From ordering groceries online to striking a business deal, the onset of COVID-19 has seen a surge in digital transactions. This has translated into an unprecedented need for data storage and protection locally in India. With the country on the verge of introducing a Data Protection Bill in Parliament in the upcoming budget session, the debate will only sharpen in coming months over what kind of data will need to be localised, data transfer and which security norms body will protect rights under the laws.
In the wake of WhatsApp's recent decision to transfer its users' data to its parent company, Facebook, a popular meme in circulation says: "Hey there! I am using WhatsApp" and in the next line says, "Hey there! WhatsApp is using me."
Disquiet over India’s data framework
On the other hand, global firms are worried that there might be undue compulsions on the quantum of data localized in India. India's new Data Protection Bill may be significantly different from Europe's GDPR, a framework that has served as a privacy legislation model in many countries.
Until now, most companies, including those in India, have formulated their data privacy policies in line with compliance aimed at the GDPR. Given the direction, the Personal Data Protection Bill in India is taking, companies will likely need to have an additional workforce to comply with the added burden of data compliance under local laws. But a delay in putting the finishing touches to the Data Privacy Bill will end up doing more harm than good. Companies are already rustling together more documentation than required, especially those eyeing mergers and acquisitions, because of the uncertainty surrounding future data compliance requirements. This, in turn, is likely to delay deal-making at a time when several sectors may require consolidation post the pandemic.
The Journey until now
Privacy is a constitutionally protected right embedded in the guarantee of life and personal liberty in article 21 of the Constitution. As such, a few legislations also address aspects of privacy and data protection in their limited capacities.
The Information Technology Act was amended in 2000 to include sections 43A and 72A, giving a right to compensation for improper personal information disclosure. Aadhaar, or the biometric-based unique identification number, is regulated by the Aadhaar (Targeted Delivery of Financial and Other Subsidies) Act, 2016 and the rules and regulations enacted thereunder.
In 2017, the Hon’ble Supreme Court delivered the landmark judgement of Justice KS Puttaswamy (retd) versus Union of India. A nine-judge bench assembled to determine whether privacy is a constitutionally protected value. After analyzing numerous judgements on the issue, the Supreme Court reiterated that privacy is an intrinsic element of the right to life and personal liberty under article 21. This right is not absolute. The limitations which operate on the right to life and freedom would also apply to the right to privacy. “Any curtailment or deprivation of that right would have to take place under a regime of law. The procedure established by law must be fair, just and reasonable. The law which provides for the curtailment of the right must also be subject to constitutional safeguards.”(para, 183).
The Hon’ble Supreme Court noted the office memorandum dated 31 July 2017 issued by the Union Government to constitute a committee chaired by Justice BN Srikrishna to review its data protection norms and make its recommendations. We now await the law to be enacted by Parliament, considering the concerns expressed by the Supreme Court.
Delays would only aggravate concerns
The draft law was expected to be submitted during the last winter session of Parliament and later, to the upcoming budget session. In the wake of WhatsApp's move to transfer its users' data, it is believed that the Bill is once again undergoing modifications.
Even after its introduction in Parliament, it is unlikely to be approved in the same session as many of the provisions will require extensive debates. There will then be another 18-month window for further defining and implementing substantial provisions including the powers of the Data Protection Authority of India, which is expected to function both as a civil court and enforcement agency.
Lawmakers are also likely to minutely examine what kind of data will require what degree of monitoring and regulation. While user data will be broadly classified into two types -- personal and non-personal – these will be further classified depending on how sensitive the information's nature is.
Build up the required infrastructure
The current apprehension about the misuse of such user data will likely see a substantial requirement arising in the law for data to be stored locally. But having the legal framework in place will only be the start of the mammoth effort required to build up the supporting infrastructure.
India's data centre industry is likely to witness a 25%-30% rise to $4.5-$5 billion by the fiscal year 2025 due to the additional future demand, according to CRISIL research.
While in the last budget, the government incentivized setting up of data centre parks, building them is likely to be a tedious process due to historically slow processes of land acquisition and related infrastructure development.
Research indicates that India needs 15 times the existing data centre capacity to meet data storage and processing requirements. Even if one were to assume a smooth transition to building the data infrastructure, equally heavy responsibility will lie with private sector players and public watchdogs to protect such user data against cyber-attacks and leakages. Unless a robust infrastructure is in place, international companies will hesitate to do business in India as any mishap may see the blame placed on them. Therefore, India needs to advance in anticipation of this need. Data localization will not be the only driving policy. The goal should be to boost India in a changing global landscape. The upcoming budget should build upon last year’s approach to facilitating a comprehensive data transformation that does not stop only at a law.
Much would also depend on the individuals who operate the Data Protection Authority and the Data Protection Adjudication Authority's autonomy and structure. Merely setting up institutions would serve no purpose unless one ensures that the enforcing authorities are knowledgeable and dedicated to ensuring that they comply with their objectives.
Undoubtedly, the current debate over data privacy and the need for localization won't be the last one in the coming months. It is the need of the hour to establish a credible data framework as quickly as possible.
(Dr Poornima Advani, Partner at Law Point and Former Chairperson National Commission for Women)