ISAS Briefs

Summary

Before 2019 drew to a close, the Indian government unveiled the much-awaited legislation on data protection and privacy in parliament. The new legislation has been significantly upgraded from its previous version which sought to retain a copy of all data within India. The latest version veers toward greater state control of data with space given for technology firms to retain certain kinds of data abroad with consent.

On 11 December 2019, the Indian government introduced the much-awaited Personal Data Protection bill. Ravi Shankar Prasad, Indian Minister for Electronics and Information Technology, announced that the bill will be sent to a joint parliamentary committee for more discussion, a decision that troubled many who thought, as per custom, the legislation would have gone to the standing committee on information technology where it would have received robust scrutiny. Questions swirl around the bill, given its significance for domestic and foreign firms engaged in India’s digital economy and critics who fear the bill solidifies government control of personal information. The updated data protection bill does little to quell reservations regarding the latter, instead serving as a grist for more. Broadly, foreign firms must adjust to a complicated, undeniably state-heavy, political and regulatory terrain in India around data protection.

Given rapid digitisation and pervasive use of social media platforms by Indian citizens, there was a demand to regulate data collection in India. In its first iteration, the bill sought to create a comprehensive data protection framework that outlined responsibilities for citizens, organisations and firms that hold personal information. The original intent of the legislation was to create rules to protect individual privacy and prevent misuse of personal data. Individuals have to explicitly give consent, notwithstanding questions around whether consent is meaningful or efficacious, before their data was collected and used or monetised. Firms, or data fiduciaries, have to adhere to several rules while collecting and processing data. The previous bill also established a data protection authority, a data regulator, that would monitor regulatory compliance vis-a-vis data collection and protection and impose sanctions when violations occur. This authority, given a sweeping mandate, will have power over tech companies but also any firm across sectors that obtains information from customers.

Three issues come to the fore with the revised bill. First, the legislation enhances state power and control relative to citizens. The legislation gives the government considerable power to collect and hold data that Delhi deems pivotal to state sovereignty and the larger public interest. Moreover, the bill places fewer restrictions on Indian government agencies which already hold sensitive data of Indian citizens, including information gathered through the Aadhar database. In fact, government agencies are exempt from stringent rules governing data provided they can make a case for either national security or public order reasons. The government will also have the authority to demand technology companies like Facebook, Twitter and Google share personal and anonymised non-personal data for policy-making purposes, particularly welfare and social policy. The government’s role vis-à-vis data protection has veered sharply in the other direction from expecting the state to follow data rules, as outlined in the original bill, to exempting it. Unequivocally, the Narendra Modi government appears to have endorsed state control of data over enhanced data protection for citizens.

Second, the revised bill confers considerable power to the new data protection authority (DPA) to draft specific rules, set compliance procedures and settle arising disputes. Critically, the body will shape how consent requirements are framed and applied. Members of the new authority, currently limited to six, will be vested with substantial power to oversee and adjudicate the process of data protection. Membership within the DPA is tilted toward the involvement of high-level government officials. It is not clear how the new authority will evolve as the amount of data online rises exponentially as more and more Indian citizens go online. What also remains vague is whether the seemingly all-encompassing regulator could ably discharge functions under its future remit which could sow uncertainty among firms looking for clear rules and enforcement.

Third, the new bill softens provisions that mandated data localisation or rules that expect firms collecting personal data retain a copy of it in India. The new legislation obliges tech companies to store sensitive data, like financial and biometric data, on Indian servers but allows for data to be processed abroad under certain conditions. Though data localisation is tempered, the new bill contains a critical provision – identity verification that could affect how social media platforms like Facebook operate and how citizens use such content-driven platforms. Platforms like Facebook will be required to offer a way for users to verify their identity and display a public sign detailing verification before they communicate online. With this move, the government looks to stem the spread of fake news and misinformation sprouting out of these platforms.

India’s new data protection bill does not resemble its old version. Revised provisions generate more questions concerning whether India can advance both globalisation, particularly given rapid digitisation, and state control. The trade-offs appear irreconcilable. The new data bill, likely to pass in its current form once parliament reconvenes in February 2020, will increase state power over how data is collected, processed and used that nudges India closer to control, not openness, in terms of internet governance.

….

Dr Karthik Nachiappan is Research Fellow at the Institute of South Asian Studies (ISAS), an autonomous research institute at the National University of Singapore (NUS). He can be contacted at isaskn@nus.edu.sg. The author bears full responsibility for the facts cited and opinions expressed in this paper.