The Politics of India’s Data Protection Ecosystem

The Personal Data Protection Bill, or the PDP Bill, has been listed for introduction in the winter session of Parliament.^[1] The bill has far-reaching consequences for political economy, private industry, and India’s diplomatic posturing. The governance of technology is inherently political, and the Government of India has repeatedly stressed the need for strategic autonomy in carving out its “data sovereignty vision.” Entities within the bureaucratic machinery, along with several doyens of Indian industry, have been proactive in painting India’s cyber policy vision as one that would guard against continued “data imperialism” by foreign technology players, and ensure that data generated by Indian citizens is utilised for their welfare.

Along the way, there have been several flaws in the instruments responsible for the realisation of this vision, and this has been highlighted constantly by civil society and academics. Unfortunately, the relative scarcity of public information about the interests of various lobbying groups has prevented us from conducting a comprehensive empirical survey to assess how interest groups have aligned on different sides of the lobbying battle; as has been done in the case of the evolution of the General Data Protection Regulation (GDPR) (Atikcan and Chalmers 2018). 

Background to the PDP Bill 

The process towards the latest version of the data protection law began in 2017. However, despite repeated statements that India will soon have this law in place, we have seen little movement. In 2017, during the Supreme Court hearings in the referral matter before the constitutional bench to clear the judicial uncertainty around the existence of the right to privacy in K S Puttaswamy and Anr v Union of India and Ors 2017 (the Puttaswamy judgment), the Government of India announced the setting up of an expert committee to frame India’s data protection law (Agarwal 2017). The Ministry of Electronics and Information Technology (MeitY) formed a 10-member committee led by retired Supreme Court judge B N Srikrishna. This was not the first exercise towards the creation of India’s data protection law. In fact, over the last decade, there have been other such efforts and bills. In 2012, Justice A P Shah had led another committee of experts and provided detailed recommendations towards the creation of a data protection regulation (Agarwal 2017). Before the MeitY, the Department of Personnel and Training had been the nodal authority working on a privacy legislation, and there were at least two different drafts, one from 2011 and another from 2014 (Hickok 2014) that were produced. 

The composition and processes followed by the committee led by Justice B N Srikrishna attracted some criticism. An open letter sent by advocacy group Internet Freedom Foundation, which also led parallel efforts called #SaveOurPrivacy—a movement in support of a model draft law—criticised the composition of the committee citing lack of representation from civil society, and instead suggested having representation from those who “had been votaries of the Aadhaar infrastructure, and so may not be a position to objectively and critically analyse the Aadhaar infrastructure from the standpoint of Citizen's Data Security and Privacy.” Another criticism of the functioning of the committee was the lack of transparency (Deep 2018). The MeitY stressed that the submissions were “confidential” and “not available for public dissemination,” unless the entities who submitted responses provided consent.

Development of the Data Protection Ecosystem

On 27 July 2018, the Srikrishna Committee submitted a draft of the Personal Data Protection Bill, 2018 to the MeitY, along with a report titled “A Free and Fair Digital Economy” (Srikrishna Committee 2018) On 14 August, the MeitY invited public comments on the bill to be received in 20 days till 5 September, a period that was later extended until 30 September. Even though there were reportedly over 600 submissions, the MeitY refused to make these public. 

In 2019, two iterations of the draft national e-commerce policy (second one christened with the theme “India’s Data for India’s Development”) were put out by the Department for Promotion of Industry and Internal Trade (DPIIT) under the Ministry of Commerce. These endorsed certain provisions in the draft PDP Bill, but also fostered a lack of clarity regarding concepts such as “community data”—data is viewed as a “societal commons” or “natural resource”—held by an unidentified (presumably national) community (Basu 2019). While ambitious in its vision, the policy failed to highlight any meaningful ways in which “community data” can be utilised by the government, or a clear demarcation between personal and non-personal data. To complicate matters further, Chapter 4 of the Economic Survey released by the Ministry of Finance in July 2019 conceptualised data as a “public good” once data sets are anonymised without any mention of data protection, barring a passing note on respecting privacy norms. Further, the end of the chapter appeared to suggest that this data can be sold to public firms without clarifying whether this means foreign or domestic firms. This defies the essence of a public good, which is defined as being non-excludable and non-rivalrous.

