Times like these show the importance of digital infrastructure – Part 2
In part 2 of this blog on Digital Infrastructure, I examine the PDP bill in greater depth and its importance if India is to develop its digital economy further to lead the world.
In case you missed part 1, you can catch up here.
Considering the growing emphasis on AI, ML and IoT where ‘Data’ is key, for India to truly become a digital economy alongside other incentives there needs to be a robust Data Protection legislation. And yes, GoI has taken a big step by developing the Personal Data Protection Bill (PDP) which is currently with a Joint Committee for review. But the question here is, is the PDP actually a Bill to protect the rights of individuals and support innovation? Or is it more about the State taking control of data as suggested by industry experts including Justice Srikrishna, who chaired the original committee on Data Protection and released the first draft of the Personal Data Protection (PDP) bill in 2018?
The revised Bill cleared by the Cabinet provides blanket rights to exclude the applicability of the PDP to State agencies in the interest of ‘sovereignty’, ‘integrity’ or ‘public order’ placing the State on a different footing as far as ownership and processing of data is concerned.
The Bill also fails to clearly define what constitutes as ‘reasonable purposes’ for non-consensual processing of data. Although fairly similar to GDPR the PDP does not put the onus on the data processor to establish how non-consensual data processing must outweigh the data subject’s fundamental right. The definition of ‘reasonable purposes’ itself is a matter of discussion and based on past experience leaving terms undefined, to be based on personal interpretations. This may not be a good idea and could end up in a situation similar to the AGR definition issue which could cause more damage later on.
Another area of concern is the localisation and mirroring requirements which could potentially restrict the ability of local companies to participate and compete in the global marketplace by limiting access to the global supply chains. This could result in local businesses being unable to expand their product or services to large numbers of potential customers around the world. This isolation may not only result in reduced investment and access to capital and customers but also create hurdles for businesses, Indian and international, to come together to build solutions for situations like COVID19 and other national emergencies.
Should the Joint Committee nevertheless determine that restrictions on the transfer of personal data outside India are appropriate, the categories of information subject to such restraints must be clearly defined at the outset. As drafted, the PDP Bill establishes restrictions on “critical personal data”, defined solely as “such personal data as may be notified by the Central Government to be the critical personal data”. This definition does not provide clear direction for companies to establish compliance for this data category. Furthermore, the open-ended mandate that would permit the Central Government to designate additional categories of “critical personal data” is being seen with scepticism. This lack of clarity and scepticism will certainly deter businesses from using data for greater innovation.
Finally, in order to ensure consistent and effective enforcement of the data protection responsibilities under the PDP Bill, there needs to be in place a strong, independent and fairly-funded regulator. The regulator must have the requisite expertise to oversee rapidly changing digital services and the authority to engage with its counterparts around the world to facilitate collaboration and exchange of best practices. Read our recent report Data: The Foundation of Intelligent Economies for our full recommendations on the Data Protection Bill. Trust in the system, the regulator and judiciary is absolutely key here.
I agree that no one was prepared for a global emergency, a pandemic, like this. But we can be better prepared for the next time. A key challenge for Governments across regions today is to design policies and regulations that strike a balance between addressing valid privacy and security concerns and enabling movement of data to keep their economies dynamic, competitive and relevant in the digital age.
This is a time for global leaders to come together and support each other in whatever way they can, share knowledge and expertise and learn from each other to formulate the framework towards one global marketplace supporting its citizens and businesses. We, at the UKIBC, always stand ready to work with businesses and the Government of India to support them with their efforts.