Since the EU tightened the protection of personal data with the General Data Protection Regulation (GDPR), calls for implementing measures reducing data vulnerability and preventing erosion of user privacy have been resounding worldwide.
A series of allegations against tech giants for misuse and mishandling of personal data was a major turning point in how people look at the issue of data privacy breaches. Many jurisdictions subsequently overhauled existing laws to pave the way for stricter regulatory regimes.
India is no exception – and is also making efforts on this front.
Currently, this space is regulated by the Information Technology Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Section 43A of the IT act entitles a data principal to seek compensation for unauthorised disclosure of sensitive personal information. Section 72A is the penal provision under which a person, including an intermediary who discloses sensitive personal information without consent, can be punished with imprisonment or a fine.
However, these laws are considered inadequate as their scope is quite limited. Therefore, a comprehensive draft law, the Personal Data Protection Bill, was introduced in 2018 to reshape the regulatory regime. It is aimed at providing the right governing mechanism and deploying the right data infrastructure so that the power of data could be unlocked for India.
But the bill has been hit by a series of controversies – and has already been amended thrice.
On referral to a Joint Parliamentary Committee (JPC) comprising members of both Houses of the Indian Parliament, the JPC report was published along with the revised Data Protection Bill on 16 December 2021. The new bill seeks to regulate both personal and non-personal data, which means that the scope of the proposed law has been widened.
As regards the foundation of the proposed legislation, it is based on the principle laid down by the Supreme Court of India in KS Puttaswamy v Union of India, according to which anything that restricts the right to privacy of a person should be sanctioned by law and must have procedural safeguards against abuse.
The most controversial element of the bill is virtually carte blanche exemptions for the government. Clause 35 exempts the government from compliance with all provisions when necessary for protecting the sovereignty and integrity of India, national security, friendly relations with foreign states, and public order. Despite sharp criticism, the JPC has retained this provision.
To limit the surveillance powers of the government, it has added an explanation saying the procedure to be followed by the government must be “fair, just, reasonable and proportionate”. Although adding this qualifier to exemption is a welcome move, it may not be sufficient.
Judicial oversight is critical to avoid arbitrary government actions – government requests for availing of exemptions should be sanctioned by courts. Moreover, the broad procedural mechanism providing for enough safeguards should be captured in the bill itself. Also, as suggested by some JPC members in their dissent notes, “public order” should be deleted for the purpose of narrow tailoring of the provision.
Another issue surrounds the composition of Data Protection Authority (DPA), which would be responsible for monitoring compliance and enforcement of the law. According to the 2019 bill, all DPA members need to be appointed by the central government, on the recommendation of a selection committee comprising the cabinet secretary and two secretory level bureaucrats. After the original provision attracted criticism, in the 2021 bill, the JPC has now included the attorney general as a member of the committee. To make JPC abundantly independent, judicial participation needs to be considered – and a senior judge (preferably someone who has delivered a few notable pronouncements on data privacy) should be made a member.
The provision on data localisation is also one of the most contentious. The original 2018 bill had a blanket data localisation provision that was severely critiqued. In subsequent versions of the bill, this was relaxed a bit because of heavy pushbacks from other countries. The Data Protection Bill of 2021 now provides for soft localisation, requiring the mirroring of sensitive personal data and mandatory local processing for critical data. In other words, it permits the transfer and storage of sensitive personal data outside India, provided that a copy is stored locally.
Sensitive personal data includes data relating to health, religion, sex life, political beliefs, biometrics, genetics, finance, etc. Such data can be transferred outside the country if certain conditions are met – exactly along the lines of the GDPR’s adequacy mechanism. However, there is a bar on the transfer of critical data outside the country. It must be processed and stored exclusively in India. But the precise definition of critical data is awaited. Hence, there is not enough clarity as to what kinds of data it would cover.
The government has given quite a few reasons as to how data localisation would be beneficial for India. India is a huge data market, a large amount of India’s data is physically stored on servers located in the US, Ireland, etc. Mandating local storage would lead to the emergence of large-scale data centres in India, thereby aiding employment generation locally. It is believed that boosting the country’s overall IT or data infrastructure in this manner would fuel economic progress and help make India a global data processing hub.
While this protectionist vision on cross-border transfers of data seems to be good, the calculation of net benefits is important before implementing it. To ascertain if this regime would produce net profits or not, it would be crucial to assess if it would risk losing a considerable number of foreign businesses that offer data-based services in the country due to the added burden of complying with data localisation requirements. And the possibility of retaliatory actions by foreign governments against Indian companies should also be factored in.
Better law enforcement is another advantage which is touted by many. Enforcement agencies in India face constraints in accessing data stored in other jurisdictions. For instance, if a serious crime is committed and investigated in India, and critical evidence lies with some US-based service provider, the government would have no option but to use the data gathering mechanism provided under the India-US Mutual Legal Assistance Treaty (MLAT), which is quite cumbersome.
The US government seeks a court order before accepting a MLAT request from India. A US court determines if the Indian request satisfies relevant legal requirements under US law before passing the order accordingly. Once the order is granted, the US service provider produces the requisite data and shares it with the US Department of Justice to review for legal compliance before finally releasing it to India. This is a time-consuming process that generally takes several months – and the lack of timely access to data might frustrate any investigation.
Data localisation would offer a solution and ease data access by Indian government agencies. However, measuring and analysing as to what extent it would reduce India’s reliance on MLAT systems is crucial. We may look at the percentage of data or evidence required by enforcement agencies, which would be easy to access if the proposed soft variant of data localisation that requires mirroring of only sensitive personal data (and not all personal data) is adopted. Localisation is expected to supplement MLAT systems and other bilateral executive agreements with countries for direct access to data. But it is important to assess the risk of the local storage mandate hitting India’s eligibility to sign such agreements – and hence proving to be counterproductive.
Various thoughts on this are flowing in from different quarters. A recent report by India-based global think tank (Observer Research Foundation) argues that India’s local storage mandates may be an obstacle in negotiating an execution agreement with the US under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), an enabling US law that opens the way for international cooperation on data access by foreign governments for investigating “serious crimes” when national data laws are in conflict.
If India was a CLOUD agreement signatory, investigating a crime with related data stored by a US-based service provider, then no US warrant or court order would be required to access that data. An Indian court order could be used for that purpose. Indian government agencies could directly reach out to this US service provider and ask for the requisite data. But, to qualify for CLOUD Act agreement, India must have adequate domestic data protection laws. The CLOUD Act lists out factors to be considered in ascertaining adequacy.
India has not yet shown any interest in signing the CLOUD agreement. But nonetheless, it would be important to keep in mind that, in the future, if India considers signing the agreement, localisation mandates and wide surveillance powers of the government under its domestic law may affect the country’s adequacy status.
India is envisioning using its leverage in the global data economy, because of its huge size and number of internet users. But the Data Protection Bill is super critical to making a holistic assessment of the proposed law and the risks that some provisions carry – particularly those on cross-border transfers – to ensure the eventual law doesn’t go contrary to the stated vision.
Given the complexities of the issues at play, fine-tuning the critical provisions and reaching a consensus is indeed a challenge. Therefore, it may still take more time before the law finally sees the light of the day.
Data is the oil of the information age. Despite the varied and complex socioeconomic and political landscapes, many Asian jurisdictions are taking giant strides in strengthening personal data safeguards. Writing in Asia Business Law Journal, Manisha Singh and Simrat Kaur provide an in-depth review of the data protection measures in India. Currently, this space is regulated by the Information Technology Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.