After nearly five years of negotiations involving the government, technology companies and civil society representatives, the Centre tabled the Digital Personal Data Protection Bill, 2023, in Parliament on Thursday (August 3), which lays out procedures on how corporations and the government itself can collect and use information and personal data of India’s citizens.
Over these five years, the legislation has undergone multiple iterations – having started out as a draft legislation that espoused the broader tenets of Europe’s privacy protections, which empower citizens to have a greater say in how their online data is used. Midway through the journey, there was an infusion of provisions that diluted some proposals to satisfy companies and promote competition, somewhat along the lines of US legislation.
The final Bill is a mixed bag. While it has serious provisions for the way private entities can deal with users’ personal data, many of those yardsticks do not apply to the Centre itself, which enjoys wide-ranging exemptions and power over the enforcement process.
Criticisms of India’s Bill and the government’s counter
These include a progressive weakening of the Data Protection Authority of India – the body that is supposed to be the key regulator and enforcer of the law – and the multiple exemptions for the central government and its agencies, which were among the most criticised provisions of the previous draft. The Centre was also empowered to appoint members to the data protection board, raising concerns over the control it could potentially exert on the institution in cases where it was an interested party.
Other features, such as provisions that allow the central government to bypass norms around seeking express consent from citizens and the power to exempt “any instrumentality of the state” from adverse consequences by citing national security, relations with foreign governments and maintenance of public order, among other things, are where the Bill comes closer to the Chinese version than to the EU legislation that the whole exercise started out with.
The government has maintained that it needs some exemptions and cannot be treated on par with private entities in all cases, for various reasons. Rajeev Chandrasekhar, Minister of State for Electronics and IT, told The Indian Express that the government needs certain exemptions because it deals with issues including terrorism, law and order, and public health emergencies. “In such a situation, there have to be carve-outs so that the government can efficiently do its work,” he said, explaining the need for exemptions.
He also said that as far as data breaches are concerned, the rules will apply equally to the government and its institutions.
India’s multi-pronged approach to the Internet
Comparisons have initially been drawn with the EU’s landmark General Data Protection Regulation (GDPR), which, according to Graham Greenleaf, Professor of Law & Information Systems at the University of New South Wales, has substantially influenced legislation adopted by nearly 160 countries. The Government of India’s view, however, is that its version of the Digital Personal Data Protection Bill is only one of the pieces that form part of its larger policy vision for the entire digital economy, and has to be seen in that light.
This larger policy framework includes a comprehensive Digital India Act that would eventually replace the existing IT Act, the new data protection Bill that has just been unveiled, a policy to govern non-personal data and the new draft telecom Bill that was put in the public domain last year.
Government officials have said that while they studied all major data protection regulations around the world, they had to prepare a model that works in the Indian context. “We have learnt from the mistakes of Europe and Singapore, and have made a Bill that works for our economic reality,” an official said.
The EU’s GDPR, enforced since May 2018, is widely considered to be the most comprehensive privacy legislation anywhere in the world, with Europe also framing additional norms like the Digital Services Act (DSA) and the Digital Markets Act (DMA) to check the dominance of big technology companies on different fronts.
The DSA focuses on issues such as regulating hate speech and counterfeit goods, while the DMA defines a new category of “dominant gatekeeper” platforms and focuses on anti-competitive practices and the abuse of dominance by these players.
Data protection laws in other geographies
An estimated 137 out of 194 countries have put in place legislation to secure the protection of data and privacy, according to data from the United Nations Conference on Trade and Development, an intergovernmental organisation within the United Nations Secretariat. Africa and Asia show different levels of adoption, with 61% and 57% of countries respectively having adopted such legislation. The share in the least developed countries is only 48%.
Models for data protection laws
The EU model:
The GDPR focuses on a comprehensive data protection law for the processing of personal data. It has been criticised for being excessively stringent and for imposing many obligations on organisations processing data, but it is the template for most of the legislation drafted around the world.
In the EU, the right to privacy is enshrined as a fundamental right that seeks to protect an individual’s dignity and her right over the data that she generates. The European Charter of Fundamental Rights recognises the right to privacy as well as the right to protection of personal data, and is backed by a comprehensive data protection framework which applies to the processing of personal data by any means, and to processing activities carried out by both the government and private entities.
There are certain exemptions, such as national security, defence and public security, but they are clearly defined and seen as exclusions on the periphery.
The US model:
Privacy protection is largely defined as a “liberty protection” — focused on the protection of the individual’s personal space from the government, and, therefore, is viewed as being somewhat narrow in focus by virtue of enabling the collection of personal information as long as the individual is informed of such collection and use. The US template has been viewed as inadequate in key respects of regulation.
Unlike the EU’s GDPR, there is no comprehensive set of privacy rights or principles that collectively address the use, collection and disclosure of data in the US. Instead, there is limited sector-specific regulation. The approach towards data protection in the US is different for the public and private sectors.
The government’s activities and powers with respect to personal information are, however, sufficiently well defined and addressed by broad, sweeping legislation such as the Privacy Act and the Electronic Communications Privacy Act. For the private sector, there are some sector-specific norms.
The China model:
New Chinese laws issued over the last 15 months on data privacy and security include the Personal Information Protection Law (PIPL), which came into effect in November 2021. It gives Chinese data principals new rights as it seeks to prevent the misuse of personal data.
The Data Security Law (DSL), which came into force in September 2021, requires business data to be categorised by different levels of importance and puts new restrictions on cross-border transfers. These regulations will have a significant impact on how companies collect, store, use and transfer data, but are essentially focused on giving the government overreaching powers to both collect data and regulate private companies that collect and process information.
According to an EY analysis of China’s PIPL, the legislation is deemed to be “similar” to the EU’s GDPR, in that it gives Chinese consumers the right to access, correct and delete their personal data gathered by businesses, but it also affects offshore data processors that deliver goods and services to, or analyse, individuals in China. The law includes stringent penalties, with fines that can be as much as $7 million or up to 5% of a company’s turnover from the previous financial year.
Businesses may also be required to suspend operations until they “demonstrate compliance”. India, too, has introduced a similar provision, under which any platform that has violated its norms at least twice can be blocked by the central government.
There are also impacts on individuals, with anyone directly responsible for data protection personally facing fines of up to $140,000. The DSL also requires that business data be classified according to its relevance to national security and the public interest, and companies looking to transfer “important” data outside of China must perform an internal security review before applying for a security assessment and approval from the Cyberspace Administration of China (CAC) and other relevant authorities.
Companies that mishandle data under the DSL face severe penalties. For instance, Chinese ride-hailing giant Didi faced a $1.2 billion (8.026 billion yuan) fine in July this year for allegedly breaking China’s cyber security laws, after becoming one of the most high-profile targets of Beijing’s increasingly muscular approach to the country’s tech sector. Other companies have also been facing regulatory action.