
Key Global Takeaways From India's Revised Personal Data Protection Bill

Arindrajit Basu, Justin Sherman
Thursday, January 23, 2020, 8:00 AM

The Indian government has introduced a new data protection bill. What's in the bill? What does it reveal about the Indian government's vision of data protection and of the internet?

Minister Ravi Shankar Prasad (Center) Flanked by Ministers P.P. Chaudhary and S.S. Ahluwalia (Source: Ministry of Law & Justice (GODL-India))

Published by The Lawfare Institute in Cooperation With Brookings

The Indian government finally introduced its Personal Data Protection Bill in Parliament on Dec. 11, 2019, after more than two years of fierce debate on the bill’s provisions. Rather than pushing to immediately pass this hugely significant bill, India’s minister of information technology, Ravi Shankar Prasad, referred it for scrutiny to a joint parliamentary committee. After the committee publishes a report on the bill, it will then be debated in the Indian Parliament—and, given the huge majority the ruling coalition has in both houses, likely passed—in 2020.

This bill has implications far beyond India, as the country seeks to develop a comprehensive data governance framework that would affect virtually any company attempting to do business in India. India—thanks to its population size, gross domestic product and influx of new internet users—has a unique ability to exercise leverage over multinational tech companies and shape global policy.

As many countries begin to construct data governance regimes, this bill will have an important role in shaping the regulation governing today’s increasingly data-driven geopolitical landscape. All the while, the bill contains some elements of the protectionist and authoritarian-leaning data policies that are cropping up around the world as some countries attempt to curtail the global and open internet.

What are the main takeaways from the bill, and how do they impact global geopolitics and data policy?

A Brief History of the Bill

The narrative around data protection in India reached a crescendo during the hearings in the K.S. Puttaswamy vs. Union of India (2017) “right to privacy” case. In a landmark verdict, a nine-judge bench of the Supreme Court of India affirmed the right to privacy as a fundamental right.

During the case, the Indian government set up an expert committee to devise India’s data protection framework. After a public consultation on a white paper, the committee submitted a draft Personal Data Protection Bill and an accompanying report interestingly entitled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians.” Ultimately, the Personal Data Protection Bill was introduced into Parliament in December 2019.

The Bill’s Foundations

What are the stated motivations behind the law? The bill’s preamble identifies three key focal points:

  • “[T]he right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy[.]”
  • “[T]he growth of the digital economy has expanded the use of data as a critical means of communication between persons[.]”
  • “[I]t is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.”

Not explicitly mentioned is that the bill was developed through continued engagement and consultation with a host of stakeholders. These interests included Indian law enforcement’s desire to access U.S.-stored data during investigations and an aversion to so-called data colonialism by large Western technology firms—a grievance against large-scale collection of Indian citizens’ data by Western companies.

What’s in the Bill?

Many of the consent-related provisions in India’s data protection bill sound quite similar to those enshrined in the European Union’s General Data Protection Regulation (GDPR). According to the new Indian bill, to collect personal data, those entities classified as data fiduciaries must obtain consent from the individuals whose data is in question. Data fiduciaries are essentially any entity determining the “purpose and means of processing personal data,” a wide definition that could encompass everything from ride-sharing apps to social media platforms to data brokers that buy and resell customer data.

Data collectors are also subject to various new reporting requirements, as well as additional obligations such as obtaining parent or guardian consent before collecting data belonging to children.

That said, the legislation’s text does carve out a number of exceptions for when data fiduciaries may not have to obtain consent in order to collect personal data on Indian citizens. For instance, there are consent exemptions for state or other entities complying with court orders, enforcing the law, providing public benefits or services, and treating medical emergencies. There are other “reasonable purpose” carve-outs for situations like whistleblowing, mergers and acquisitions, credit scoring, and the operation of search engines. Europe’s GDPR, by comparison, also contains consent exemptions in areas such as law enforcement data access and functions related to taxation, but the exemptions in India’s draft bill are defined a bit more vaguely.

The legislation also contains provisions giving rights to “data principals,” those about whom data are being collected, to request information from data fiduciaries about what is being collected on them. Similarly, data principals are given rights to correct or erase data stored by the fiduciary—a “right to be forgotten,” like in the GDPR. Data principals will also have the right to view the data itself in a clear and portable manner, with the data presented in a “structured, commonly used and machine-readable” format.

