An analysis of India’s Personal Data Protection Bill, benefits and objections of various stakeholders.
The government’s decision to withdraw the Personal Data Protection Bill 2019 so close to its implementation comes as a surprise to many. Despite being in the works for nearly four years and having gone through multiple iterations, the bill has been abandoned in favour of a new bill that is expected to have a more “comprehensive legal framework”. This decision comes amidst disapproval from major tech companies like Google, Surfshark and Facebook over its most recent iterations. Industry experts also appear divided, with many on either side. But was this the right decision?
The first thing we need to understand is how complicated it is to regulate data privacy. Traditional AppSec has lists of best practices and known vulnerabilities that, if followed to a T, can overcome most threats, but there is no such list for data privacy. Drafting a personal data protection bill for India requires a thorough understanding of how to parse the sensitive and non-sensitive data of about a billion citizens. There is no denying that every user has a right to privacy and protection, but the government also needs to have access to certain information about its citizens. What is black to some is white to others – data privacy is a grey area and is subject to different perspectives.
What was wrong with the bill?
The bill wasn’t perfect by any means; in fact, a review by the Joint Committee of Parliament (JCP) in 2021 proposed 81 amendments and 12 recommendations. The one area of the bill that almost unanimously raised eyebrows was the control the government could exercise over the storage and use of an abundance of personal and non-personal citizen information, including fingerprints and iris scans. The use cases of such data are limited only by imagination, but that is both a good and a bad thing in every situation. On the one hand, access to such information could greatly benefit the economy and help government programs, extending and regulating the benefits of government schemes to change the lives of those in need. The flip side is that the data could just as easily be manipulated for coercion by linking accounts and privileges to voting. Data is a powerful weapon and can be harnessed for widescale social welfare or for malicious activity like corruption and election rigging.
The Data Localisation provision in the bill was also subject to backlash from big tech companies like Facebook and Google that currently store their data abroad. It should come as no surprise that companies that have been accused of, and penalized for, their continual misuse of personal data should object to a provision that makes them liable for the same. All the provision does is require companies to store a copy of certain sensitive personal data within India and prohibit the export of critical personal data from the country. GDPR policies already have similar provisions in place, and it would be a huge oversight not to recognize that other countries are going to follow suit with similar protocols. Although implementing these changes may be challenging at first, companies like Facebook and Google are more than capable of altering their systems to satisfy the bill. Furthermore, advancements in technology such as data tokenization will make it possible to extract sensitive data by simply referring to it in the source system instead of storing it, presenting endless possibilities for the future.
What could the new bill look like?
Data privacy is a sensitive issue and its protection simply cannot be delayed any longer. The Indian Government is making efforts to emulate the robust security system of some of its western counterparts, but without the allocation of a dedicated budget to cybersecurity, we will continue to fall short. Even the most secure policy in the world is useless without the proper infrastructure.
For both governments and large corporations, data is the next resource waiting to be tapped, offering the potential for business growth, widescale development and social welfare. However, as much potential for good as there is, there is equal potential for data to be deployed towards malicious, anti-social or even criminal ends. This is why the focus is on developing a comprehensive legal framework, or a set of controls, that clearly identifies the intent, decision-making, accountability and methodologies in place to regulate the use of personal data.
The new bill could also focus on controls to protect people in rural areas and under-resourced communities, as they make up the largest chunk of India’s population and are the most vulnerable to cyber fraud. Creating awareness and educating an audience this large about new threats will bring challenges of its own. The government also plans on revamping the compliance-intensive bill to make it easier for start-ups to comply.
Between trying to keep large enterprises happy on the one side and the government on the other, it is the individual citizens who continue to be the victims. With no legal recourse for data protection, they remain targets of malicious activities and complicated manipulation. Ideally, a comprehensive legal framework would be the way to go, but do we have the time to wait? The industry has been waiting for the bill to pass for almost four years. Leaving an industry that handles immense volumes of sensitive data without any regulated protection for even a little while longer is asking for trouble. Something is better than nothing – implementing the bill at the earliest will at the very least give individuals some control on the personal data protection front. Continuing without any regulation is a free pass for any organization or individual with malicious intent – it will encourage a dark ecosystem to thrive, creating yet another parallel economy, fuelled by the lucrative opportunities around it. Meanwhile, the positive and purposeful use of data will be under-exploited, creating a new social inequality.