The prime minister has recently said that “innovation, aspiration and application of technology” will fuel the country to become a $5-trillion economy. The government has also indicated that technology and electronics manufacturing will be the foundation of the $5-trillion economy. Its stated goal is to grow the technology and electronics manufacturing sector to $300 billion by 2025.
However, the Bill as it stands imposes regulatory burdens on businesses without securing proportional gains in privacy protection. It perpetuates an uncertain and onerous regulatory environment. The proposals are certain to undo the gains made in recent years by progressive policies of the government. It could result in the largest expansion of the regulatory state in India since economic liberalisation in 1991. The burden of onerous regulation will be fatal to new entrants, while the costs will be absorbed by established incumbents. The Bill, if adopted, will ensure that the start-up ideas of today that could become unicorns of tomorrow are stillborn.
https://images.indianexpress.com/2020/08/1x1.pngThere are several areas of concern. First, the framework under the Bill is premised on a centralised Data Protection Authority with a wide discretionary remit to formulate regulation. Second, the Bill has broad-based restrictions on the transfer of data overseas that are likely to splinter our market from the global digital economy. Third, it seeks to impose onerous compliance obligations that have little to do with data protection. Fourth, it sets forth an inflexible framework that is bereft of any formal consultative rule-making process. Lastly, substantial portions of the Bill are out of sync with international data protection practices, which could blunt India’s competitive advantage as a digital market. These aspects of the Bill require substantial changes for it to not only achieve its objective of privacy protection, but to also avoid stunting the growth of our digital economy.
The Bill imposes restrictions on the transfer of sensitive personal data outside India. The authority’s prior approval would be needed for any such transfer. Further, a narrower category of personal data that is considered “critical” would be entirely prohibited from transfer outside India. It is the authority who is to define “critical data” without even an indicative hint of its scope in the Bill. These requirements destroy the basic value of the digital economy — connectivity beyond physical barriers. It is these steps that are certain to deprive India of the full fruits of the global digital market without any enhancement in user protection. This is completely out of step with the capitalist digital market and places us in the same category as protectionist China.
The Bill also requires large players to have data protection officers physically located within India. These officers are required to be key managerial personnel. The outside world is likely to see these measures as less about protection and more about protectionism.
The JPC has recommended that all hardware must be monitored, tested, and certified by an authorised agency to ensure its “integrity and trustworthiness”. This does not augur well for our goal for electronics manufacturing. This is an all-encompassing requirement alien to any data protection law in the world, including the EU’s GDPR. The avowed objective is to ensure against “malicious insertion of software that may cause data breach”. In making this recommendation, the JPC has ignored the existing testing requirements under the Bureau of Indian Standards and the mandatory testing of telecom equipment regimes. This proposal is a clear duplication of existing requirements. It constitutes an unfair burden on a sector that holds promise for Indian champions who are already struggling because of the onslaught of Chinese mobile companies in India. This change will impose a testing requirement on hardware as diverse as computers and cars including over 50 million internet enabled connected devices that are likely to blossom across the country over the next decade.
This is certain to result in delays and disruption in supply chains. The premise of this requirement of a continuing liability on manufacturers after the sale of hardware products to ensure against “malicious software” is divorced from reality. The Bill ignores the real threat posed by the insertion of such software clandestinely post the sale of hardware through other means. The JPC report provides an insubstantial explanation of these means having even a chance of protecting users.
Extensive compliance requirements have been included, such as the conduct of audits and impact assessments to be filed with the authority. This approach of breathing down the neck of digital businesses is unknown to any data protection regime. The compliance burden is likely to act as a potent deterrent to fulsome participation in the Indian market as most digital businesses run on lean business structures. Also, technology companies that thrive on acquiring a competitive advantage will be reluctant to share information on their processes and business models. These proposals would give companies a reason to pause as they seek to grow in India.
The foundation of the framework is a domineering mandate to be given to a data regulator, structurally geared to intervene rather than facilitate. The provisions seek to regulate by fiat alone, with innovation and ease of doing business as the main casualties. Value generation through technology requires an open and innovation-friendly regulatory environment. The government, therefore, must closely consider each of the policy prescriptions in the Bill including the unintended but deleterious consequences of the regulatory regime mooted.
(The writer is an advocate practising in Delhi and co-author of Privacy Law: Principles, Injunctions and Compensation)