These protections demonstrate that the Indian government is interested in both safeguarding the rights of Indian data principals and chipping away at the gross power imbalance that currently exists between large technology firms and individual Indian citizens around data collection. But, again, it remains to be seen how that relationship will play out when it comes to individuals and the government, not just individuals and corporations. For example, the numerous vaguely defined exemptions on data regulation could potentially enable forms of surveillance when government organs deem collection and use pertinent to state functions.

In fact, the biggest concern about the bill among academics and activists is the exemptions granted to the government for data collection. Section 35 states that exceptions can be made to collection rules, reporting requirements, and other requirements whenever the government feels that it is “necessary or expedient” in the “interests of sovereignty and integrity of India, national security, friendly relations with foreign states, and public order.” Most importantly, “necessary or expedient” has replaced the “necessary and proportionate” standard for government processing of data. The latter was a recognized standard in Indian constitutional and international law. Just last year, the right to privacy ruling had stated clearly that any intrusion into the right must be authorized by law, conducted in accordance with procedure established by law, and be necessary and proportionate to the objective being sought. The use of the term “necessary or expedient” does not impose an obligation to undertake the balancing act between the intrusion and the objective, thereby augmenting the government’s surveillance powers. This leaves a gaping regulatory vacuum around surveillance law in India and fails to adequately protect citizen privacy, as there are no clear rules that govern government use of data.

In a bid to regulate social media corporations, marking a departure from both the GDPR and the 2018 draft of the bill, the most recent bill proposes the creation of a special class of significant “data fiduciaries” known as “social media intermediaries.” These are defined as entities whose primary purpose is enabling online interaction among users (and do not include intermediaries that enable business transactions or access to the internet, or that are in the nature of search engines or encyclopedias). Essentially, a “social media intermediary” is a social media company. The bill includes vague language that stipulates that social media intermediaries allow for the voluntary verification of their accounts by any users who use their services from India or register from within India. However, the proof users need to submit to the social media intermediary to verify their accounts is unclear. No other country has the provision for a voluntary verification mechanism of this nature.

Despite adding layers of regulatory obligations, the revised version of the bill does provide some cheer to foreign technology companies. After protracted lobbying and pushback from foreign companies, diplomats, and heads of state (including President Trump), the bill narrowed the scope of a data “mirroring” requirement for all data, which was present in the earlier draft. This data mirroring requirement would have mandated that a copy of all data on Indian citizens be stored within India’s borders. Now, the legislation only requires that certain types of data must be stored in India. The first, “critical personal data,” must be stored and processed only in India. The second, “sensitive personal information,” must be stored within India but can be copied elsewhere provided certain conditions are met. This includes a provision that mimics the GDPR’s adequacy requirement: In order for data to be copied into a country, the destination country must apply sufficient privacy protections to the data and not impede Indian law enforcement access to the data.

Localized data storage requirements are also not entirely new to India. Rather, they would supplement measures that are already in place. Most important among the preexisting protections is a Reserve Bank of India (India’s central bank) requirement for the local storage of payment data. Major technology firms such as WhatsApp Pay, Google Pay, Mastercard and other payment companies have made attempts to comply with the new Reserve Bank regulation.

Finally, the government made sure to add Section 91—a provision clarifying that it reserves the right to interpret any policies for the benefit of India’s digital economy—as long as this does not involve the use of personal data that can be directly used to identify an individual. Section 91(2) states further that the government can direct data collectors to hand over anonymized personal information or other “non-personal data” for the purpose of “evidence-based policy-making.” Little clarity has been provided on what that might entail.

Implications for India and the World

Since the bill was introduced in Parliament, the global business community has expressed disapproval over certain aspects of the proposed legislation. For example, U.S.-India Business Council President Nisha Biswal criticized the ostensibly privacy-focused bill for reaching into other areas, such as liability of social media intermediaries, that she thinks should be handled in separate legislation. Despite her reservations about legislative overreach, Biswal praised the bill for relaxing India’s data localization requirements, a move she feels would provide access to global processing and data analytics that could benefit India’s economy. Moving forward, it will be interesting to watch other responses from the international business community to the now-diluted data localization elements of the bill.

