The Journey of India’s Data Protection Jurisprudence

India’s quest for a data protection regime can be traced back to 2008, when the idea was first mooted in the Indian Parliament through a proposed amendment to the Information Technology Act, 2000 (“IT Act”). The introduction of the new Section 43A under the Information Technology (Amendment) Act, 2008 (“Amendment”) inter alia put an obligation on companies to protect all sensitive personal data and information that they possessed, dealt with or handled in a computer resource by implementing and maintaining reasonable security practices and procedures. The Amendment also imposed a penalty for non-compliance. The Amendment was followed by the introduction of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, which inter alia specify minimum standards of data protection for sensitive personal data, including requiring companies to have a privacy policy, to obtain consent when collecting or transferring sensitive personal data or information, and to inform individuals regarding who the recipients of such collected data are.

Over the years, various sectoral regulations and rules have also introduced suitable remedies and preventive mechanisms for data protection. However, a fragmented set of regulations and the changing trends in technology have exposed the loopholes in the prevailing laws.

The foundation for a single-statute legislation for the protection of data in India was laid down in 2017, in the much-celebrated Supreme Court judgment in K.S. Puttaswamy v. Union of India (“Puttaswamy Judgement”), which recognised ‘privacy’ as intrinsic to the right to life and liberty, guaranteed by Article 21 of the Constitution of India, thus making the ‘right to privacy’ a fundamental right. While chiefly dealing with the scope of rights of a citizen as against the State, the Puttaswamy Judgement also touches upon protections to be accorded to individuals in the private sphere. The Supreme Court linked the value of privacy to individual dignity and used long-standing precedent to hold that the State has a positive burden of maintaining and preserving this dignity. As a result, the Puttaswamy Judgement is not only the basis of establishing a prohibition against privacy-violative State action, but also forms a basis for the State’s mandate to regulate private contracts and private data sharing, in the interest of individual privacy.

This led to the setting up of the Srikrishna Committee, which floated the Draft Personal Data Protection Bill in 2018. After amending the bill pursuant to industry and stakeholder feedback, in December 2019, the Ministry of Electronics and Information Technology tabled the Personal Data Protection Bill 2019 (“PDPB”) in the Rajya Sabha.

This version of the PDPB proposed the overhaul of India’s legislative framework for regulating data sharing in private contracts. It inter alia prescribed compliance requirements for all forms of personal data, broadened the rights given to individuals, introduced a central data protection regulator, instituted data localisation requirements for certain forms of sensitive data and imposed hefty financial penalties in case of non-compliance.

However, owing to various challenges with respect to its implementation, the PDPB was sent for review to the Joint Committee of the Parliament (“JPC”) in 2019. Thereafter, the JPC spent around 2 years amidst the global pandemic examining and deliberating on the nuances of the PDPB.

In the interim period, a committee of experts set up under MEITY issued a report on the Non-Personal Data Governance Framework (“NPD Report”) in July 2020. The intent of the NPD Report was to create a framework to unlock the economic, social and commercial value of non-personal data for corporates, start-ups and the Government. The committee received over 1,500 responses from various stakeholders to the NPD Report and made changes based on the feedback received. In January 2021, the same committee released a revised NPD Report which limited the scope and purpose of sharing non-personal data and expanded on how the PDPB and the recommended Non-Personal Data Governance Framework would function in tandem.

Thereafter, in November 2021, the JPC finally submitted its revised report and draft of the bill. In its new iteration, the PDPB was renamed the Data Protection Bill 2021 (“DPB”) and it brought in various significant changes. A key change was the expansion of the scope of the law to cover not only personal data, but non-personal data as well. The DPB also introduced stringent data breach reporting requirements, regulation of hardware manufacturers, a certification mechanism for all digital and IoT devices to mitigate data breaches and the additional compliance measure of consulting the Central Government for cross-border transfer of sensitive personal data. The DPB also provided for a phased implementation wherein the Central Government may notify different dates for enactment of different provisions.

The expectation was that the DPB would be tabled in Parliament in the budget session held in February 2022. However, the new version of the legislation attracted strong criticism and pushback from various stakeholders, including from within the JPC as well as from domestic and international business houses, for inter alia being more focused on the protection of state interests than on the protection of the data and privacy of individuals.

Consequently, the fate of the DPB is now uncertain, with various media reports suggesting that the Indian Government is likely to scrap the DPB in favour of a completely new data protection legislation. It is further understood from media reports that the IT Act might also see an overhaul to address the requirements of the country’s changing technological landscape.

Amidst the cloud of uncertainty around the data protection regime in India, MEITY in February 2022 released a Draft India Data Accessibility and Usage Policy (“Data Usage Policy”) as an attempt to leverage the economic value of public sector data. The key objective of the Data Usage Policy is to recognise open data, i.e., any dataset which is free to use, reuse, and redistribute by anyone, as a valuable public resource and to overcome current challenges in data accessibility. The Data Usage Policy is applicable to all data and information created, collected, generated or archived by the Indian Government, either directly or through authorised agencies, by various ministries, departments, organisations, agencies and autonomous bodies.

The Data Usage Policy is a laudable first step towards unlocking the economic value of public sector data and has the potential to enable the business ecosystem to reap massive dividends from the contemplated data sharing. However, the absence of a comprehensive privacy and data protection legislation in India and the lack of infrastructural support will make it operationally difficult to assign accountability and provide redressal for privacy violations or data breaches.

It appears that India’s five-year-long endeavour of creating a robust regime for privacy and data protection has slowed down for the time being. However, the initiatives proposed by the Indian Government in respect of the IT Act overhaul and the framework for public sector data sharing indicate that the upcoming months will see critical developments in achieving a holistic data governance framework for India. Further, it will be interesting to watch the reimagining of the data protection regime itself, which will be a difficult task and will require proactive participation from industry stakeholders.

In conclusion, given that India is positioned as one of the largest data markets in the world, a comprehensive data protection and governance regulation will certainly influence and greatly contribute to the evolution of the global data governance landscape.
