After the Supreme Court of India declared privacy a fundamental right in 2017, the country saw two drafts of the PDP Bill — the first in 2018 and another in 2019. The draft 2018 Bill authorised 10 national agencies to intercept, monitor, or decrypt any digital information. The PDP draft Bill in 2019 granted central government agencies the same powers over personal and non-personal data.
The 2019 draft Bill stoked criticism for the excessive powers granted to central government agencies to access personal data without consent. Former justice of the Supreme Court of India, Bellur Narayanaswamy Srikrishna, who headed the committee that drafted the Personal Data Protection Bill, warned in late 2019 that the legislation could lead to personal data being misused by the government.
India’s data and internet economy started flourishing in the late 2000s. Data protection was then based on the Information Technology (IT) Act of 2000, which only had provisions for the punishment of negligent data handling. In the years since, regulations pertaining to data privacy in India have largely been sectoral, leading to disparate ways of interpreting privacy and data protection.
India’s National Unique Digital Identity system, Aadhaar, based on voluntarily registered biometric data (fingerprint and iris scans), now includes over 1 billion people, making it indispensable to aggregating and delivering government services. When mobile internet users reached close to 500 million in 2018, the increased use and storage of personal data by the government, tech and telecom giants exposed the inadequacy of the existing laws in preventing data vulnerability and privacy breaches.
With the increasing demand for a stricter regulatory regime, the 2019 PDP Bill proposed a legal framework along the lines of the European Union’s 2016 General Data Protection Regulations (GDPR). The Bill covered personal data, attributable information (name, age, gender, sexual orientation, biometrics) and other genetic details but had limited provision for non-personal data in anonymised form. The Bill then underwent 81 amendments from a Joint Parliamentary Committee before being withdrawn from the Lok Sabha (lower house of the Indian parliament). The provisions of the Data Privacy Bill were expected to address three major concerns.
The first was the usage and protection of personal data and its vulnerability to data breaches by tech companies. India reported 313,000 cybersecurity incidents in 2019, making it the third largest destination for data breaches worldwide. Those facing data breaches included both private company such as Domino’s Pizza and public enterprises such as the State Bank of India.
The new Bill proposed to deal with this issue through stringent regulations on cross border data flows and stricter regulations for tech giants. These changes concerned tech companies with servers outside the country. They would have faced the burden of compliance and had difficulty accessing data from India, one of their rapidly growing markets.
The second concern was that the government, which holds the largest amounts of personal data relating to its residents, including biometrics, would use the data for surveillance or to infringe on privacy. Aadhaar health data is susceptible to cyber-attacks, having experienced accidental data leaks and unauthorised access by government employees. Yet Chapter VIII clause 35 of the proposed Bill exempted the government from compliance with all provisions to protect the ‘sovereignty and integrity of India, national security, friendly relations with foreign states and public order’.
The final issue was the stringent data localisation provisions that sought all data fiduciaries to store a copy of personal data collected in India. ‘Critical personal data’ — a category left undefined at the time — could only be kept in India. That faced pushback from tech giants that, while operating in India, store user data in foreign jurisdictions favourable to individual privacy rights. Data localisation is a sensitive issue for the government because there are concerns about the non-availability of data preventing the investigation of serious crimes involving citizens outside the country.
On the one hand, ordinary citizens or users of social media sites and other internet users are worried about their data security and privacy. On the other hand, governments are concerned about national security and protecting basic rights of citizens when tech giants hold reams of personal data. Corporates and tech giants worry about how excessive data regulations and government surveillance could lead to a loss of trust in their services if the personal data they hold is compromised.
India has a peculiar national security problem — most of its citizens use foreign owned social networking sites such as Facebook, Instagram, Whatsapp and Google. But their internet hardware, network infrastructure and mobile phones are dominated by Chinese players.
While the revised PDP Bill will be released for consultation by the end of 2022, lawmakers are expected to water down the data localisation component to make it more palatable to multinational corporations. They are also expected to permit government access to personal data for national security reasons and keep social media platforms under check through grievance appellate committees.
Dharish David (PhD) Associate Faculty for the University of London at the Singapore Institute of Management Global Education (SIM GE). He is also a Research Manager at Global Angle, a market research and consulting firm in Singapore.
B. Rajeshwari (PhD) is a Senior Consultant at Niiti Consulting. She has over 15 years of experience working in research, academic institutions and development organisations in India and Europe.