In September 2019, the MeitY also set up an expert committee to provide recommendations on the governance framework for non-personal data. While their recommendations will not impact the PDP Bill, they will likely serve as the edifice for the governance of any data classified as “non-personal.”

Table 1: Timeline of Key Developments surrounding the PDP Bill

Table 2: Summary of stakeholders and key interests

Key Issues, Engagements and Conflicting Interests 

Data Localisation

The data localisation provisions contained in Sections 40 and 41 of the draft PDP Bill were probably the most controversial, and generated heated debate. The provisions were an addition to a slew of notifications and policies across ministries that had mandated localisation in some form (Basu et al 2019). While there were a number of reasons for data localisation provided in the report of the Srikrishna Committee, two stood out in particular. First is the cumbersome and time-consuming process that law enforcement agencies have to go through during criminal investigations to access data stored in the United States (US), which has been, according to law-enforcement officials, a major fetter to the successful completion of criminal investigations (Sinha et al 2016). Second, data localisation is viewed as a means of combating “data colonialism,” which refers to the extractive economic models used by Western (largely, US) companies to use data generated in developing countries like India to consolidate their global market power.

The debate on data localisation is certainly driven by perceived economic interests, among several stakeholders. A previous paper (Basu et al 2019) analysed the responses of 51 stakeholders to India’s localisation gambit. Stakeholders arguing for data localisation include large Indian corporations such as Reliance and PhonePe, which have the capacity to build their own data centres in India, or pay for data to be stored on Indian servers. Mukesh Ambani, Chairman of Reliance Industries, has been a vocal proponent of data localisation, using the government’s “data colonisation” narrative (Economic Times 2018). Chinese players like AliBaba and Xilinx have also taken pro-localisation stances, possibly because some of them have already set up data centres in India (Variyar 2018).

On the other hand, industry associations, including the Internet and Mobile Association of India and National Association of Software and Services Companies (NASSCOM), have spoken up against data localisation, citing the cost to start-ups and consequent hurdles for India's innovation ecosystem. Big foreign technology players—Google, Facebook and Microsoft—have consistently pushed back against data localisation. Lobbying groups representing their economic interests, such as the United States India Strategic Partnership Forum (USISPF) (USISPF 2018) and the Information Technology Industry Council (ITI), have done the same. Civil society and academia, both in India and abroad, have also been largely opposed to data localisation.

Despite constant lobbying by their public policy verticals, Master Card (Alawadhi 2019), Facebook-owned WhatsApp (Aryan 2019) and Google Pay (Barik 2019) have promised to comply with the Reserve Bank of India’s (RBI) localisation directive and store all their consumers’ financial data in India—a condition for getting on board the United Payments Interface (UPI). However, in a big blow to WhatsApp, the RBI told the Supreme Court that Whatsapp is non-compliant with India’s data localisation norms and directed the National Payments Corporation of India (NPCI) to disallow a full scale launch of payments by WhatsApp on the Unified Payments Interface (Mishra 2019).

Various political representatives of the US government have taken an active stance against data localisation. President Trump explicitly opposed data localisation at the G20 Leaders’ Summit in Osaka. The localisation issue has certainly caused fissures in the Indo–US trade dynamic. As India and the US negotiate a free trade agreement, the US has stressed the importance of the free flow of data, goods and services (Economic Times 2019a). For instance, before Secretary of State Mike Pompeo’s trip to Delhi in June 2019, the Trump administration reportedly threatened to limit H-1B visas for any country that has data localisation requirements (Dasgupta and Kalra 2019). US Commerce Secretary Wilbur Ross has also echoed the sentiments of several US lawmakers, bureaucrats, and industrialists claiming localisation restrictions are a barrier for US companies (Pahwa 2019). Protracted lobbying by various stakeholders has been driven largely by economic interests. For the Indian government, however, it is not just a matter of economics, but a key component of its data sovereignty vision.

