Indian policymakers last year launched the praiseworthy effort to develop a cross-sector data protection law. Separately from the draft bill’s several provisions which risk undermining investment and innovation in India from companies globally, four recent trends surrounding this law’s development trigger fresh concerns.
First: narrow consultation.
Though the government last year commendably consulted a wide range of stakeholders, it has now reportedly launched another consultation seeking only a few stakeholders’ views. While the government describes this consultation as merely an exercise to seek “clarifications,” the consultation raises meaningful issues that can significantly impact India’s investment and innovation potential.
While all stakeholders had the opportunity to comment on some of those issues last year, other issues are new. For the issues that are not new, providing some stakeholders another opportunity to comment but depriving other stakeholders of that opportunity risks producing an inadequate law.
The government should consider engaging a wide range of stakeholders on the new consultation, including industry, to ensure the law reflects nuanced insights regarding technical and organizational feasibility and consumer behavior. Notably, reports suggest that a shortfall of such industry insights in the EU’s General Data Protection Regulation (GDPR) has rendered it vulnerable to data breaches.
Second: non-personal data.
In the aforementioned consultation and more generally, Indian policymakers aim to identify certain data as “non-personal” and regulate it in a manner that benefits the community at large. This is a commendable goal but pursuing it raises concerns that policymakers may not have fully considered.
For example, the concept of “non-personal” data is so vastly different from the subject of the draft bill that “non-personal” data should not be hastily incorporated into it, as the aforementioned consultation appears to seek to do. Instead, it should spur a separate policy and a separate, wide-ranging, and rigorous consultation.
Relatedly, defining “non-personal” data and developing rules for its treatment can be extremely complex and require a deep, technical understanding of data processing. Inappropriately defining and regulating “non-personal data” risks undermining privacy, burdening companies with onerous and ambiguous obligations, and forcing them to aid their competitors through data-sharing, thereby deterring competition on the merits, innovation, and investment.
India’s February 2019 draft e-commerce policy, which sought to address “community data,” vividly exemplified these concerns. For instance, it did not define such data precisely; it ambiguously proposed that successful international companies share their data with Indian competitors (raising concerns about protectionism and free-riding) and the government; and it was unclear on whether only “community data” or even other types of data should be shared.
Even the aforementioned new consultation on the data protection bill demonstrates the challenge of aptly defining and regulating “non-personal data.” It identifies “e-commerce data” as a type of “non-personal data” without elaborating on the meaning of “e-commerce data,” and does this despite the February 2019 draft e-commerce policy defining “e-commerce” so broadly that it encompassed potentially all web services – therefore suggesting all data is “e-commerce data.”
Third: “critical” and “sensitive” data.
Reports suggest Indian policymakers are working toward defining “critical” data – the type of data that, per the draft data protection bill, should be stored exclusively in India. The draft bill does not define “critical” data (deferring to the government to define it), so these recent efforts are praiseworthy and can help generate regulatory predictability. However, policymakers should address the multiple concerns that surround these efforts (separately from the fundamental concern that requiring exclusive storage in India may be overly restrictive).
For example, policymakers should not conflate “critical” data with “sensitive” data – two different concepts in the draft bill. Prominent media stakeholders have conflated the two. Relatedly, reports on the government’s discussions regarding “critical” data make no mention of “sensitive” data, potentially signaling conflation.
Even if this signals not conflation but merely the government’s choice not to discuss “sensitive” data, it is concerning as “sensitive” data merits significant attention. This is because “sensitive” data must adhere to potentially overly stringent data localization obligations (albeit different obligations from those which critical data must adhere to), and because though the draft bill defines “sensitive” data, that definition is overly broad: a long list of various types of arguably non-sensitive data, with the list’s last item empowering a future regulator to add items to the list, thereby rendering the list potentially endless.
Relatedly, while efforts to define “critical” data are praiseworthy, those efforts will bear fruit only if the definitions are clear, narrowly tailored, and unchanging unless change is genuinely merited. Further, reports suggest policymakers may defer to sectoral regulators in defining “critical” data. Caution must accompany any such deference because this deference risks fostering uncertainty (till sectoral regulators finalize their definitions) and producing overly harsh regulations as sectoral regulators may not benefit from the IT Ministry’s consultations on the cross-sector draft bill.
Fourth: the focus on data localization.
Data localization appears to have recently taken the spotlight among Indian policymakers and other stakeholders, given the risks it may pose to investment and innovation in India. However, several other aspects of the draft bill are concerning for the same reason but may not be receiving as much attention as they merit, even though they featured in last year’s consultation, and some of them feature in the new narrow consultation.
These include – but are not limited to – restrictive grounds for processing, criminal liability, significant ambiguity regarding precise obligations and relatedly the role of the Data Protection Authority (the regulator envisioned in the draft bill), and onerous requirements to demonstrate compliance.
Nikhil Sud is a regulatory affairs specialist with Albright Stonebridge Group’s South Asia practice.