Since the Personal Data Protection Bill (PDP), 2019 was tabled in the Parliament, it has sparked conversations and concerns about data governance, privacy, non-personal data, compliance costs, and more. The Joint Parliamentary Committee (JPC) was then created to study and consider these implications and offer recommendations and amendments to the bill. Two years later, the JPC submitted its report, suggesting several far-reaching changes to the original Bill, one of which is changing the name and nature of the bill to the Data Protection Bill and expanding the scope to include non-personal data. Additionally, the committee has also submitted a version of the bill that they think should be presented to the Parliament.
However, some recommendations and amendments in this version of the bill are contentious in nature, and will pose challenges for businesses in India, affect the citizen’s right to privacy, and impact other stakeholders in the ecosystem.
In light of this, The Quantum Hub, in partnership with YourStory, held its third stakeholder discussion on ‘Reshaping India’s Data Landscape’, a series of discussions on PDP 2019. Moderated by Aparajita Bharti, Co-founder, The Quantum Hub, the panel featured Priyanka Chaturvedi, Rajya Sabha MP, Shiv Sena; Ashish Aggarwal, Vice President – Public Policy, NASSCOM; Kailash Nadh, CTO, Zerodha; Nehaa Chaudhari, Partner – Policy, Ikigai Law; and Sijo Kuruvilla, Executive Director, Alliance of Digital India Foundation (ADIF).
With multiple stakeholders who are heavily invested in the outcomes, challenges and changes that this bill will create, the panel discussion covered everything from the regulation of non-personal data, proprietary rights and disclosures of algorithms, cross-border transfers and how all these factors will affect the ease of doing business in India.
You can watch the entire panel discussion,
Ease of doing business
Prime Minister Narendra Modi recently discussed the burgeoning culture of startups in India. India is a global leader in the tech space, said Priyanka, which is why it is imperative that this growing ecosystem be encouraged and that the growth be regulated. “The ease of doing business means that while we’re facilitating businesses to flourish, we are also expecting some kind of compliance…we should make the rules in such a manner that it’s not a hindrance to businesses, especially small businesses. On the one hand we’re talking about Startup India and the unicorns we’re creating but at the same time we’re burdening them with so much compliance that makes it non-viable for them. Any law that comes into place can lead to outcomes which are unintentional but can also prove harmful in terms of job creation, economic growth, etc.” she stated.
For the law to be truly effective, it needs to maintain a delicate balance of facilitating the growth of India’s tech and electronics manufacturing ecosystems and ensuring compliance with global best practices.
For instance, the Data Protection Authority under the Bill proposed by the JPC could mandate disclosures of algorithmic methods and processes to check for their ‘fairness’. Businesses risk losing their competitive advantage, while India risks being seen as an unfavourable investment destination, due to such provisions.
The Bill in its current form could also unintentionally hurt the Indian startup ecosystem. According to ADIF’s Sijo, young startups should ideally be focused on their customers and building their business. However, today early-stage startups already have enough regulatory worries in terms of paperwork, funding, and other factors. The Data Protection Bill will add to their woes and many of them also may be unaware of the obligations they must fulfil.
Additionally, startups these days compete in a global market and use services by companies located in foreign locales. A startup that signs up on GSuite or other such services will inevitably use foreign servers. This business model could come under the Bill’s scanner due to restrictions on cross border data transfers, and create hurdles for Indian startups.. As a result, these businesses may be forced to incur higher costs in India and ultimately become uncompetitive. Sijo also mentioned that onerous regulations may also prompt Indian founders to register their companies abroad instead of India to avoid this level of compliance.
The challenge of cross-border transfers
Cross-Border Data Transfers (CBDT) remain another point of concern. About 80 percent of India’s IT/ITeS industry is export-focused, said NASSCOM’s Ashish. India continues to process data from over 100 countries, and the new law threatens to upend this arrangement by making the Indian market less competitive.
India must also fulfil data adequacy requirements, with a strong digital privacy regime. This will determine whether other countries recognise India as a country that has ‘ an adequate level of protection’. Ashish cited recent talks between India and UK on Free Trade Agreements, stating that a digital chapter will form an essential part of the FTA. In light of these negotiations, to include hard-coded provisions into the Data Protection Law that make cross border data flows difficult would be disastrous for both the government and industries.
Echoing this concern, Nehaa shared, “There is some language here that seems to import new restrictions on Cross Border Data Flows. It’s important to be a part of the global economy and CBDF is critical to ensuring that that happens.” The bill indicates that it will become harder for businesses to engage in these data transfers, and that it is the DPA, in consultation with the Central Government, that will authorise these transfers. This power to deny approval for CBDT of sensitive personal data on grounds of ‘public policy’ and ‘state policy’ is worrying.
Furthermore, under the Data Protection Bill, the government can ask for transferred data to be shared with them. This will become a problem for Indian entities who want to trade with Europeans and other entities.
Another ambiguity that the bill presents lies in the fact that although Cross Border Data Transfer restrictions will apply to foreign data being processed in India, the government can exempt certain transfers under Clause 37. However, there is no clarity on how these exemptions will be implemented or on what basis they will be granted.
In terms of Cross Border Data Transfers – be it exemptions or restrictions – the Bill and amendments remain unclear on how these will be carried out.
The blurred boundaries of non-personal data
Despite heavy pushback from multiple stakeholders, the JPC made a surprising and contentious choice by suggesting that along with personal data, even non-personal data (NPD) be brought under the ambit of the proposed Data Protection Bill
The regulation of NPD, which is any set of data that does not contain personally identifiable information, or is anonymised personal data, has been a contentious issue. The panel was unanimous in its opinion that NPD should be regulated under a different law. Including it in this Bill will only increase the uncertainty that businesses face. Even though the JPC has made this recommendation, various issues such as consent, data localisation, codes of conduct, data principals’ rights over NPD, etc. remain unanswered. Similarly, while the current law discusses the problem of an NPD breach, the context for the breach is not established.
Kailash of Zerodha expanded on this point by offering the example of creating a non-personal dataset of weather forecasts for a particular region. He stressed that data principals will not face harm in the same manner in case of NPD, as in case of personal data, adding, “Let’s say, I accidentally share this giant excel sheet, which I think is really valuable to my business, with somebody else. Now, this could constitute a breach. What is the harm being done here? Who are the affected parties? Who is the data principle? These things are all undefined. We’d like to say this is the data economy and that data is oil, but most information out there is junk. So, what exactly are we protecting? Just undefined bytes that do not affect the state or sovereignty?”
Nehaa also added to the ambiguity around regulating NPD by stating that the discourse around NPD was in its nascent stages, both in India and globally. Heavy-handed regulations at this point would be a premature move. Without clarity on NPD regulations, businesses again remain unnerved. This ambiguity could cost India, leading to a brain drain as startup founders look to other jurisdictions to set up their businesses.
The panel suggested that the only way forward was a slow and steady approach. Presently, the bill and its regulatory bodies were biting off more than they could chew. Instead, the Data Protection Act should operate from a place of trust, conducting awareness and capacity-building campaigns when it is up, instead of expecting immediate and strict compliance and becoming an obstacle for normal business processes. The panel also suggested that the number of compliances expected of small companies should be reduced. The approach to data protection should be to first get the basics right which is protecting the data of Indian citizens and building trust in the digital ecosystem. Overall, the panel advocated for a leaner model to regulate businesses and hoped for a more industry-friendly version of the Bill to be presented in Parliament.