The Indian government has embarked on a concerted diplomatic mission to convince global players of the vitality of its “data sovereignty” vision, and bilateral and plurilateral agreements continue to be the battleground for the future of data localisation. At the G20 Summit in Osaka in June, India, along with the BRICS grouping, stressed the role that data plays in the advancement of emerging economies and refrained from signing the Osaka Declaration on Digital Economy that kickstarted the “Osaka Track” (Sherman and Basu 2019). The Osaka track, which India has consistently opposed, is spearheaded by Japan, and its 78 signatories have agreed to meaningfully take forward global policy discussions on international rule-making for e-commerce at the WTO.

India recently also opted out of the high-profile Regional Comprehensive Economic Partnership (RCEP), a 16-country trading deal between members of the Association of Southeast Asian Nations (ASEAN) bloc and six trading partners (Economic Times 2019b). The decision to opt out was ultimately due to factors other than data localisation, including large pre-existing trade deficits with member nations and threat of a surge in imports (especially from China). However, at the latest round of negotiations in Bangkok on 11–12 October, India blocked the e-commerce chapter and the financial services agreement because it would interfere with its “essential security interest and national interests” (Suneja and Narayanan 2019). However, reports that emerged on 21 October suggest that India was willing to relent on this stance, and allow for the e-commerce chapter to go ahead without the localisation provision (Mathew 2019). This is a crucial development as it indicates that India is willing to abandon a hard-line stance on localisation to achieve global economic or strategic cooperation. Though, as India ultimately opted out of RCEP, it remains to be seen how it engages in debates surrounding the free flow of data when it negotiates a trade deal with the European Union (Haider 2019).

Governing Personal and Non-personal Data

The PDP Bill defines personal data as any “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.” This definition diverges slightly from some of the international definitions of personal data. For instance, under the GDPR definition provided in Article 4, there is specific reference to “identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.” Despite the differences, it is clear that the identifiability of a natural person is the central idea behind determining what is personal data. 

How we define and govern personal data has clear implications for both the state’s ambitions, where it views data as central to India’s geopolitical ambitions, and the private sector’s interest in using data for commercial gains. Aside from the data protection regulation, several other policy documents, such as Niti Aayog’s National Strategy of Artificial Intelligence, Ministry of Commerce’s Artificial Intelligence Task Force Report and the Economic Survey of India 2018–19, echo a growing national vision where data is at the centre of the state’s welfare agenda, as well as its ambitions to compete in the artificial intelligence (AI) race. Yet, while there is an abundance of these policy documents, there has been little effort to analyse how this vision aligns with the need to protect the interests of citizens while processing personal data. Leveraging data for both welfare and innovation requires untangling the tricky matter of how personal data is differentiated from non-personal data, how we must deal with mixed datasets, and how to meaningfully obtain consent for these additional purposes. There is a clear indication of the intent of the Indian state to extract value from large data sets on Indian consumers maintained by large corporations. Yet, both the legal and economic particulars of such an arrangement remain unexplored. 

This intent is clearly reflected in the setting up of a new committee (Committee set up by Ministry of Electronics and Information Technology under the Chairmanship of Kris Gopalakrishnan) to look into the question of non-personal data (Agarwal 2019). Some of the issues that the committee is likely to look into include the economic value of data and how a nation can create value using the data of its citizens, and the need for property rights with respect to data and building of public databases. Influential policy actors, such as Nandan Nilekani, have spoken about the value of data as an unlimited, non-rivalrous source, particularly in a country like India (Nilekani 2017). Nilekani has used the term “data democracy” to refer to people’s ability to trade their data. 

Unlike other commodities, where ownership is often synonymous with physical or legal control over the commodity, data cannot be possessed by just one person. As data processing is a shared process, often involving the participation of a variety of actors, this poses difficulties in determining control and ownership over data. The exploitative nature of mining personal data creates an imbalance in the benefits accrued to those whose data is utilised for financial gain, and those who gain monetarily on the basis of their access to data. This idea of commodifying the data of Indian citizens was reinforced by Prime Minister Narendra Modi’s address in Texas, where he said that India’s new identity was defined by its low-cost data, available at 25–30 cents for 1 gigabyte of data (Economic Times 2019c). Justice Srikrishna has, however, called the government’s approach of “data as an asset” dangerous. 