There are also business costs associated with data localization compliance that many foreign companies would prefer to avoid. There is no doubt that many companies incorporated within India, and particularly those incorporated beyond, will continue to push back against other existing data localization requirements that raise storage and processing costs. The revised data localization provision in the new bill addresses these costs as the mandate is limited to “sensitive personal data” and “critical personal data.”

Beyond purely financial concerns, some observers in the business community may have other worries about the data localization rules because these rules can sometimes create legitimate cybersecurity and national security concerns. In Russia, for example, more aggressive data localization rules have created conflicts between the Russian government and Western technology companies. The Russian government has pressured foreign-incorporated companies to store their encryption keys within Russia’s borders, as part of a broader tightening control of Russian cyberspace. This has raised concerns about elevated (and unchecked) government access to sensitive communications. In light of some concerning provisions in the draft bill about government surveillance (notably exemptions when “the security of the State” is in question), it’s possible that foreign companies may have similar concerns around local data storage in India’s case.

The U.S. has broadly supported a business-led pushback against data localization in India, purportedly for economic reasons: At the G-20 summit this past summer, a major event for global data governance, President Trump stated that “the United States opposes data localization and policies, which have been used to restrict digital trade flows and violate privacy and intellectual property protections.”

Beyond business concerns, what does India’s Personal Data Protection Bill mean for the U.S. privacy stance?

The Indian bill mirrors and appears to endorse parts of the stance taken by the GDPR. Federal data privacy approaches in the United States have to date taken a much more laissez-faire approach to data regulation than the approach embodied in the EU’s GDPR. This perhaps reflects a fundamentally different understanding of how human rights pertain to the protection of online speech and data privacy. The U.S. largely views the protection of online data and information as less the government’s responsibility than, for example, many counterparts in the European Union do.

While its data regulation model is far more controlling, China has already looked to the GDPR as a model for building out some elements of its emerging data governance regime. India’s proposal represents yet another country attempting to model its own data governance regime on the GDPR’s privacy standards. India’s bill reflects the GDPR’s further entrenchment as the global standard on which to base early-stage data protection regulations.

For those American policymakers who would have preferred India to take a slightly different approach, it’s worth wondering how better U.S. government action on the data governance front could influence this global contestation over data access and regulation.

What does the bill mean for India’s role in the global data conversation? India is an important player in the global internet policy space. Indian government leadership is eager to position India as a global leader on democratic data regulation and has largely succeeded. India has high levels of global internet policy participation—that is, activity in the UN General Assembly and elsewhere on internet issues—and analysts have rated the nation high on its ability to influence international policy.

The introduction of a data protection bill in furtherance of a constitutionally guaranteed right to privacy is a very small step toward occupying a leadership position on democratic data governance. However, the text of the bill largely appears to be a crude amalgamation of provisions in the GDPR with authoritarian leanings. In the Indian bill, these include the enabling framework for government surveillance, which undoubtedly entrenches government power to undermine citizen privacy. Further, the blurring of the distinction between non-personal data and personal data remains concerning. The bill ultimately dilutes protections on individual data rights by enabling the government to access anything it feels would fit within the laid-out categories of exemptions.

These authoritarian leanings ultimately undermine India’s potential to guide emerging market economies and smaller democratic states. The bill makes India a less appealing model for those nations looking to chart out a new vision of data governance that merges the right to privacy with important civil liberties. Though some privacy-protecting measures in the bill mimic several provisions of the GDPR, the legislation needs significant revisions if India wants to be a leader in forging a democratic, privacy-protecting approach to the internet.

India’s strategic interest likely lies in ensuring that it upholds its constitutional responsibility to its populace and privileges citizen rights and economic welfare over mere business or bureaucratic interests. But—particularly due to concerning exemptions in the text of the Personal Data Protection Bill—it is not clear whether this objective is satisfied. As the Joint Parliamentary Committee starts its deliberations on the draft of the bill, it remains to be seen whether the policymaking pendulum swings the right way.


Arindrajit Basu is a research manager at the Centre for Internet & Society, India, where he focuses on the geopolitics and constitutionality of emerging technologies. He is a lawyer by training and holds a BA, LLB (Hons) degree from the National University of Juridical Sciences, Kolkata, and an LLM in public international law from the University of Cambridge, U.K.
Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council.