By Ashit Kumar Srivastava
There are talks that the data protection bill might be scraped and a new one introduced. This was following the third round of discussion under consideration in Parliament.
The news that the Personal Data Protection Bill, 2019, might be stalled and a new one introduced on the pretext of suiting the technological ambiance of a growing India has come as a shocker. There have been various legislative endeavours in this regard, including the Supreme Court ruling of 2017 (KS Puttaswamy-I) which led to the origin of informational privacy. It also includes the BN Srikrishna Committee report on data protection, styled as the Personal Data Protection Bill, 2018, which was revisited in 2019 and again the following year by a Joint Parliamentary Committee. This was destined to be the new Data Protection Act, 2021.
All of these legislative and academic endeavours might be brought to an abrupt end because suddenly the Bill is found to be unsuitable for Indian technological growth. It is hard to imagine that all the industry consultations, innumerable sessions of committees and academic writings will become irrelevant suddenly.
There are several reasons why these delays might be more hurtful to India. Additionally, the idea of scraping of the bill does not seem logical knowing that India has lost precious time in drafting the legislation. Technological development is happening at the speed of light and probably by the time the new law comes in, it might not be in a position to compete with the technology developed.
Interestingly, the current data protection bill, be it 2018 or the revisited 2019 one, has drawn many references from the General Data Protection Regulation (GDPR), which has turned out to be a model legislation in this field. Thus, if the Indian data protection regime draws a reference on the lines of GDPR, there is nothing wrong in it; rather, it will lead to more standardisation of data protection regulations.
In the absence of a sound data protection regime, e-commerce websites and search engine websites are having a gala time in India. These websites have utilised this loophole to manipulate individual private data for advertising their products. In European countries where data protection authorities have been well-established, heavy penalties have been put on major e-commerce websites and search engine websites for violation of GDPR. But India is still lacking a legislation to even moderately control these entities.
Interestingly, when in early 2021 WhatsApp was changing its privacy policy and users were given an option of take it or leave it, the Competition Commission of India had taken a suo motu cognizance of the case on the pretext of abuse of dominance. But in a normal scenario, a situation like this should have been addressed by a data protection authority. In a digital era, the user is at the lower end of the bargain against a multi-billion dollar corporation offering services to him. In lieu of its services, the user is giving away personal information. Thus, the introduction of a data protection regime works as a bargaining tool against these MNCs.
The more the delay, the more the information being traded in the market and more the tools of extraction get sophisticated. Therefore, prompt legislation making becomes of utmost importance. Additionally, it cannot be denied that there were discourses of discontent against the Personal Data Protection Bill, 2019 in its current form, especially with regard to Section 35 (exemption clause) and Section 33 read with 34 (data localisation).
Many of the global players have shown discontent towards the exemption clause under which the government can exempt any of its agencies from the provisions of personal data protection. However, even under this exemption, the agency is subject to procedures, safeguards and oversight mechanisms as may be prescribed.
Additionally, the Joint Parliamentary Committee in its report has recommended that “such procedure” refers to just, fair, reasonable and proportionate procedure. Thus, it can safely be said that the exemption is not exemption per se. Additionally, there have been innumerable discussions on data localisation.
It cannot be denied that for ages, digital India or rather the whole of South Asia has been a consumer market, serving the cause of western corporations. Many times, data breaches have taken place in western soil. No one can forget the Edward Snowden incident, but due to lack of proper jurisdiction, no action could be taken.
Any step towards data localisation must be seen as a step towards a higher level of “constitutionalism” under which the native government is showing resistance against non-State actors. In fact, India is not the only country batting for data localisation; the whole of South-Asia (including Pakistan and Bangladesh) have shown signs towards this.
All said and done, what really matters for India now is a sound data protection regime. It cannot be delaying techno-laws, knowing very well that technology development is happening at the speed of light.
—The writer is Assistant Professor of Law at Dharmashastra National Law University, Jabalpur