What we witness is a lack of convergence between the position of personal data being considered a matter of right under the draft law and the Puttaswamy judgment on right to privacy in 2017, and that of data as an economic asset to be exploited for national gains under the various policy documents mentioned in this essay. A resolution of these two contrasting positions is essential for a coherent regulation of personal data processing.

Debates on non-personal data will probably be resolved by the recommendations of the non-personal data committee. While it has representation from multiple stakeholder groups, the members of the committee have similar positions on the governance of non-personal data. The committee is headed by Kris Gopalakrishnan, one of the co-founders of Infosys with Nandan Nilekani. Other members from the private sector include Lalitesh Katragadda, who is affiliated with a financial inclusion technology venture funded by Nilekani and Ratan Tata, is a volunteer with the Indian Software Products Industry Round Table (iSpirt), and a supporter of data localisation as a means for safeguarding India’s “data sovereignty.” iSpirt has been acknowledged in the Economic Survey, and has previously detailed the importance of carving out data as a public good when it was involved in constructing Aadhaar, India Stack and several other technology stacks for the Government of India (Kodali 2019). Civil society representatives include Parminder Jeet Singh, the executive director of IT for Change, who has been vocal in his support for conceptions of community data (P Singh 2019a) and restrictions on cross-border data transfers in the national interest (P Singh 2019b). Finally, members from government bodies include the Joint Secretaries of DPIIT, who have endorsed the idea of “data as a national asset,” and the MeitY, which has espoused data localisation. Representation from these government bodies is also an indication that they are looking to converge on a framework that balances the governance of non-personal data along with data privacy concerns.

The deliberations of the expert committee are ongoing, and while they have consulted with leading e-commerce players Flipkart and Amazon, and ride-hailing apps Uber and Ola, they have not put out a public request for comments. It is unlikely that their recommendations will steer far away from the suggestions in the draft e-commerce policy and Economic Survey, given the stances of its members, and the roles they have played in formulating each of these policies. However, one should expect further clarity and coordination as a result of these deliberations, especially since two crucial ministries—the MeitY and Ministry of Commerce (through the DPIIT)—are on board, along with expert representation from both the civil society and private sector.

The Government's Use of Data

The PDP Bill contemplates a drastic change in data collection and processing practices in India. So far, both the private sector and the state have operated in a largely unregulated space, where they do not have to worry about checks and balances and processes to protect the privacy interests of the citizens. There is obvious discomfort about the nature and form of regulation being introduced. The state’s agenda has, to some extent, already seen significant concessions in the language of the bill. 

Section 13 of the bill allows the state to process data without the consent of the individual in the following cases: i) where it is necessary for any legislative function; ii) where it is necessary for the state to provide a service or benefit to the individual, and iii) where it is necessary for the state to issue any certification, license or permit. In order to carry out (ii) and (), there is also the added requirement that the state function must be authorised by law. 

The use of the words “necessary” and “authorised by law” is intended to pose checks on the powers of the state. The first restriction seeks to limit actions to only those cases where the processing of personal data would be necessary for the exercise of any function undertaken by the state. This should mean that if the state function can be exercised without non-consensual processing of personal data, then it must be done so. Therefore, while acting under this provision, the state should only process one’s data if it needs to do so to provide that individual with the service or benefit. The second restriction means that this would apply to only those state functions that are authorised by law, meaning only those functions that are supported by a validly enacted legislation.

The final report by the Srikrishna Committee interestingly mentions three kinds of scenarios where consent be not be required—where it is not appropriate, necessary, or relevant for processing. The report goes on to give an example of inappropriateness. In cases where data is being gathered to provide welfare services, there is an imbalance in power between the citizen and the state. Having made that observation, the committee inexplicably arrives at the conclusion that the response to this problem is to further erode the power available to citizens, by removing the need for consent altogether under Section 13.

This issue was a subject in several comments submitted to the committee in response to the draft law (Dvara Research 2018). The draft law has two conflicting objectives of protection of personal data of citizens from the state, and of the state’s need for ease in delivering services and performing its functions. It is lopsided in that it favours the latter objective. One possible way to resolve this issue meaningfully would be to apply the standards of proportionality along with necessity to the state’s use of personal data. 

