New Data Protection Bill to Enable Progressive Data Governance Framework

Along with India’s digitization efforts, privacy risks and concerns have come to the fore, where companies have created a privacy vacuum that requires addressing. For this reason, policymakers now face the dilemma of the “privacy paradox”, which is how to ensure a mutually beneficial trade-off between securing an individual’s personal data while using it for economic advancement. of the collective. As the government works on a new personal data protection bill, it is crucial to consider some of the features that enable a strong and interoperable law to catalyze Indian techade.

First, the 2019 bill’s need for an extremely elaborate and stringent consent and notification framework was concerning. The strong framework that pledged to protect the privacy of an individual’s data would have made the bill’s privacy design even more redundant. The consent and notification framework in the new bill should be handled in a way that respects the right to privacy of information while avoiding consent fatigue for consumers. For example, individuals may receive countless privacy notifications causing consent fatigue; this issue was considered and acknowledged in Judge Srikrishna’s committee report. Also, from a business perspective, the cost of compliance, especially for small businesses, will be huge and could lead to additional costs. The new personal data governance framework should focus on simplifying the consent and notification framework so that individuals can easily understand how and for what purpose their personal data is being processed. In addition, the new bill must provide better ways and means to obtain consent, which is inclusive, less cumbersome and efficient.

The second concern related to the mandatory location of sensitive and critical personal data in the 2019 bill, where certain conditions were imposed on the transfer of sensitive and critical personal data across borders. If implemented, this provision would have increased operational and implementation costs for businesses. This is especially true for start-ups that rely heavily on cloud servers based around the world for storage and analytics. Through our impact study, we found that start-ups are more likely to be affected by the data localization mandate, as it would increase the compliance burden and require system-level changes, which could be difficult and expensive. They also raised concerns about the 2019 bill’s unharmonised nature with globally accepted privacy standards. There is a greater need for interoperability between international and national standards for greater ease in cross-border data flow. To provide a formidable personal data governance framework, one of the priorities should now be to ease data localization compliances.

Furthermore, trade in the 4th industrial revolution, i.e. the transformation of industrial processes with rapidly changing technological developments and societal patterns, is fragmented in terms of geographically dispersed global value chains (GVCs), which creates interdependence between countries. As the GVC is geographically fragmented, this has paved the way for the international distribution of production processes, where certain production-related activities and tasks are carried out in different countries. While cross-border production in the form of GVCs may not be new, a key element propelling and transforming GVCs is information and communication technology, which makes the flow of goods and services transparent. one level of production to another. While allowing cross-border data transfers is beneficial overall, it is more lucrative to allow the same with countries that share a positive relationship in trade, investment, etc. Therefore, the Indian government can focus on bilateral or multilateral agreements to establish mutually beneficial and guaranteed principles with partner countries such as UK, US, EU, Australia, etc., for data storage, access and cross-border flows. For example, in our recent report with UKIBC, we highlight the importance of having an interoperable and harmonized data protection regime for India and the UK to facilitate the free flow of data and broader digital commerce. discussing barriers and providing a way forward.

Third, the proposed Data Protection Authority (DPA) will be the cornerstone of India’s data governance efforts, and it is to function as an independent supervisory authority for all relevant stakeholders, including the government. In addition, more attention needs to be given to capacity issues and the ability of the regulator to work in harmony with pre-existing regulators in other sectors.

The Indian government has moved in the right direction by withdrawing the PDP Bill of 2019. Personal data governance is a new challenge that should not be tackled in a hurry. To introduce and implement a great data governance framework, research and proper stakeholder consultation are needed.



The opinions expressed above are those of the author.