India’s New Digital Personal Data Protection Bill: What should be the way forward?
The new Digital Personal Data Protection Bill is a step in the right direction as it tries to establish a progressive data protection regime for the country.
The bill has various laudable provisions, which would aid businesses, especially the startup ecosystem, to flourish, in addition to some key concerns which need attention.
Narrowing the scope of the bill
Narrowing the scope of the data protection regime to personal data protection is a welcome move, as it resonates with the concerns of various stakeholders. We have been highlighting the implications of incorporating non-personal data, social media intermediaries, criminal penalties, and data localisation.
With the genesis of the data protection regime set straight by concentrating only on personal data, non-personal data could now be used to unlock social and economic value to benefit citizens, businesses, and communities in India with appropriate safeguards in place.
Removing social media intermediaries from the purview of this bill is a step in the right direction, as they fall within the ambit of the IT Act and including them would have caused regulatory arbitrage.
In addition, removing the concepts of sensitive personal data and critical personal data is a significant step that brings consistency to the bill, since critical data remained undefined in its previous versions. As critical personal data was not defined in previous versions of the data protection bill, many respondents in our study, including data processors and cloud service providers, noted that this could cause compliance uncertainty, which adversely impacts the industry.
However, removing ambiguity around critical personal data could alleviate the cost concerns where a constant change in definition and uncertainty could have hampered businesses.
Removal of criminal penalties
The removal of criminal penalties from the bill is a step in the right direction, as this would propel innovations by many startups and Small and Medium Enterprises (SMEs) without the fear of imprisonment for unintended consequences.
While there is inconsistency in the upper limit of financial penalties, the way of determining the amount of a financial penalty to be imposed based on the nature of non-compliance, the nature and type of personal data affected by non-compliance etc., would cause concerns for startups and SMEs as they have limited resources at their disposal. Additionally, calculating penalties proportional to non-compliance without slabbing according to the market share of the business places startups on an uneven keel with bigger organisations.
Therefore, introducing slabs for financial penalties according to the market share or a percentage of annual turnover could be a progressive measure. In addition, it would be ideal for the bill to set out procedural clarity for the Data Protection Board in determining and calculating penalties per incident.
Enhancing cross-border data flows
Through our extensive research and stakeholder engagement, we have been a voice for enabling the free flow of data, which is critical for attracting foreign investments and pushing digital exports. Therefore, removing data localisation to introduce trusted data flows is a welcome move, which would help the domestic startup ecosystem to scale and overarchingly increase the quantum of digital trade.
The free flow of data will help startups access cost-effective technology and storage solutions, as our research shows. Relaxation of the data localisation mandate would aid startups and companies in reducing the additional layer of money dedicated to local storage and data processing on top of other compliance costs, pressure to sustain, resource constraints in finding people, etc. While macroeconomic repercussions would be minimal at the business level, relaxation could significantly reduce the cost of accessing or purchasing technological solutions. Through our study, startups and businesses highlighted that having options to store their data across geographies is a better option.
The cost of data localisation is not always an economic cost; it also involves indirect costs which can’t be quantified, like expertise and time. For instance, in a resource-constrained environment, the relaxation of data localisation can help startups optimise resources for business development and innovation rather than compliance. As indirect costs increase with data localisation in terms of infrastructure costs etc., startups and businesses highlighted in our study that the price of the services and commodities provided would increase, ultimately hampering the demand curve as India is a price-sensitive market. The Indian market is susceptible to price, where businesses have to input the additional cost to optimise the price. Therefore, in such a sensitive market, the relaxation of data localisation would help startups and businesses by not making them pay the additional compliance burdens and costs associated with the localisation mandate.
However, as we move forward, it would be critical for the government to establish a standardised procedure for determining (a) countries to which data flow could happen (phase 1), (b) a framework to be followed for the data transfers (phase 2) and (c) mechanisms to be followed for the data transfers (phase 3). Phase 1 would be to establish a standardised procedure to identify and notify countries to which the data could flow such that the free flow of data can be enabled with countries that share a positive relationship in trade, investments etc. Besides, during phase 2, the principle-based framework could be one of the best possible options that India could consider, which can fulfil the objectives of deploying safeguards to ensure security, privacy and data protection while allowing data to flow freely across borders. Finally, in phase 3, as India moves toward enabling cross-border data transfers with other jurisdictions, it is essential to consider a combination of the mechanisms, such as Contractual Clauses, Binding Corporate Rules, Code of Conduct, Certification Mechanisms etc., tailored to embed the principles.
Importance of Sandbox mechanism
For building cooperation between data fiduciaries and authorities, the sandbox mechanism would be crucial, where the data fiduciaries can test their innovation against the set principles notified by the board. While the previous versions of the Bill provided for a sandbox mechanism, the new Digital Personal Data Protection Bill 2022 has removed provisions related to constituting a sandbox mechanism.
The removal of the sandbox mechanism to test innovation is concerning. The sandbox mechanism could effectively introduce new technology to lawmakers and regulators to prevent a fear-based reactionary ban and instead seek exemptions for the new technology rather than ad hoc legislation. While technology can be dynamic, changing legislation can be time-consuming and strenuous, so the sandbox mechanism could have created the needed exemptions based on principles for businesses to flourish. Therefore, there is merit for the government to consider bringing back the sandbox mechanism.
Also, there is a need to examine whether the Data Protection Board can collaborate with different regulators and authorities to run integrated sandboxes that allow innovations to be evaluated collaboratively by bringing back the clauses on MoUs with other regulators. In practice, this could involve entities (classified as data fiduciaries) proposing innovation being tested against a horizontal set of principles and by an additional framework developed by the Data Protection Board in coordination with other sectoral regulators.
As we expect the new form of the Data Protection Bill to be introduced in Parliament soon, we hope these aspects are considered while building India’s comprehensive data protection regime.
Edited by Megha Reddy
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)