Back in 2018, a panel headed by former Supreme Court judge BN Shrikrishna was created to formulate a data protection bill for Indian citizens. The decision to create such a panel came in the wake of growing data breaches by big tech, most notably, Facebook’s Cambridge Analytica Scandal.
This bill, which has been coined the Data Protection Bill was approved by the Union Cabinet headed by PM Narendra Modi this Wednesday.
Data storage and monopolization by big tech has been a burning issue in recent times, as governments and citizens alike are becoming more aware of the implications of personal data being stored in databases of international giants like Facebook, Google, Apple, etc. Thus, legal regulations in favor of citizen data protection have become the need of the hour.
Data Protection Bill: Key Provisions
The bill will be proposed for final approval in the Parliament’s winter session. Some major provisions under the bill have to deal with how tech giants handle Indian users’ personal data, the exercise of consent by consumers, and penalties for breaking the laws.
First and foremost, the bill defines personal data as any credentials that can be used to specify an individual’s identity such as their religious background, ethnicity, biometrics, sexual orientation, etc.
The bill will make it mandatory for all tech firms with an Indian consumer base to store sensitive personal data about Indian consumers in servers based in India, instead of overseas ones. However, it allows for the processing of data overseas, granted that the data owner consents to it. Non-consensual data processing is only permitted in cases of national interest and security or court order, and other urgent instances.
If a company fails to adhere to these laws, they’ll be liable to a penalty of 15 crore or 4% of the company’s global annual revenue, depending on which amount is greater. Additionally, the bill proposes a jail term of up to three years for the executive in-charge of conduct of an offending company, according to sources.
The bill also states that minor offenses can be penalized with a fine of 5 crore or 2% of the company’s global revenue.
The bill could also possibly mandate the establishment of a Data Protection Authority as a regulatory body for data processing activities, judging by the initial propositions made for the bill in 2018.
Pros and cons of the bill
The Data Protection Bill would limit the ability of international tech giants to exploit user data, and could possibly secure Indian users from data breaches. It would also create greater local activity by tech companies, and, thus, generate jobs for Indians.
However, the bill lacks provisions that empower citizens at an individual level. It fails to address or grant individual rights and agency to data owners.
The bill’s provisions also create the need for sophisticated infrastructure that would allow safe encryption and storage of data, with minimum possibilities of breaches. However, India lacks that kind of infrastructure at this point. This also makes way for the possibility of the Indian Government to leave it up to tech companies to come up with the right kind of infrastructure.
However, the most striking criticism of the bill is its facilitation of data sovereignty. While the bill prevents international giants from exploiting consumer data, it also transfers this ability into the hands of the Indian Government. Thus, it puts the government over a competitive advantage over international tech giants and, thus, does nothing to put an end to the commercialization of user data.
The government’s unfettered access to data also poses threats to individual privacy and undermines individual sovereignty.
When looked at alongside the recent IT Act Amendment allowing for content screening and tracking, a pattern emerges pointing towards a potentially stifling digital landscape for Indians in the coming years.