India’s journey as a digital economy reached a milestone with the introduction of the Personal Data Protection Bill, 2018 (“Bill”) that has been brought forth with the intention to create a collective culture that fosters digital economy and ensures empowerment, progress, and innovation without compromising on the informational privacy of individuals.
The Bill acknowledges the necessity to protect personal data as an essential facet of informational privacy and falls in line with the landmark judgment from the Supreme Court of India in the case of Justice K. S. Puttaswamy (Retd.) and Another v. Union of India And Ors. recognising that the right to privacy is a fundamental right.
The Bill draws its roots from the report “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians” (“Report”) formulated by the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, which charts out the necessity of formulating a legal framework relating to personal data in a manner capable of acting as a template for the developing world.
Consequently, the Bill, following in the footsteps of the Report, adopts learnings from practices that exist in developed democracies with established legal frameworks on the subject matter and tries to mould them to address the concerns and aspirations prevalent in India on data protection.
One of the most notable foreign influences on the Bill is the General Data Protection Regulation (“GDPR”) promulgated by the European Union (“EU”) and hailed as a groundbreaker in the field of data protection and privacy worldwide.
Thus, as the murmurs about the proposed Bill’s eventual approval fill the legislative hallways, it would be prudent for all relevant stakeholders to study its correlation with GDPR, so as to better prepare themselves for pertinent eventualities through lessons from a law that has already been enforced.
In this Article, we study the relationship shared by the Bill and the GDPR with respect to two of the most highly contested issues of the Bill, and analyse their applicability in the global digital economy.
Jurisdiction and Applicability of the Law
One of the most vital elements of the GDPR has been the wide scope of its applicability, since the EU regulation applies to companies (controllers and processors) established in the EU, regardless of whether or not the processing takes place within the EU, as well as to companies (controllers and processors) not established in the EU that offer goods or services within the EU or to EU individuals.
Taking a leaf from the GDPR’s book, the Bill also provides that it shall apply to: (i) both government and private entities incorporated in India, and (ii) entities incorporated overseas, if they systematically deal with data principals within the territory of India or if they process data in connection with any activity which involves profiling of data principals within the territory of India.
Therefore, as it currently reads, the Bill has extra-territorial application and imposes additional compliance requirements on any entity, domestic or foreign, that processes data connected with Indian data subjects. Consequently, even foreign entities and data processors who have insignificant or minute commercial relationships in India will be covered within the ambit of the Bill.
While such a wide scope of applicability seems somewhat necessary owing to the ‘global’ and ‘jurisdiction transcending’ nature of the internet, it raises several concerns about commercial realities such as the compliance costs and other regulatory burdens associated with the Bill. Thus, businesses might now find themselves analysing whether the costs of operating in or out of India match up against the benefits arising out of such operations.
This analysis becomes even more pertinent in the case of smaller entities, or entities with relatively insignificant transactions in the country. The Bill has made an effort to accommodate smaller enterprises and exempt them from most of its provisions, provided that they have a turnover of less than INR 20,00,000/- (Rupees Twenty Lakhs Only) in the previous financial year, do not disclose data to other entities, and have not processed data of more than 100 people on one day in the previous year. While the intent of the Bill in trying to give some breathing space to smaller entities is commendable, given the realities of the digital economy the threshold is far too low to give any practical respite. The fact that the Bill does not exempt an entity which has processed the data of more than a mere 100 people on any one day in the previous year signifies that the Bill’s drafters have failed to understand the operational realities of the digital economy. Therefore, given the density of the Indian market and other commercial concerns, it would be prudent for the Bill’s drafters to rethink the threshold for exemption of such entities.
Another widely discussed element of the Bill, and a remarkable difference between the Bill and the GDPR, is the set of provisions pertaining to data localisation: Section 40 of the Bill requires every data fiduciary to ensure the storage of at least one copy of personal data on a server or data centre located in India, and Section 41 of the Bill provides that certain categories of personal data which may be notified as ‘critical personal data’ by the central government of India shall only be processed in a server or data centre located in India.
It is noteworthy that this is not the first time that the Indian State has dabbled with data localisation. For instance, a notification from the Reserve Bank of India (“RBI”) on Storage of Payment System Data dated 6th April, 2018 required all payment system providers to ensure that all data pertaining to payment systems is stored only in India and is annually audited and reported to the RBI. The said notification specifies that, among other things, it applies to full end-to-end transaction details and information collected, carried or processed as part of the message or payment instruction, and allows the storage of data for the foreign leg of a transaction in foreign countries along with India. Remarkably, the said RBI notification in its own text justifies its requirements on the grounds that the same shall ensure better monitoring and allow ‘unfettered supervisory access to data’.