Surveillance Reform

It must be noted that the Srikrishna committee was constituted to make suggestions on “principles to be considered for data protection in India and suggest a draft data protection bill.” The mandate given to the committee did not cover surveillance reform. This is peculiar as one of the foremost privacy issues that India has been grappling with has been the complete lack of surveillance governance either in the form of legislative oversight or judicial review. 

However, as the law will relate to the processing of data both by the state and private actors, the PDP Bill deals with the use of data in order to discharge sovereign functions. Without going into detailed questions of surveillance governance, the PDP Bill identifies the globally accepted principles of necessity and proportionality as pre-conditions for any exemptions from data protection obligations, for security of the state and domestic law enforcement activities. These provisions, while far from perfect, provide a potential window for surveillance reform, either through the data protection authority, or through legal proceedings that can be initiated in furtherance of these provisions. 

Some of the lack of clarity about the final form of the legislation could also have to do with surveillance reform issues. There have already been reports of the Ministry of Home Affairs seeking insulation from data protection obligations so that “its work/role is not hampered, especially in the areas of security and law enforcement” (R Singh 2019). On the other hand, Justice B N Srikrishna has spoken about the need for judicial review of surveillance decisions (Pahwa 2018) while stopping short of prescribing such a standard in the PDP Bill. 

In Conclusion

Despite several steps towards a data protection regulation in the last decade, so far, the Indian government has failed to pass a law. For the better part of this time period, this has been the case due to a lack of political will in successive governments. Over the last few years, there has been significant pressure from the judiciary, as well as other actors, including voices from civil society, to create a robust law. At the same time, there has been greater recognition of privacy as a social and economic good among the general public, as a response to incidents such as the Cambridge Analytica data scandal. These developments coincide with a growing national ambition to leverage the data of the country’s citizens for national economic gain. It is clear that the two primary interests of any data protection law—protecting the privacy of the citizens and using citizens’ data for economic gain—sit uneasily with each other, and a failure to meaningfully resolve this conflict has perhaps led to a delay. The large shadow cast by key figures from the domestic private sector lobby has had direct ramifications on the evolution of India’s data policy vision.

There is a need to see the privacy of the citizens as the primary end goal of data protection legislation. It is perhaps this clarity of vision that may help the policymakers in resolving the competing interests of the state’s welfare and surveillance agendas, the private sector’s gargantuan appetite for personal data, the need for community data to facilitate bottom-up innovation, and the ability of individuals to exercise their right to privacy.

Since this article was written, a revised version of the Personal Data Protection Bill was introduced in Parliament and sent to a Joint Parliamentary Committee for consideration. Many of the interests identified in this article were articulated in multiple provisions in the new Bill. The provision on data localisation has been diluted with the mirroring provision being done away with and restrictions being imposed only on “sensitive personal data” and any data notified as “critical personal data.” Undoubtedly, this dilution was a product of the continuous lobbying done by US-based technology companies in conjunction with trade diplomats.

Safeguards for surveillance have received a big blow. The “necessary and proportionate” standard—recognised both in constitutional and international law—has been done away with and replaced with the term “necessary and expedient,” which is not a legally recognised standard and gives far greater discretion to the government. This article had identified that government agencies had expressed the need to dilute the safeguards present in the original bill.

Finally, non-personal data has found its way into the text of the revised bill. Sticking to its grand vision of ensuring that India's data is used for India's development, the government included a provision clarifying its power to frame any policies that would benefit India's digital economy, so long as it did not concern personal data. It goes on to state that, in consultation with the Data Protection Authority (DPA), it can direct any data fiduciary to hand over anonymised personal data or other "non-personal data" for the purpose of “evidence-based policy making” with no clarity on what evidence-based policy-making might entail.

As the Joint Parliamentary Committee commences its deliberations, we have no doubt that the interests identified in this article will continue to shape the contours of the bill. The key question is whether the final text will be able to grapple with the politics of the multiple interests shaping this bill while still championing and prioritising citizen rights.