There is a curious irony to the Government of India withdrawing the personal data protection bill in Parliament and stating instead that a “comprehensive legal framework” would be legislated shortly. When the Justice B.N. Srikrishna Committee was given the task of recommending a data protection law for India for the first time in 2017, the chairman and members of the Committee (I was a member) requested for a reasonable period of time for precisely the same reason — to recommend a framework that would take a holistic look at India’s digital economy, prevent regulatory overreach and protect privacy of citizens. That request was not heeded, not because time was of the essence but because in the governmental system, all deadlines are unthinkingly immediate, irrespective of the nature of the task.
As a result, the Committee, within the limited time offered to it, came up with a data protection legislation that promised a uniquely Indian approach to privacy and data protection — distinct from American way that protected individuals against the State but not as much against Big Tech, Chinese approaches which made individuals subservient to the State, as well as heavily regulatory European approaches like the General Data Protection Regulation, a goldmine for lawyers. Despite our best efforts, our recommended statute looked a bit like GDPR-lite, albeit with some uniquely Indian characteristics.
Over time, this version became heavy-handed, scarcely resembling the initial version that had been presented. The chief culprit of this was the Joint Parliamentary Committee that took two years to give its recommendations and presented a report that would imperil privacy, choke the digital economy and allow surveillance agencies wider latitude than they needed to do their job effectively. The demand that this matter go to the JPC was made by several groups which, perhaps a little too optimistically, felt that a bipartisan committee might better protect privacy than the government might. The JPC’s report, which includes in the long title of the bill the need for data protection “to ensure the interest and security of the state”, is a timely reminder to well-meaning activists and civil society groups that they must be careful what they wish for.
Handed such a befuddling report, confused in its concepts, vague in its recommendations, while at the same time voluminous in its opinions, the government appears justified in going back to the drawing board. Doing so gives it the opportunity of doing what might have been done five years back — consider the big picture of the digital universe in India. If that is indeed done, three distinct areas emerge for governmental action as part of a “comprehensive legal framework”.
First, there is an urgent need to protect children from online harm. It is unpardonable that with the withdrawal of the personal data protection bill, what technological companies can do with data of Indian children remains essentially unregulated. Children not only receive advertisements, but their behaviour can be tracked across websites and a detailed behavioural profile can be created. Further, plenty of inappropriate content is available on the internet for children without any warnings or restrictions. There is an urgent need to protect the personal data of Indian children from being mined for commercial gain.
Second, technology can play a critical role in promoting ease of living for citizens. While the government’s Jan Dhan-Aadhaar-Mobile record has been impressive, much more can be done to tap the potential of technology to improve lives. For example, despite JAM, property registration requires physical presence at the sub-registrar’s office together with the blackening of each of your fingers. The familiar rigmarole of providing physical photocopies of Aadhaar, PAN, Voter ID card plays out at otherwise well-functioning passport offices, even when requesting something as simple as change of address. To stop this, there needs to be a legislative mandate to use paperless, presence-less mechanisms whenever they are available. The promise of technology is understood by all, but behavioural change needs a strong legislative push.
Such a push is also needed because large amounts of non-personal data today lie untapped in silos within the government and the private sector. Imagine the utility of traffic data in the city of Bangalore to prioritise where the metro needs to be extended to in order to decongest the city. Or the evidence of particular kinds of disease in the population to decide which kind of medical specialist to send to a particular primary healthcare centre. The benefits of responsible processing of non-personal data are immense in facilitating ease of living. But this won’t happen unless there is a clear vision and legislative mandate to implement it.
Finally, with time, deliberation and consultation, India can also get the ‘fourth way’ privacy statute that the Srikrishna committee had aspired for. Much of its constituent elements are present — but in order to serve as a model for the Global South, a new data protection legislation needs to think in Gandhian terms of the last person in the queue — the face of the poorest citizens of the Global South — and how a data protection statute can help them access and navigate the intimidating world of the internet in an effective and safe manner. If that isn’t incentive enough, then perhaps consider this — globally, maximum data will flow to those countries whose legislative regimes are either considered ‘adequate’ by the European Union or countries that have specific bilateral data-sharing arrangements. Such arrangements will not happen without a dedicated data protection legislation.
The time for specious arguments of not regulating data protection to incentivise startups, comfort Big Tech and the BPO industry is over. If India is to become a data leader of the Global South, it needs a package of laws that deal with data protection, children’s data and technology-enabled ease of living for Indian citizens. By withdrawing the personal data protection bill, the government has taken a good preliminary step. It must now follow up right.
Arghya Sengupta is Research Director, Vidhi Centre for Legal Policy. Views are personal