Other examples of data localisation requirements in India can be found in: i) the Draft National E-commerce Policy, which mandates that all the relevant actors (intermediaries) and e-commerce entities collecting, storing, and processing data from their customers and operating in India will need to store the data in India only; and ii) the Ministry of Health and Family Welfare’s notification dated 28th August, 2018 on Draft rules for the amendment of the Drugs and Cosmetics Rules, 1945, which provides that all e-pharmacy portals would have to be established within India and would have to keep all the data generated or mirrored through such portals localised, such that in no case would such data be stored outside India by any means.
Therefore, the Indian rulemakers’ belief in data localisation as a means of monitoring and regulating data has become clearly evident through a chain of mandates to that effect.
However, despite the Indian State’s conviction about the efficiency of these provisions, these data localisation requirements have been severely criticised by several stakeholders all across the globe. Interestingly, one of the most severe criticisms came from one of the Bill’s biggest inspirations and the drafter of the GDPR, the EU.
Not only does the GDPR’s own text not mandate any localisation of the data processed within its ambit, but the EU has also been quite vocal in its dissent against the measure. For instance, in its submission dated 29th September, 2018 to the Ministry of Electronics and Information Technology in India (MeITY) with regard to the Consultation on the Personal Data Protection Bill 2018 (“EU Submission”), the EU terms the Bill’s data localisation requirements “unnecessary and potentially harmful as they would create unnecessary costs, difficulties and uncertainties that could hamper business and investments.” Additionally, the EU Submission highlights that not only can such requirements threaten India’s global standing as a top-tier data processing industry, but they could also lead to a multiplication of difficult conflicts of laws when other countries impose similar but contradictory requirements concerning the same personal data.
The EU Submission and its stance do seem to have merit: given the high cost of compliance and the complexities associated with it, data localisation has been successfully avoided by the EU, which has shown remarkable flexibility in its approach towards different businesses. For instance, with respect to ensuring regulators’ legitimate access to data, the EU Submission highlights that the EU is currently in the process of drafting legislation that will allow the police and prosecutors to access electronic information irrespective of whether it is stored in the EU or not.
Another international example that the Indian lawmakers could turn to, is the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) promulgated by the federal government of the United States of America which allows the American federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
This approach of allowing regulators access beyond the Indian territory could prove to be a better way of regulating data in a manner that balances both the privacy and rights of the data subjects and the economic interests of relevant stakeholders. This is especially critical for the evolving Indian digital economy, which cannot afford to irk global investors if it is to survive in the highly competitive global digital market.
Additionally, given the inevitability of each major nation eventually defining its own data processing requirements, legal hurdles such as conflict of laws and practical regulatory access could also be better served if the global digital community were to join hands in allowing each other the flexibility of enforcing their valid laws, instead of asking each business to limit its processing operations to an individual jurisdiction. Multilateral international instruments could easily define such mutual obligations in fair and reciprocal terms, and once again India and the global community can learn from the EU on the subject and use the model of the Council of Europe’s Budapest (Cybercrime) Convention.
For a leading world economy and the world’s largest democracy, the inception of the Bill and its eventual approval into law would mark the commencement of India’s journey towards a comprehensive and holistic digital economy. With the ever expanding reach of the internet and its inevitable infiltration into some of the most vital aspects of human privacy, the recognition of the right to privacy as a fundamental human right is a defining moment with respect to how personal data is treated by the country’s law.
The legislature in India has had the advantage and the good sense not only to observe how other sovereign states have treated personal data, but also to adapt these measures to suit the Indian context.
However, as analysed in this article, the complex and ever-evolving world of data processing, and its unique features when it comes to basic tenets like jurisdiction and access to the law’s subjects, make the promulgation of a comprehensive data protection regime a ‘dynamic process’ instead of a one-time exercise.
As the EU Submission notes, “India is already a top world leader in the data processing industry and has built one of the best digital eco-systems in the world without having recourse to forced localization measures,” and India’s tech industry has been a major stakeholder in its journey towards becoming the world’s fastest growing economy. Simultaneously, given the global reach, high competitiveness, and distinctive nature of digital businesses, it cannot be discounted that they could choose a more business-friendly regime over India. As a result, any new law should ensure that it does not, by design or unintentionally, throttle the growth of this highly sensitive sector of the economy.
Consequently, we believe that, in addition to its best intentions of providing ample protection to data subjects and their right to privacy, it is critical that the State does not lose sight of the practical realities that tend to accompany new compliance measures, so as to foster a truly free and fair digital economy.
Disclaimer: This post has been prepared for informational purposes only. The information or observations contained in this post do not constitute legal advice and should not be acted upon in any specific situation without seeking proper legal advice from a practising attorney.