new legislation would provide to individuals. The 2018 law, on which future drafts were based, borrowed heavily from the rights-based European General Data Protection Regulation. However, the framework was criticized by some for its perceived impracticability in the Indian context. In India, for example, creating a cross-sectoral data protection entity with the power to take significant punitive action is seen as problematic given the rule of law, capability and regulatory constraints. Some of these issues could be addressed in creating a new data privacy law.

First, it must build in a risk-based approach to data protection, so that regulatory attention is directed toward addressing the sources of potential harm. Second, based on risk assessment, legislation may enable co-regulation and self-regulation (with the regulator acting as a backstop). These can reduce the compliance burden on entities without significantly affecting the protection of rights. Third, the current version of the law was weak on accountability measures for the data protection regulator. The new bill should include more provisions to ensure that the regulator exercises its powers well. These include provisions relating to appointments, counselling, reporting etc. Fourth, even as the law is being drafted, the government should invest in building some administrative capacity to implement it, so that when the law is finally passed, implementation can begin soon after. This has already been done with SEBI and PFRDA. Lastly, it is important that any new legislation is framed on the basis of transparent and fruitful consultation with all stakeholders.

Rishabh Bailey is a lawyer and technology policy researcher with xKDR Forum, Mumbai; and Suyash Rai is Deputy Director and Fellow at Carnegie India