Like the EU, India must regulate data effectively
The European Union’s General Data Protection Regulation (GDPR) is considered a game changer in the technology policy world today. It has pushed several countries, including India, to adopt a regulatory stance towards personal data. The Justice Srikrishna Committee deliberations, leading up to the Personal Data Protection Bill (PDP Bill), is a reminder of the vast powers that this stance can vest with the bureaucracy. The proposed Data Protection Authority can investigate and adjudicate contraventions, formulate rules and monitor compliance, and evaluate ex ante whether a proposed processing of personal data merits course correction.
But while celebrating the might of the State against hitherto unchecked technology giants, it would serve us well to remember that better regulation is not coterminous with micromanaged legislative prescriptions. Often, such prescriptions are counterproductive, and especially so when regulating new technologies or domains that demand greater scientific expertise. India’s current experiences with food safety and the environment testify to this fact. Elaborate legislative prescriptions have led to unwarranted licensing and controls, while acute shortage of testing labs and qualified personnel persists.
Amid GDPR conversations, we tend to look beyond advances in the EU towards “better regulation”. This initiative over the past few years aims for regulatory outcomes at minimal cost. As part of the exercise, policy design and preparation, adoption, implementation and monitoring, evaluation and revision are subject to stringent evaluation. This evaluation involves fitness checks on how prior interventions advanced policy goals, impact assessments that deliberate upon alternative choices and their projected consequences, and collective consultations when the subject matter involves multiple regulatory or policy actors. Such collective consultations are particularly relevant to the Indian experience on regulating data and emerging technologies.
Take, for instance, the data localisation debate here. RBI’s April 2018 directive on storing financial transactions data locally hit the payments industry like a bolt from the blue. But this was only the beginning of episodic interventions that soon revealed how chequered policymaking can affect the borderless and free nature of the Internet as we have come to experience it over the years. The PDP Bill came next, stipulating server localisation for an undefined category of “critical personal data” which could be carved out ad hoc from a broader category of defined “sensitive personal data.” A new (and now redacted) e-commerce policy followed, prescribing a sunset period of two years within which all e-commerce data ought to be localised in India.
Oddly, none of these interventions exhibited consistency or clarity over the underlying policy rationale. Did the rationale emanate in a heightened ability to access data for law enforcement purposes? If so, no actual figures were forthcoming on cybercrimes where law enforcement suffered because of the server being located elsewhere. If, on the other hand, the rationale was to bolster investments in indigenous artificial intelligence technologies like China did, it was unclear how mere data residence in Indian servers would help when a significant chunk of such data continued to be under private control, or how the various other parallel initiatives China had embarked on could be conveniently forgotten when making this case.
Similarly, with the drone industry, conflicting positions struck by ministry stakeholders — civil aviation, home affairs, defence, telecommunications — resulted in significant delays before a set of regulations that can be characterised sufficiently “innovation-friendly” came into effect. Today’s digital economy demands mediating interests of both the Centre and states as it operates in domains that fall within the state or concurrent list under our federal scheme. It also demands a vibrant consultative process between multiple regulators to avoid turf war. The telecom regulator has been excessively expansive, transgressing into domains traditionally within the purview of the competition commission or ministries of electronics/information technology, and information and broadcasting. As the digital economy grows, such regulatory incentives to overstep are but natural.
To address comparable concerns, the EU has tightened its “better regulation” approach with the “innovation principle.” This principle requires assessing innovation effects of policy positions, thus ensuring that regulatory tools and design promote rather than hinder innovation. Thus, proportionality assessments to determine least burdensome solutions, temporary and experimental regulations, and the opportunity for industry players to challenge prescriptive norms and present alternative frameworks, work within a framework that keeps in mind the centrality of health, environment, and consumer safety for any well-formed regulation. India must work towards a similar regulatory culture, prioritising collective consultation over siloed responses and a unifying innovation impact principle when evaluating regulatory interventions.
Ananth Padmanabhan is a research fellow, Centre for Policy Research. This is the first in a series of articles presented for the CPR Dialogues starting shortly in New Delhi. Hindustan Times is the print partner for the event. For more: www.cprdialogues.org. The views expressed are personal