Event Reports
Published on Oct 12, 2018
Will data localisation — or a diluted mirroring requirement — serve India’s strategic interests as outlined in the Srikrishna Committee’s report? Moving forward, how can India build data ecosystems that not only feed back into domestic innovation but also protect user privacy at scale keeping in mind the interests of the private sector?
ORF roundtable on Personal Data Protection Bill, 2018

On 3 September 2018, Observer Research Foundation convened a roundtable discussion to examine the Srikrishna Committee Report and the draft Data Protection Bill (Bill) that the Srikrishna Committee (the “Committee”) submitted to the Minister of Electronics and Information Technology (MeitY) on 27 July 2018. With the deadline for comments on the draft bill fast approaching, the dialogue was intended to gather inputs from stakeholders about the Bill and make recommendations on ways it could be improved. This report tries to broadly capture the discussions at the roundtable.

The discussion was facilitated by Dr. Samir Saran, President of ORF and Bedavyasa Mohanty, Associate Fellow with ORF’s Cyber Initiative. The participants included representatives from several technology, telecom, and media companies; lawyers and litigators; government and foreign officials; and other informed and interested individuals from various fields.

With the emergence of reactive regimes around data ownership, management, and protection being brought to the billion-strong population of India, the very nature of the internet is being threatened by different approaches to data governance. Can the efficacy of the fiduciary model and magnitude of fiduciary responsibility be improved by incorporating learnings from other sectors, and be made more responsive to legal rights and new innovation?

Will data localisation — or a diluted mirroring requirement — serve India’s strategic interests as outlined in the Committee’s report? Moving forward, how can India build data ecosystems that not only feed back into domestic innovation but also protect user privacy at scale keeping in mind the interests of the private sector?

Key areas of discussion

Enforcing mandatory data localisation in the absence of an impact assessment will pose operational and economic risks

Requirements to segregate certain kinds of data and store data in India, either completely or in the form of mirror servers, will be a burdensome and prohibitive barrier to companies, especially SMEs. Such a requirement can fundamentally alter the architecture of how companies operate in the digital economy — it is further unclear how the supply chains of non-digital/traditional companies will be affected. Operationally, it will be difficult for companies to identify the nationalities of the data owners when processing any service online. This can be particularly challenging and onerous for companies that would be identified as collecting “critical personal data” under the Bill. Further, if foreign companies are unable to store data (even through mirroring) in India, users in the country could potentially lose out on access to several parts of the internet — effectively creating a “splinternet.”

Additionally, stakeholders at the roundtable expressed that the Report does not effectively address how mandatory data localisation is best suited (or the only viable solution) to meet India’s stated interests in improving enforcement of laws, avoiding the vulnerabilities of relying on fiber optic networks, building an AI ecosystem and preventing foreign surveillance. Some argued that data localisation may not be the one-size-fits-all solution to all the well-meaning challenges the Committee has highlighted. Additionally, individual users will no longer be able to choose the service they want for protecting their data, or choose the location where their data is stored, thereby limiting their autonomy.

To enforce the data localisation mandate, the Data Protection Authority (DPA) will need to be notified. This applies to all the instances listed under Clauses 40 and 41 of the Bill where restrictions on cross-border transfer of personal data have been imposed. Such a legal requirement envisages a host of repeated notification requirements. Furthermore, some stakeholders were of the opinion that the Bill requires data fiduciaries to approach the DPA each time an approval is required either for consent or cross-border transfers of data through contractual agreements. This “regulatory bear hug” stifles innovation, fosters protectionism, and retards India’s economic growth.

Carrying out differential treatment of data would be technically infeasible

Clause 104 of the Bill carves out an exception for the processing of personal data of data principals not within the territory of India by any/any class of data processors incorporated under Indian law in pursuance of a contract. This exception was made to benefit the Indian BPO industry. If India were to become a global hub and serve users globally, it would require any company to operationally segregate user data, and differentially treat data belonging to Indian and foreign users/customers. Some stakeholders pointed out that such a legal requirement would be technically cumbersome to carry out and can potentially become arbitrary during enforcement.

Framing of the eventual data protection act will need to be informed by ease of enforcement and clarity in duties of regulators

The Data Protection Act is envisioned to be a legislation that would override other existing laws. This could potentially translate to the Act also overriding existing provisions in licensing and contractual agreements. Additionally, it is unclear which authority — TRAI, DPA or RBI — will prevail when issues of jurisdiction arise. Since India does not currently have a comprehensive data protection law in place, several of these challenges will have to be taken into account and resolved while finalising the current draft proposed by the Committee. There was a consensus at the roundtable that MeitY is best placed to analyse stakeholders’ comments since private companies, with the exception of DSCI, were not represented in the constitution of the Committee.

Excessive delegation of authority reposed in the DPA

While stakeholders welcomed the creation of a data protection authority and the concomitant adjudicatory, regulatory and policy making powers situated in the agency, the excessive delegation of legislative authority granted to the DPA was cited as a concern. The parent statute — the data protection bill — does not offer guidance to determine circumstances or manner under which this rule-making authority is to be exercised. The constitution of the DPA will necessarily need to be diverse when adjudicating multilingual notice and consent requirements. The authority will further need to determine how companies must publish privacy policies and other notices in different languages to accommodate Indian users — particularly first-generation users who are just beginning to use the medium.

Impact of the Bill on startups

To understand how the regulatory environment will be affected, it is essential to consider how the passing of the data protection law will impact Indian startups. Given the restrictions the law would impose on data processing — which the Bill defines as collecting, processing, and storage — combined with the DPA’s wide-ranging powers, startups could potentially be hugely deterred during their routine operations. When the GST Council was introduced a year ago, startups struggled to adapt to requirements for multiple registrations and filings across states. As the DPA is established, startups will need to be sensitised to the new compliances that will be required. Requirements to localise data in any form could be rolled out in phases to encourage compliance.

As a counterargument to the increase in barriers and the decrease in ease of business, it must be acknowledged that the Bill aims to protect data privacy of individuals and collectives. Privacy — including data privacy — is recognised as a Fundamental Right. One speaker pointed out that although the Act, immediately upon its passing, would have short-term negative impacts that would hinder the way things have been functioning in the country, its long-term effects will far outweigh these initial setbacks. It is crucial to recognise that something as fundamental as privacy cannot be traded off for short-term inconvenience that companies may face.

This report was prepared by Meghna Chadha, Research Intern and Madhulika Srikumar, Associate Fellow.

The views expressed above belong to the author(s).