Sign in

Protracted data bill saga has key policy takeaways

The Data Protection Bill, aimed at regulating the collection of personal data, is set to be introduced in Parliament after a long drafting process.

Published on: Jul 19, 2023, 22:36:00 IST
By
Share
Share via
  • facebook
  • twitter
  • linkedin
  • whatsapp
Copy link
  • copy link

After being cleared by the Cabinet earlier this month, the Digital Personal Data Protection Bill is set to be introduced in Parliament, marking the culmination of a long-drawn-out drafting and consultation process spanning two terms of the National Democratic Alliance (NDA) government. With this legislation, India is attempting to regulate the collection and processing of personal data that can be used to identify individuals. Strikingly, the prospective data protection law will constitute the only standalone information technology (IT) legislation enacted since 2000, despite our preoccupation with digitalisation. Even by the usually protracted standards of law-making — four iterations of one bill — is a lot of time and effort to devote to a piece of legislation. Hence, it is pertinent to examine why this process has taken so long and what lessons can be learnt to improve digital governance.

Calls for data localisation are reflected in all iterations until the 2022 bill, putting network infrastructure operators at odds with millions of apps that operate seamlessly across borders. (Stock)
Calls for data localisation are reflected in all iterations until the 2022 bill, putting network infrastructure operators at odds with millions of apps that operate seamlessly across borders. (Stock)

In August 2017, a nine-judge Supreme Court Bench held that privacy is a fundamental right. The government subsequently constituted a committee to draft a data protection framework, chaired by Justice BN Srikrishna. The Srikrishna Committee proposed the first iteration of a data protection bill in 2018. The draft was reworked and introduced in the Lok Sabha in 2019, when it was vociferously opposed for its prescriptiveness. It was then referred to a joint parliamentary committee where it lay dormant for two years, before a subsequent iteration was released in 2021. But it is hard to make meaningful changes to a bill once drafted. The government, therefore, decided to entirely overhaul the 2021 bill, and released the draft Digital Personal Data Bill in 2022.

Could the repeated back and forth on the legislation have been avoided? The Srikrishna committee borrowed heavily from European law, using the European Union’s (EU) General Data Protection Rules (GDPR) as a template. A sense of urgency in public discourse on privacy also hurried the transplantation of GDPR’s foundational principles to India, but not with enough forethought. India used GDPR’s principle of user consent as a cornerstone for businesses to responsibly collect and process data, taking a dictum that originated in health care. But little attention was paid to the differences between health and information markets. Naturally, consent cannot work without informed users and strong institutions that guarantee it is obtained freely. Even in Europe, less than three in 10 citizens were aware of their new rights one year after GDPR was implemented. Research later showed that users provided consent rather mechanically. This should have prompted more foundational and institutional legwork before drafting the bill.

To make matters worse, some telecom and internet network operators advocated that online app data be mandatorily stored in India. Network infrastructure players tend to advocate for data localisation as an inorganic market expansion strategy. They see data centres as commercial real estate with large returns, and naturally want protections that help them. For instance, listed telcos across the Asia Pacific traded at four to nine times their earnings before interests, taxes, depreciation and amortisation (EBITDA), whereas data-centre businesses traded on multiples of 20-40 times EBITDA, at the height of the pandemic in 2020.

Calls for data localisation are reflected in all iterations until the 2022 bill, putting network infrastructure operators at odds with millions of apps that operate seamlessly across borders. This raised intergovernmental concerns when coupled with the fluid scope of previous bills that extended beyond personal data. A United States Trade Representative 2022 report characterised the prospect of data localisation as a market access barrier, which would invoke retaliatory trade measures. Data localisation also pitted network infrastructure companies against consumers who would eventually bear additional costs.

Going forward, India should move towards an empirical policy-making approach for the digital economy that is user-friendly and evidence-based. Empiricism will serve the country’s IT strengths well because it will respond to market realities, not special interests. Consider the fact that Mumbai emerged as a veritable data centre capital in the Asia Pacific region, only behind Shanghai and Tokyo.

It is the result of burgeoning demand for data services in India, and not supply-side protections such as data localisation. The positive correlation between user demand for online services and the supply of data centres in other parts of the world was always evident. The Indian State has limited capacity and should, therefore, augment legislative capacity via transparent and dynamic public-private research partnerships. We must not rely on government committees that operate in silos, especially when in a hurry.

Reflecting on the many such lessons from the protracted saga for future laws such as the proposed Digital India Bill and Digital Competition Bill, will prevent history from repeating itself.

Vivan Sharan is partner, Koan Advisory Group. The views expressed are personal