Anyone outside government who tries to predict the outcome of India’s proposed “data protection” legislation can be forgiven for feeling at sea, lost in a political and legal fog – even though the bill is due to come up between now and mid-July. What’s nevertheless a good bet is that the Narendra Modi government with its absolute parliamentary majority will get what it wants.
Although the Cabinet has not yet decided precisely what the government wants, an “expert committee” advising the government supports introducing the highly controversial policy of data localization – a requirement that data, and especially data that impact government operations, be stored on servers that are physically inside the country. Much of industry worries that localization will lead to multiple jurisdictions with different legal frameworks, adding to the complexity of data protection in the digital age.
Technology companies have lobbied Indian policymakers to roll back any proposal for data localization. A closed-door meeting last week called by the union minister for commerce, Piyush Goel, saw many industry representatives expressing concern.
Rama Vedashree, the CEO of the Data Security Council of India, a body that actively represents the technology industry was among those who made interventions. “The global technology industry is clear that data localization is not justified,” she told Asia Times.
Interestingly, she was also part of the expert committee headed by Justice Sri Krishna that made recommendations to the government on the data protection bill. “We made strong submissions from the industry but we have no idea what the government did with them,” she said. “We have no clarity so far. When we pointed out that the draft bill is not in the public domain for us to send in our views, the minister suggested that after it is introduced in the current session, it could be sent to the relevant standing committee of Parliament. He assured us that if that were to happen, we can make our submissions to them,” she said.
“Data localization is a proposal that is clearly on the top of everyone’s mind,” a senior public policy official from a global technology company told Asia Times. “Even major payment companies like MasterCard and Visa are extremely worried and are in discussions with the US government to leverage its clout with the Indian government over this.”
Localization is not the only issue. The new law is expected to address, as well, the question of who owns data – the user or the technical platform. Meanwhile the proposed legislation controversially so far fails to address how new technologies such as IOT devices like ‘Alexa’, create new challenges by collecting ambient data.
The proposed law, once passed by Parliament, will have major consequences for technology companies hoping to build businesses that access user data. Most technology companies like Google, Facebook and others now thrive on data generated by their users to earn billions of dollars worldwide. Mukesh Ambani who heads Reliance Industries, India’s biggest firm working in the energy, telecommunications and retail space, pointed out in January this year that “data is the new oil“.
However, while the cabinet is yet to clear the final draft of the data protection bill, technology and privacy experts are concerned about the implications of the proposed new law. Many companies, including the technology giants hoping to tap into India’s massive markets, are apprehensive about what this entails for their core business models.
Here’s the background for this potentially momentous legislative push: In August 2017, a nine-judge constitutional bench of the Supreme Court overturned decades of jurisprudence to rule that privacy is a fundamental right for all Indian citizens. The Puttaswamy judgment came as part of a slew of petitions that had challenged India’s decade-old ambitious program to ascribe a digital identity to every Indian.
The program, known as the “Aadhaar project” was launched in 2009, and immediately gave rise to fears of surveillance by the state. Petitioners went to the Supreme Court challenging the program. In 2017 the Modi government argued in the court that privacy was not a fundamental right. However, the Supreme Court ruled otherwise, and sparked off an intense debate to frame data protection rules as the first step to enshrine a comprehensive privacy framework for India.
This has major implications for technology companies and startups that are hoping to improve their profits by cashing in on data generated by users.
In 2018, the Supreme Court finally settled the challenges against the Aadhaar digital identity program. By a majority of four to one, the Supreme Court upheld its constitutional validity, but added some riders, including a ban on private companies from using any citizen’s data generated by the program.
For years, cybersecurity researchers have been pointing out major lapses in the digital identity program security. This increased pressure on the government to come up with a data protection law. The government set up a committee of experts under a retired Supreme Court judge, Justice Sri Krishna, to come up with a draft law.
“In our submission to the Sri Krishna Committee, we had suggested that the government must ensure a principles-and-rights-based approach towards protecting personal data in India,” Kazim Rizvi, the founder director of the technology research group The Dialogue, told Asia Times. “Any data that is collected, processed, or shared in India should flow and be governed from the principles of consent, purpose, storage limitation, and grounds for lawful processing [and] the Bill is a welcome step forward towards protecting digital rights,” he said. However, “surveillance, data localization, extra-territorial applicability and the lack of an independent regulatory structure are key challenges.”
Lapses in data regulation
Nikhil Narendran, a partner in Trilegal, one of India’s biggest law firms, who specializes in technology laws and regulation, has been keenly contributing to the policy debates around data protection in India. He says the bill in its current form poses major challenges to technology firms in India. “From what we have gathered so far, the proposed law lacks clarity on the ownership of data. The Puttaswamy judgment ruled that privacy is a fundamental right. But the law needs to clarify who owns this data.”
Narendran also pointed out that there are several constitutional challenges to the proposed law. “The bill that is likely to be presented in Parliament has one entity to enforce and adjudicate as well as frame policies on data protection. However, this could be challenged on constitutional grounds and tie up the law in knots. Also, there is a lot of ambient data being collected by new technologies such as the IOT devices. We need to understand how these will be tackled.”
Rizvi added, “Data localization will significantly impact the progress of a digital economy as forcing local storage will hurt jobs, growth of IT infrastructure, as well as a trade barrier and challenge the free market economy. Studies have stated that localization could affect up to 1% growth of GDP and eventually increase the cost of services to the consumers,” Rizvi said.
In its current form the proposed data protection law could also impact the rights of citizens. Anupam Saraph, an expert on designing complex systems and future technologies has been a vocal opponent of the Aadhaar digital identity program for years. He fears that the proposed law will do little to protect citizens and, instead, will fundamentally alter the relationship between citizens and the government.
“The proposed law moves our rights to our relationship with our government or service providers to these data fiduciaries and in the case of grievance to “adjudicating officers” or further to “appellate tribunals”. This creates a totally new bureaucracy,” he said, who will not do anything to curb the misuse of data, since they profit from it. “The Personal Data Protection Bill, far from protecting India from private interests, enables digital economies to use it as their Trojan horse to invade privacy and destroy our rights.”
The use of data that was collected under the Aadhaar digital identity program has been fiercely contested and remains deeply controversial. However, despite the Supreme Court’s having struck down any such usage, the government passed an ordinance to allow private companies to continue using this data. The proposed data protection law is all set to allow the private companies to continue using this data until a fresh challenge is mounted in the Supreme Court.
Global technology companies and businesses dependent on the use of big data are gearing up to see how the law impacts their future business in India.