The ill-fated PDP Bill – which has since 2018 gone through numerous iterations at the hands of a Joint Parliamentary Committee, including a short stint as the ‘Data Protection Bill 2021’ – has reportedly been scrapped in order to be reformulated from scratch, bringing us back to the drawing board. The PDP Bill introduced various contentious concepts such as data localisation and data mirroring, which caused much consternation among corporate stakeholders who would have had to restructure significant parts of their data flow architectures to comply with such requirements. The existing IT Act is a relic of its time and does not adequately cater to modern data protection requirements. Therefore, a comprehensive overhaul of all data laws in India is a positive step towards solving India’s data woes in a holistic manner.
Changes to tech- and data-related laws are not isolated to India alone. Strict data protection laws such as the EU GDPR, California’s CCPA and China’s Personal Information Protection Law are now the norm, with each jurisdiction fiercely protecting the privacy of personal data. All such laws have come into existence within the last decade. Countries across the world now work towards incorporating the protections in these laws into their data flow structures to preserve commercial interests as well as individual rights. In March 2022, US President Joe Biden and the European Commission President Ursula von der Leyen jointly announced efforts towards creating a new EU-US data sharing system that will augment / replace the existing EU-US Privacy Shield. The recent Schrems I and II judgements by the Court of Justice of the European Union invalidated the existing Privacy Shield on account of surveillance laws in the US exposing EU citizen data, causing uncertainty surrounding data transfers between the EU and US. Any law that mandates blanket localisation of all data without equivalent safeguards for overseas data could risk breaching the standards set by the EU as well as various other data laws of multiple countries.
The upcoming changes to data protection laws in India, whichever form they may take, must be cognizant of the world’s changing approach to data protection. The Government of India’s recent “Data Accessibility and Use Policy”, which was scrapped nearly as quickly as it was published, appears to miss the mark widely on this front by focusing narrowly on the commercialisation of large data sets.
Any new law(s) by the Government of India must take a few key factors into consideration. Firstly, the law should require companies and State agencies in India to adopt a ‘privacy-by-design’ approach, wherein the default approach to handling personal data is providing full control over data privacy to data principals, with a set of opt-out options. Secondly, commercialisation of data should be strictly opt-in, caveated by a requirement for robust security standards. Finally, aspects such as data localisation, categorisation of data types, cross-border transfer and storage, should be regulated with due consideration for commercial operations while balancing individual rights. Ancillary regulations should provide clarity on aspects such as regulatory processes, logistics, data centers and broadband connectivity.
India is now one of the last few countries in the world to not yet have a comprehensive, modern data protection law regime. Considering India’s desire to foster a global image of a digital economy with a booming data services industry, the Government must move fast to introduce a framework that brings it on par with its partners on the international stage. Unlike other laws, data protection laws cannot work in isolation in a domestic setting and must necessarily play well with their international counterparts.
The writer is Partner and Sriram SL, Senior Associate, at J. Sagar Associates (JSA).