The government unveils an ambitious data framework
The Digital Data Protection Bill 2022 embraces the notion of the flow of data across borders, largely doing away with data localisation requirements in previous versions.
The government released the latest iteration of its draft data protection law, the Digital Data Protection Bill 2022, on Friday. The draft comes on the heels of a rocky legislative process that started with the recognition of privacy as a fundamental right by the Supreme Court in 2017.
The Digital Data Protection Bill 2022 embraces the notion of the flow of data across borders, largely doing away with data localisation requirements in previous versions. The 2022 bill empowers the Centre to notify territories outside India where companies may transfer data after assessing factors it considers necessary. The provision is reminiscent of the concept of Data Free Flow with Trust (DFFT), an idea first proposed by Japan.
Initially, India critiqued DFFT as a construct not in sync with the interests of developing nations seeking to secure value from data generated within their borders. DFFT entails greater cooperation among nations to decrease friction against data transfers across borders. While rules for data transfer abroad will evolve, it is reasonable to expect that the Indian government will consider how data is protected in other jurisdictions.
The inclusion of a mechanism to permit cross-border data flows in the new bill reflects a broader strategic trend in India’s outlook towards trade, namely a recognition that greater openness is in its interest. Contrary to the caution exhibited earlier, India is aggressively pursuing bilateral arrangements with a diverse set of trading partners. It recently concluded a Free Trade Agreement with the United Arab Emirates and an interim Economic Cooperation and Trade Agreement with Australia, expected to be ratified shortly. It is negotiating with the United Kingdom and Israel and will begin talks with Canada. The move towards specialised, liberalised trading arrangements with trusted partners indicates that India recognises that it must embrace the world to gain economic might. The new draft bill will help enable pathways to achieve that by unlocking innovation and lowering costs.
Despite praiseworthy upgrades consonant with India’s new posture towards trade, there is some scope for improvement in the new bill. The bill adopts a consent-based privacy framework, in line with the European Union’s General Data Protection Regulation. Such frameworks require data processors to obtain consent from users before they use the latter’s data for any purpose. The problem with consent-based frameworks, however, is that they presume a significant amount of knowledge and awareness on the part of the user.
The Digital Data Protection Bill 2022 defines consent as freely given, specific, informed and unambiguous permission to process user data. However, privacy notices and policies are cumbersome. A 2008 study by researchers at Carnegie Mellon University found that users require a college degree to understand them. Another at Purdue University established that it would take a user 244 hours annually to go through the privacy policies of the websites they visited.
Consumer protection laws, of which consent-based data protection frameworks form a subset, often fail to achieve their objectives because of the level of agency they expect from consumers. Experts and decision-makers in some parts of the world have agreed to move beyond consent to safeguard user privacy. These developments beg the question: How do you build consumer trust in a post-consent world?
India’s G20 presidency presents an opportunity for developing a multilateral position on this. The answer lies in greater user awareness. A model is presented by the Energy Star labelling programme, introduced by the United States Environmental Protection Agency in 1992, to promote and help customers identify energy-efficient products. A 2015 review of the programme revealed that the Energy Star label had 85% brand recognition and saved consumers $430 billion in utility bills while reducing greenhouse gas emissions by 2.7 billion metric tonnes since its inception. India’s Bureau of Energy Efficiency has also done a stellar job at improving consumer awareness via Star Labels.
The G20 can be leveraged to trigger a similar global movement on consumer-friendly online privacy and safety. It can define a road map for certification of privacy protection. Such a mechanism may also serve as an incentive for the private sector to begin to use privacy protection as a competitive advantage, rather than a compliance obligation. This is the type of win-win that India can drive with this new legislative framework.
Meghna Bal is a fellow at the Esya Centre, a Delhi-based think tank
The views expressed are personal