What direction will data privacy take in India? The Quantum Hub, Manish Tewari and experts discuss

In a surprising move on August 3, 2022, the government of India abruptly withdrew the Personal Data Protection Bill, 2019, and indicated that a ‘comprehensive framework’ for data protection and privacy is in the works. The Quantum Hub (TQH) and YourStory had, in the last few months, launched a series of discussions titled ‘Reshaping India’s Data Governance Landscape’ on the PDP Bill 2019, discussing its ramifications on a variety of stakeholders and digital entities. Now, Union Minister for Electronics and IT Ashwini Vaishnaw has committed to submitting the draft of the new Bill no later than the next budget session.

In light of these developments, TQH in partnership with YourStory, held a discussion on the direction that India should take with this new bill. Panellists for the discussion included keynote speaker Manish Tewari, Member of Parliament, Lok Sabha; Nehaa Chaudhari, Partner - Policy, Ikigai Law; Amol Kulkarni, Director, Research, Centre for Competition, Investment and Economic Regulation (CUTS); Trishee Goyal, Research Fellow, Vidhi Centre for Legal Policy and moderated by Aparajita Bharti, Co-founder, The Quantum Hub.

Building a new framework for data governance

Setting the context for the entire discussion, Manish Tewari opened his keynote address by mentioning how the period from the 2017 verdict of Justice K S Puttaswamy vs. the Union of India on the right to privacy to the withdrawal of the PDP Bill 2019, has gifted India with perspective on the past and insight into the future of data protection. Based on his experience as a member of the Joint Parliamentary Committee and as the Minister of Information and Broadcasting (2012-2014), he firmly asserted that the new Bill must be drafted by digital natives, not lawmakers in their 50s and 60s. This is why, in his words, the PDP Bill 2019 was “a very typical brick and mortar government bill, which didn't really understand the nuances of the cyber civilisation or the virtual civilisation”.

The process of building a comprehensive framework for the new bill should also be far more transparent, according to Nehaa. Citing the example of the European Union, she said that official sources of the government should now be open about what stage the policymaking and lawmaking was at. Furthemore, there should be transparency around all Cabinet meetings, the ministers who are examining the drafts or the various iterations and versions of contentious or big topics in the bill so that people can step in and add their feedback or changes periodically before the bill is introduced in the Parliament.

Easing the cost of compliance and doing business in India

Another issue touched upon by Mr. Tewari in his keynote speech was the cost of compliance. Legislation, he said, is always accompanied by a cost of compliance. When you enforce a new law, compliance is the cost that people have to bear. Now, the titans of industry would be able to factor in this cost and move on. However, this will be a heavy burden for India’s startups and small business entities to bear. Additionally, startups who are experts in technology, not necessarily in law, would find it hard to untangle and factor in these compliances.

In the course of this discussion, Amol also spoke at length about the ease of doing digital business. He spoke about how the government is approaching the regulation of new technologies and the emerging digital economy. He was in agreement with Mr. Tewari on how different arms of the government must work together in drafting a new bill. Additionally, Amol discussed CUTS’ new business study on the ‘Ease of Doing Digital Business’. The study revealed that the government had pushed the Ease of Doing Business (EoDB) mandate by reducing licences, decriminalising offences, reducing compliance burdens and more in a traditional economy. However, the regulation of the digital economy involves a lot more criminalising offences, disproportionate regulations and uncertainty which leads to ambiguity. He said, “Unless and until you have your fundamentals clear in terms of what is the scope of personal data versus non personal data, what is the scope of sensitive personal data or critical personal data…this uncertainty will result in unease of doing business in India.”

He also spoke about the uncertainty around sensitive data, such as child data protection. While this subject is important, prohibiting the process of data generated by children under the age of 18, without the consent of their parents, can have many unintended consequences on businesses, consumers, citizens and core data principles.

Re-examining the role of the Data Protection Authority

The Data Protection Authority (DPA) was a regulatory body that the government proposed to set up in the context of the PDP Bill 2019, to handle and solve issues related to personal and Non-personal Data. When discussing the new bill, Nehaa spoke about the changes she would recommend for a new DPA, the most important of which was accessibility. She said setting up different benches in different parts of the country would be more efficient, as opposed to one regulator sitting in Delhi. Without access to the DPA, how could grievances be addressed or problems solved?

Data localisation is unclear in the hands of the government

Data localisation - the practice of keeping data within the region from which it originated - remains unclear in India, according to Mr. Tewari. While sensitive data has been defined to some extent, the categorisation of critical data is wholly left to the government to define. This essentially means that personal data (that can be sent abroad to other countries) will be solely defined by government regulations.

The Digital India Act or separate legislation?

Recently, the Ministry of Electronics and IT has also indicated that it is working towards a comprehensive legislative framework for the tech ecosystem in the form of a Digital India Act. The sprawling Digital India act aims to cover the vast digital landscape. However, as Trishee stated, this could be problematic. It would be far better to create legislation around specific issues, such as online harms. From an enforcement perspective, it would make more sense to create separate legislation to handle different sections of the Digital landscape, and it would make passing these legislations through Parliament easier.

No consensus around consent

While consent refers to the informed and unambiguous indication of a data subject’s wishes, the issue of consent is far from clear. Furthermore, while there is consensus on the importance of data governance and principles, the implementation and interpretation of these will differ.

As Nehaa explained “On consent, we have a house divided in terms of what the contours of consent should look like. Whether or not consent is even necessary, whether it's broken, whether we should look at accountability, instead of consent or whether we should look at alternative grounds of processing data.”

She went on to say that a consent-heavy framework would not empower either individuals or businesses and that India has to look past consent.

According to Mr. Tewari, the new Bill should have to go through a Joint Parliamentary Committee for consideration. He also emphasised that strong data governance practices would have to be created for rural India, where basic privacy still remains a challenge. Finally, the panelists were in agreement that the Bill should apply equally to both the private sector as well as the government and its agencies.