The ill-fated PDP law – which has undergone numerous iterations by a joint parliamentary committee since 2018, including a brief stint as “Privacy Bill 2021” – has reportedly been scrapped, to be reformulated from the ground up, so we’re back to the drawing board. The PDP bill introduced various controversial concepts such as data localization and data mirroring, which caused great consternation among business stakeholders who would have had to redesign significant parts of their data flow architectures to meet such requirements. The existing IT law is a relic of its time and does not adequately meet modern data protection requirements. Therefore, a comprehensive overhaul of all data laws in India is a positive step to solve India’s data problems in a holistic way.
Changes in technology and data-related laws are not limited to India. Strict privacy laws such as GDPR, California’s CCPA, and China’s Personal Data Protection Act are the norm today, with each jurisdiction rigorously protecting the privacy of personal data. All of these laws came into force within the last decade. Countries around the world are now working to incorporate the protections of these laws into their data flow structures to protect both commercial interests and individual rights. In March 2022, US President Joe Biden and European Commission President Ursula von der Leyen jointly announced efforts to create a new EU-US data exchange regime that will complement/replace the existing EU-US Privacy Shield. The recent Schrems I and II judgments of the Court of Justice of the European Union have invalidated the existing Privacy Shield due to US surveillance laws disclosing data of EU citizens, raising uncertainties around data transfers between the EU and the USA. Any law that mandates blanket localization of all data without equivalent safeguards for data abroad could risk violating the standards set by the EU, as well as various other data laws of several countries.
The forthcoming changes to data protection laws in India, in whatever form, must be aware of the changing approach to data protection around the world. The Indian government’s recent Data Accessibility and Use Policy, which was scrapped almost as soon as it was published, appears to largely fall short of this, narrowly focusing on the commercialization of large datasets.
Any new legislation from the Government of India must take into account a few key factors. First, the law should require companies and government agencies in India to adopt a “privacy-by-design” approach, where the default approach to handling personal data is to give data controllers complete control over privacy, with options ranging from opt-out opportunities to grant options. Second, commercialization of data should be strictly opt-in, constrained by the requirement for robust security standards. Finally, aspects such as data localization, categorization of data types, cross-border transmission and storage should be regulated with due regard to business operations, weighing individual rights. Ancillary provisions are intended to provide clarity on aspects such as regulatory procedures, logistics, data centers and broadband connections.
India is now one of the last countries in the world that does not yet have a comprehensive, modern data protection law. Given India’s desire to promote a global image of a digital economy with a booming data services industry, the government must act quickly to introduce a framework that puts it on par with its partners on the international stage. Unlike other laws, data protection laws cannot work in isolation in a national setting and must necessarily work well with their international counterparts.
The author is a Partner and Sriram SL, Senior Associate, at J. Sagar Associates (JSA).