The report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 is striking for its imagination of what India’s data regulation architecture should look like. It reaffirms the core components (some of them problematic) of the Bill and fine-tunes many aspects. But it has also used the Bill to paint a broader canvas of data regulation for India. Some of these proposals will require greater deliberation in and outside Parliament.
First, the JPC has provided a rationale for regulation more firmly grounded in sovereign interests than has been articulated yet. With respect to the issue of data localisation, for example, the JPC has argued for further procedural constraints on the free flow of data on the basis of security interests. The text proposed by the JPC states that all contracts enabling businesses to take sensitive personal data out of India’s borders will now need the approval of the central government in addition to the data protection regulator (DPA). The original draft only required the DPA’s approval. The report also proposes requirements that limit the sharing of data processed outside with a third country without prior government approval.
The JPC has doubled down on the rationale of data localisation as an instrument for developing local innovation, AI eco-systems, and for ensuring proper taxation of digital companies. In addition, it has used the discussion on security considerations advanced for localisation to argue for the need to develop local financial systems that reduce dependency on existing mechanisms like SWIFT. While the proposed changes to the Bill do not reflect this concern, it is significant that the discussions of the JPC paint a broader canvas of self-reliance than just localisation. Indigenisation may be a more appropriate term to describe the broader thrust of the report’s discussions on these issues.
Second, the report increases the scope of regulation of the Bill. It proposes in clear terms, the need to end the exemptions that social media platforms enjoy from liability based on their status as “intermediaries” under existing law. Its proposal to regulate social media platforms as significant data fiduciaries under the Bill will not make such companies liable for content by itself. The relevant clause requires only mandatory registration in India. However, the related discussion argues that these businesses can no longer be treated as “intermediaries”, but as platforms instead. The shift in semantics strikes a nail in the coffin of the normative concept of giving wide leeway to social media platforms.
Whether these businesses deserve to be treated as intermediaries or platforms would become an empirical question under the JPC’s proposal, not a normative one. Some would argue, as the report does, that the market realities have changed and platforms no longer function the way “intermediaries” are supposed to. Regardless of where one falls on this debate, this proposal would herald a significant exercise of sovereign regulatory power over businesses that some argue are the last bastions of free speech.
On many other aspects of the Bill, the JPC has adopted a workman-like approach. Clauses that proposed to exempt small businesses from certain parts of the Bill have been modified. While the earlier provision sought to exempt “manual processing”, the report proposes a more sensible idea of exempting non-automated processing. Simple lists of names stored on text documents for convenience would now thankfully go out of the ambit of this law, providing necessary leeway to small businesses. This narrows down the focus of the Bill to data-processing activities that originally motivated the need for data protection — the use of big data, automated decision-making, and hard to understand algorithms.
Similarly, the Bill narrows down the scope for employers accessing employee personal data, proposes a simpler mechanism to safeguard children’s data, and provides a timeline of implementation for different parts of the Bill. The most significant aspect of this implementation exercise will, of course, be the creation of the Data Protection Authority — the over-arching regulator proposed to oversee data protection.
On some very contentious aspects of the Bill, however, the report is unfortunately modest. The Bill presented in Parliament gives the central government the power to exempt its agencies from the ambit of the data protection regulation. The text of the modifications proposed in the report do modify this proposal, but in a way that may not amount to much. The report proposes that any procedure followed by such agencies will have to be a “just, fair, reasonable and proportionate procedure”. While this encapsulates the checks laid down by the Supreme Court in its judgment on the right to privacy, it leaves it to the executive to figure out what just, fair, reasonable and proportionate ought to mean. A hard-headed executive may well argue that its existing procedures meet all these tests.
The report takes a similar approach to the provision that enables the central government to require businesses to hand over non-personal data to it. The original provision provided wide leeway to the government regarding the circumstances in which it could exercise this power, and provided no framework for compensating businesses who would have to hand over such data. This discretionary largesse persists in the JPC’s report as well.
Many years of privacy activism rooted in scepticism of state power have ironically led us to this expansion of state power in the domain of privacy. In the final analysis, state power has increased. While some of this is necessary and appropriate, state accountability in matters of privacy continues to elude us. The JPC’s report only reaffirms this fact.
This column first appeared in the print edition on December 18, 2021 under the title ‘Shielding the state’. The writer is fellow and associate research director in Carnegie India. Views are personal