Siddhant Dubey & Umang Sethi
In 2017, the Supreme Court of India in the matter of Justice K. S. Puttaswamy vs Union of India declared privacy as a fundamental right and endorsed the need for a robust legal framework in India concerning data protection. Further, in 2018, the European Union enacted the General Data Protection Regulation [‘GDPR’], which placed certain limits on organizations concerning the processing and handling of personal data. In the same year, there was a revelation of a data breach by Facebook and Cambridge Analytica to influence voting outcomes in several countries.
This series of episodes stirred an uproar among nations to come up with an indigenous data protection framework. Pertinently, in July 2018 the Justice B.N. Srikrishna Committee was formed to fill this void in Indian laws. The committee presented its report and proposed the “Personal Data Protection Bill, 2018” to the Ministry of Electronics and Information Technology. Recently, a spin-off version of this bill called “Personal Data Protection [‘PDP’] Bill, 2019” was passed by the Lok Sabha. However, this bill has been receiving severe global criticism since its inception. Justice B.N. Srikrishna himself has called this version of the bill “dangerous” and “a piece of legislation that could turn the country into an Orwellian state”.
Bestowing Arbitrary Powers Upon the State
The 2019 bill provides for the appointment of the Data Protection Authority of India [‘DPA’] and the accountability for the appointment of its members lies in the hands of the Government. The DPA is responsible for the redressal of grievances concerning data breaches. Evidently, the intention of the Bill is to avert data breaches from both state and non-state entities. However, the complication lies in the selection of the members of the DPA, by the government, rather than a neutral or an independent committee. This provision begets the question as to how effective the DPA would be when the accused of a data breach is their employer itself i.e., the Government.
Further, the PDP Bills of 2018 and 2019 both bestow upon the government the authority to elude the provisions of the bill where necessary to preserve ‘public order’. Notably, the Bill of 2018 had provisions calling for a two-part test for determining necessity and proportionality; however, there are no such checking mechanisms in the 2019 Bill. Considering the Indian government’s record for the highest number of internet shutdowns in the name of public order and tranquillity, one can envisage the ways that this public order exception will be exploited by the government for violating the privacy of its citizens.
The most dejecting aspect of this Bill is the way it deals with the acts of privacy breaches. As per the Bill, if data gets stolen, then it is in the hands of the organization storing such data to decide whether it should be reported to the DPA or not. If the organization believes that the data stolen is not potentially harmful, the breach would not come to the knowledge of the DPA. Further, if the theft is reported, then similar powers lie in the hands of the DPA. If it thinks that the data stolen was important, only then will the owner of the data be informed about the theft, otherwise not. Why this is alarming can be easily understood from the recent incident where Google issued a warning to 12,000 of its users globally about government-backed attackers, of which 500 users were from India. If such acts go unchecked and the victims remain uninformed, the government can exploit valuable personal information in any way it wants, even to go so far as to influence voters which was the case with Facebook and Cambridge Analytica.
Anecdote of Privacy and “Social Media Intermediary (SMI)” with Data Localization
Another polemical issue of the bill is the implication of the SMI guidelines, which obligate specific social media platforms to give users the option of voluntarily verifying their accounts. The paramount problem with this obligation is that it conflicts with the primary principle of similar laws globally, which has been emphasised in the present bill as well, i.e. data minimisation. This principle asserts that no organisation should collect more information than required to meet its purpose. However, the verification obligation is a state diktat forcing the companies to collect more data about their users than necessary. This provision also seems to be an indirect move for the expansion of the information available to the government.
Notably, the intention behind the obligation of verifying accounts has been specified neither in the bill nor in the statement of objects and reasons. However, as per the judgment laid down in Puttaswamy v. UOI, the legitimate aim required to justify the state’s privacy infringement must be sufficiently explained. Hence, this provision can also be subjected to constitutional scrutiny.
This legislation must also be read in conjunction with section 35, which provides the state with the power to exempt any government authority from accusations concerning the processing of personal data in the interest of the state’s security where necessary.
Additionally, the belief that storing domestic data within the physical boundaries of India will make the data secure from cybercrime is fallacious. As per Allied Startup, Brussels, “Data security and integrity are best provided through encryption and clear legal frameworks rather than a mere site of data stored”.
Also, there are two types of data, i.e. personal and non-personal. As per the PDP Bill 2019, personal data is further classified into two: (a) sensitive personal data and (b) critical personal data. While sensitive personal data is clearly defined in the bill, critical personal data is not. Of these two categories and all the other sorts of data, only sensitive personal data is allowed to be stored outside borders. If data protection was paramount, the proposal of storage of all types of personal data within the country would have made sense (as proposed in the 2018 draft of the bill).
India’s poor performance in protecting data is another concern with data localization. A report states that 75% of all the surveyed users of India have experienced a data breach at some point, while another study asserts that in 2019 alone, India reported about 390,000 cybersecurity incidents.
Impediment to Economic Prosperity
The requirements of the data localization bill, if implemented, would act as a significant trade barrier in digital trade between India and other countries. These provisions tend to elevate the costs of service providers, as these corporations already store and process personal data outside India, and mandating them to construct new data storage centers in India is redundant. For firms that operate with financial constraints, it is very hard to re-establish needless computing facilities in India, and hence this could definitely act as a market access barrier. Also, if they manage to cope with the increased cost of establishing new data centers, these costs might be passed on to the customers, hence making their services more expensive in India.
As per a study by the European Center for International Political Economy, if the European Union implements provisions as harsh as those proposed in India, it would suffer a loss of around 50 billion Euros, i.e. 0.5% of its entire GDP. Now, applying a similar calculation for the Indian economy, the country might lose about 8.4 Billion Dollars annually.
These provisions, apart from being trade barriers, would also impede “cross border movement of services” and “free flow of data”. As per the General Agreement on Trade in Services [‘GATS’], all member states must provide equal playing space to every service provider, irrespective of the provider’s nationality. As India is a member of GATS, its new PDP bill could be held liable for infringing its commitment to the free flow of services under GATS.
Data localization is an expensive event. As per a study, implementing the provisions of data localization could lower the country’s GDP by 0.8% and domestic investment by 1.4%. Also, the extra cost needed to comply with the provisions of the new PDP bill might turn India into a less yielding destination for both foreign and Indian firms. Small Indian firms that heavily depend upon cloud computing for data storage could suffer an increase of 60% in their costs.
Conclusion and Way Forward
For any provision of the present data localization bill to succeed, the Government should first try to articulate coherent policy goals, manifest reasonable data protection practices, reform state-surveillance laws, be more transparent in its functioning and aid the establishment of physical data storage centers while keeping in mind the cost efficiency, specifically of those in financial constraints. Today, data protection regimes across the world, including GDPR, do not contain data localization norms, but regulations for cross-border data flow. If India cannot totally scrap the provision of data localization, the least the government can do is to relax data transfer norms. Lawmakers must realize that data localization does not solve the plight of privacy or national security, but rather trammels the nation’s economy, which is already in a downslide due to COVID.
The authors are both undergraduate students at the Institute of Law, NIRMA University.