India’s proposed data protection law is expected to address the issue of ownership. Image: iStock

India is likely to witness the strongest push for data localization ever as parliamentarians debate a personal data protection bill, Asia Times has learned. If the push becomes a reality, big tech and social media companies like Facebook and Google will have to contend with new rules that will hamper their operations in India.

The plan to go big on data localization comes after two meetings of a joint parliamentary committee that was set up a few weeks ago – after Prime Minister Narendra Modi’s government introduced the Personal Data Protection Bill (PDP) in Parliament in the last session held in December 2019.

“In the first meeting the members of parliament received a broad presentation from the Ministry of Electronics and Information Technology. In the second meeting held on February 18, the members were very keen to ensure that social media and big tech companies ensure data of Indians remains within the territorial boundaries of India. That seems to be the key take away,” a senior official familiar with the proceedings told Asia Times.

This, if accepted by the government and added to the proposed data protection bill, will have major consequences for data flows from India to the rest of the world. It will also mean that companies like Google and Facebook, which depend on content generated by users to sharpen their advertising algorithms, will now have to reshape their business models.

Many companies are also worried about whether the data restrictions will be feasible because the Internet depends on servers placed strategically throughout the globe. As data travels from server to server, it is impossible to ensure it is not stored under different jurisdictions for different purposes.

The need for a data protection law came out of a historic Supreme Court judgment passed unanimously by nine judges in August 2017. The constitutional bench ruled in what is now known as the Puttaswamy judgment that privacy is a fundamental right and therefore, data protection, one of its key elements, must be enshrined in law. This will ensure Indians will have legal protection from other parties having access to their personal data and misusing it. But researchers and advocates of the law are beginning to worry that the government wants to use the proposed law to build a bigger mass surveillance capability and has little interest in protecting citizens’ data.

Amber Sinha, research director of the non-profit Center for Internet and Society, has been following the data protection debate for years. “The movement towards a data protection law is a welcome and much belated development. There is a need for the parliamentary committee to align the bill with the principles enshrined in the Puttaswamy judgment,” he said. However, he is also concerned that key issues like the mass surveillance of citizens are not being discussed as much as they should be.

“On matters of surveillance, the protection of individual privacy is given primacy over all other interests, and should be the mandate of any data protection law. There is also dire need to make the proposed data protection authority more independent and accountable to ensure that the law is effectively implemented and enforced,” he said.

Smriti Parsheera, a lawyer for the National Institute for Public Finance and Policy who has been tracking the bill, agrees with Sinha’s assessment. “The bill needs significant strengthening in terms of the design, independence and accountability of the Data Protection Authority. The Data Protection Authority is going to have a unique remit in terms of covering all individuals, private entities and state actors and across all sectors of the economy. To make this work effectively we need a radical rethinking of regulatory governance practices, but what we have instead is a bill that does not include even the basic checks and balances that we see under existing Indian laws.”

According to top government sources, the committee has so far not even discussed the controversial section 35 of the proposed law. This section gives the government blanket powers to access any sensitive data of Indian citizens in the name of national security. In fact, this goes against the very grain of a comprehensive report that was put together by a government-appointed committee headed by a retired Supreme Court judge, Sri Krishna. In fact, a note prepared by him was also circulated among MPs in the first meeting, along with a comprehensive analysis of the changes made between the draft that was recommended by his committee and the new version introduced by the government in Parliament.

Government sources also suggest that the joint parliamentary committee members currently examining the bill are divided along party lines. “Those from the ruling party, the BJP, seem to have been briefed on pushing for data localization. They are also keen to ensure that social media companies can be regulated in some form so that politicians and their parties can’t be targeted easily,” the official said.

Researchers and advocates of privacy like Parsheera also have other worries that the joint parliamentary committee members have not discussed. “For instance, the bill does not provide for the kind of transparency in regulation making that we see in the case of the Telecom Regulatory Authority of India or the Airports Economic Regulatory Authority of India. It also does not have independence in the selection process that other laws in India currently have,” she said. “In addition to its regulatory and enforcement functions, the bill entrusts the DPA with the duty to address individual complaints, a function that should ideally rest with a separate body like the banking ombudsman,” she added.