One of the reasons behind allowing cross-border flow of data in the recently released draft Digital Personal Data Protection Bill, 2022, is that it is increasingly becoming an important aspect of digital trade negotiations, Minister of State for Electronics and IT Rajeev Chandrasekhar told Soumyarendra Barik in an interview. He said that regions where data will be stored to be decided by the government on the basis of “reciprocity”. He also spoke about government-exemptions in the Bill and the independence of the Data Protection Board. Edited excerpts: 1. What are your key objectives under the revamped Bill? Since the 2017 right to privacy judgment, there has been discussion and debate on how we create legislation that addresses the issue of legalising and creating a need-based proportional use of data. Having a data protection law is in many ways a first for many countries across the world, everybody is stumbling and learning. We withdrew the previous Bill as it had become complicated, and posed an issue for us because of the success of our innovation and start-up ecosystem. The new Bill makes sure that consumer rights to data protection are captured as rights. Data fiduciaries’ obligations are light and easy to comply with so that it does not slow down innovation, the economy, and India's position as a safe destination for data processing for the world's citizens. It also ensures that the government’s governance objectives based on data governance are met. 2. Where does the Bill place India in the global digital economy? Now we have released the Bill for public consultation, we have also released a policy on non-personal data to harness data for our start-ups, and soon we will have the Digital India Act which will replace the Information Technology Act and create an ecosystem of laws that protects consumers and allows innovation to flourish. This also positions India where the entire digital economy can be viewed through the prism of trust and protection as people can participate in the growth of the digital economy in a manner that is predictable. For the government, it will also help us to move towards more data-led governance where we can create analytical models to figure out where the gaps are and then plug them. 3. The Bill has finally allowed cross-border data flows after years of focusing on data localisation. Why did you decide to go back on local storage? What would be the criteria behind notifying regions where data can be taken? In a globalised world where Indian software firms are servicing global customers and vice versa, data flow across geographical boundaries is almost like a given. Our startups must have the ability to choose the best services. But the government also needs access to data for law enforcement purposes. That’s how we arrived at the provision in the Bill, where we will identify trusted geographies where data can be stored and processed. It serves the purpose of our startups and at the same time ensures that we don’t create artificial walled gardens around the Internet like some of our neighbouring countries have done. We are a liberal democracy, we don’t want to create an Internet like that. By bringing in the concept of trust, it means there are still some factors that will decide where one can store data which will be decided by the government. There will be a lot of reciprocity built into this. 4. So will we be looking at bilateral agreements with such geographies? It is safe to assume that given data and digital trade are becoming important parts of the global economy and free trade agreement (FTA) conversations, such agreements will also be negotiated. 5. One of the biggest concerns so far in the Bill has been the wide-ranging government exemptions. Earlier the Parliamentary committee had said that exemptions be given in a ‘just, fair, proportional’ way, but these words don’t find a mention in the Bill. Why is that? I personally believe that given our government’s track record it is clear that we are doing everything very transparently. Also, given that every citizen and every data fiduciary has the right to approach courts, it is clear that if we don't do things in a fair, transparent and just way, people can seek recourse in courts. It is not our intention to have a data protection law where people who are, in a sense, invested in creating the data economy are dissatisfied with it. So putting words like that would only be stating the obvious because there is no incentive for the government to do anything in a non-transparent manner. 6. The Data Protection Board’s independence has also been called into question. How independent will it be? We have clearly stated in the Bill that the Data Protection Board will be very independent. 7. Yes, but in essence it might not be, especially since it is appointed by the government and will ultimately take decisions in matters where the government could be a party. Will that not create a conflict of interest? The Board will have a purely adjudicatory mechanism to decide on the issue of data breaches. It carries the same rank as a civil court and its decisions will be appealable to a High Court. This fact is enough of an incentive or disincentive for the board to work transparently. Simply saying that it would be appointed by a third-party will not guarantee its adequate performance. The objective of this government is that the board adjudicates on disputes fairly and transparently because it can otherwise be legally challenged. I believe the system’s structure is efficient and cost-effective. Anyone who insists that the board is not independent enough is missing the point that the board will have to establish its credibility through its own performance.
