In tandem with the digitalisation efforts of India, privacy risks and concerns have come to the forefront, where businesses have created a privacy void that needs a fix. Due to this, policymakers are now faced with the dilemma of the “Privacy Paradox”, which is, how to ensure a mutually beneficial trade-off between securing the personal data of an individual while utilizing it for the economic advancement of the collective. As the government is working on a new personal data protection bill, it is crucial to look at some of the features that allow for a robust, interoperable law to catalyse India’s techade.
Firstly, the 2019 Bill’s need for an extremely elaborate and strict consent and notice framework was concerning. The robust framework that vowed to safeguard the privacy of an individual’s data would have made the privacy design of the bill even more redundant. Consent and notice framework in the new Bill should be dealt with in such a way that it addresses the right to informational privacy while avoiding consent fatigue for consumers. For instance, individuals may receive innumerable privacy notifications causing consent fatigue; this issue was considered and acknowledged by the Justice Srikrishna committee report. Besides, from a business perspective, the cost of compliance, especially for small businesses, will be huge and may result in additional costs. The new personal data governance framework should focus on simplifying the consent and notice framework in such a manner that individuals can easily understand how and for what purpose is their personal data being processed. Besides, the new Bill must lay out better means and ways to obtain consent, which is inclusive, less tiresome, and efficient.
The second concern was regarding mandatory data localisation of sensitive and critical personal data in the 2019 Bill, where certain conditions were imposed on the transfer of sensitive and critical personal data across borders. If implemented, this provision would have increased operational and implementational costs for businesses. This is especially true for start-ups that have a heavy reliance on cloud servers based across the globe for storage and analytics. Through our impact study, we found that start-ups are more likely to be affected by the data localisation mandate as it would increase the compliance burden and require system-level changes, which might be difficult and costly. They also raised concerns regarding the non-harmonised nature of the 2019 Bill with the globally accepted privacy standards. There is a greater need for interoperability between international and domestic standards for greater ease in the cross-border data flow. To deliver a formidable personal data governance framework, one of the priorities now should be easing data localisation compliances.
Besides, the trade in the 4th industrial revolution, i.e., the transformation in the industrial processes with rapid change in technological developments and societal patterns, is fragmented in terms of geographically dispersed Global Value Chains (GVC) which creates interdependence between countries. As the GVC is fragmented geographically, this has paved the way for international production process distribution, where some of the activities and tasks related to production are carried out in different countries. While cross-border production in the form of GVCs may not be new, a key element which propels and transformed GVCs is information communications tech, which makes the flow of goods and services from one production level to another seamless. While enabling cross-border data transfers is overarchingly beneficial, it is more lucrative to enable the same with countries which share a positive relationship in trade, investments etc. Therefore, the Indian government may focus on bilateral or multilateral agreements to establish mutually beneficial principles and safeguards with partner countries such as the UK, US, EU, Australia etc., for data storage, access, and cross-border flows. For instance, in our recent report with UKIBC, we highlight the importance of having an interoperable and harmonised data protection regime for India and the UK in order to facilitate the free flow of data and wider digital trade by discussing the roadblocks and providing a way forward.
Thirdly, the proposed Data Protection Authority (DPA) will be at the cornerstone of India’s data governance endeavours, and it must function as the independent supervisory authority for all relevant stakeholders – including the government. Also, more attention needs to be given to the issues of capacity and the regulator’s ability to work in harmony with pre-existing regulators in other sectors.
The Indian government moved in the right direction by withdrawing the PDP Bill, 2019. Governing personal data is a novel challenge that should not be done in haste. To introduce and implement a formidable data governance framework, research and appropriate stakeholder consultation are necessitated.