Sanjeev Ahluwalia | Personal data is only half protected' by new data bill
It includes a bland provision for transfer of data outside India to countries notified by the govt on terms and conditions to be specified
When is a bill only a “half bill”? The answer (borrowing from Chetan Bhagat’s bestseller Half Girlfriend) — when it just tables good intentions, like the draft Digital Personal Data Protection Bill which has been put in the public domain by the ministry of electronics and information technology.
In these lean times, as the robustness of parliamentary debate is getting squeezed by the decimated Opposition benches, a lowering of the bar for the consultative spirit seems inevitable. To be fair though, data privacy has been debated at length. The legal driver behind the protection of personal data is the principle of privacy, which the Supreme Court in the 2017 nine-judge bench ruling in the Puttaswamy case had elevated to a fundamental right, indivisible from the right to life. This was adopted in the Justice B.N. Srikrishna Committee Report on 2018, which also appended a draft Data Protection Bill.
Sadly, transitioning worthy legal principles into law has proved more difficult. At the heart of the problem is a national conundrum around the kind of State we want to be. Historically, the Indian State has been a confusing mélange of economic progressivity with large dollops of regressive, socio-political overtones. The track record on affirmative development — women’s empowerment, Dalit, tribal and backward class benefits — is comparable with many advanced economies. Just as surely, reforming the structures and processes of the State still remains a work in progress.
The bill reflects this conundrum. It straddles two disparate streams of national development — economic policy mimicking the liberal, globalising strain, while retaining the skewed domestic balance of power, favouring the State versus citizens. In 2007, the United States curated India’s emergence from the shadows of nuclear apartheid, pulling India closer to the “Western alliance”.
This trend deepened, after 2020, to counter the rise of President Xi Jinping’s assertive China. It helps that India has strengths in digital services and consequently global business opportunities to be exploited. It also helps that the information technology ministry is now helmed by a tech-savvy former bureaucrat, Cabinet minister Ashwini Vaishnaw, and a tech-entrepreneur-turned-politician Rajeev Chandrasekhar as the minister of state.
The bill resonates, with the sensible economic imperative of selective global collaboration. It abandons the earlier, antediluvian focus on the localisation of data. This is sure to cause disquiet within sections of aspiring, domestic, big business, although public opposition will be muted. The government has done well to recognise that India is poised to become a productive partner in friend-shored global supply chains and a security partner to boot. Firewalling Indian personal data is out of place with this strategy and plays to a jingoistic Chinese playbook, sans its economic and business heft.
That this ideological barrier has been crossed is to be applauded.
Nevertheless, a sneaking admiration for Chinese tactics persists, like permitting only selective access to domestic markets. The bill includes a bland provision for transfer of personal data outside India to countries or territories notified by the government on terms and conditions to be specified. The assumption here is that countries “friendly” to India and hopefully having data protection laws, at least as robust as India’s, would be thus notified.
A veiled process of legislation by subsequent notification is bad practice. But it provides the government a bargaining chip to negotiate reciprocity with advanced economies, like the European Union, which enforces the European General Data Protection Regulation (April 2016), a best-in-class standard. A selective approval process can also incentivise big, foreign corporates to expand operations in India and root for India in foreign capitals, which is not a bad thing. Nevertheless, fleshing out the criteria for assessment would be in the spirit of transparency. At present, the uncertainty around the method to be adopted for notifying countries, contrasts starkly with the “good practice,” helpfully transparent manner, in which the section on “Obligations of Data Fiduciaries” is drafted, with supporting examples from real-life situations, to help a “Digital Nagrik” understand how the safeguards would actually work. Big business and the global community deserve the same courtesy.
Does this mean that government remains in the driver’s seat? Yes, indeed. China’s experience illustrates that unspecified, residual sovereign powers do not necessarily raise the country risk profile. The rate at which this risk is priced depends on the consistency of the conventions established, going forward, on how these residual powers are to be used.
To compensate for such dirigisme, albeit smacking of “cheesy” progressivity, the bill doffs its cap at women’s empowerment by clarifying that the pronouns “she” and “her,” used in the bill, refer to all individuals — an innovative salute to “woke” sentiments. Another innovation, albeit expensive to implement, is the facility afforded to a Data Principal (an individual owning the data) to specify her preference for being serviced in any one of the eight languages specified in the Eighth Schedule of the Constitution. Data Fiduciaries (authorised user of personal data) must comply. The fleshed-out specific provisions for protection of a child’s data are also progressive and welcome.
But there are important misses on citizen-friendly provisions. Most importantly, oversight is entrusted not to an autonomous authority, as was proposed earlier, but to a government entity — a Data Protection Board. The difference in the quality of citizen services provided by autonomous regulatory agencies, legislatively empowered with quasi-judicial powers, with an explicit mandate to protect transparency and a government department, steeped in a culture of secrecy, remains significant.
The performance of autonomous regulators, constituted since the 1990s, is admittedly varied. But on transparency and access to information, they have all raised the bar. Citizens do have the right to approach the courts, but the rule-of-law ecosystem is slow moving. An additional legislative safeguard dilutes the arbitrary use of State power. Not to have this facility is disappointing for citizens and Internet freedom activists.
Also worrisome is the extent to which bare-bones provisions have been left to be fleshed out subsequently, through the “rules”. Exemptions for government agencies from implementing protection safeguards should be minimal and the limits further explained by citing real-life examples, as done elsewhere in the bill. Citing only generic criteria like sovereignty and integrity, security, friendly relations with foreign states, maintenance of public order or for preventing incitement to any related cognisable offence, is not transparent enough.
Specifying tests or minimum metrics, for government entities to qualify for exemption, under the justiciable rubric of legality, necessity, materiality, and proportionality are much needed changes for the bill to receive a thumbs-up, beyond the plush boardrooms of big business.