India’s government has delivered a flurry of announcements about data – where it should reside, how it should be regulated, and how it should be paid for.
The fun kicked off late last week with the debut of the Personal Data Protection Bill, 2022 – a piece of legislation that replaces a 2019 bill that proved so contentious it was shelved before being put to a vote. That bill was prompted by a 2017 court ruling found that Indian citizens have a right to privacy.
The 2022 bill has mostly been well-received, if only because it is less obviously messy than the 2019 draft. However, activist group the Software Freedom Law Centre of India (SFLC) criticized it as “significantly less explicit in the harms which are recognized under it” and therefore offering weak protection from surveillance.
The bill also leaves some important issues to be decided by the government at a time of its choosing. For example, the bill mentions “data fiduciaries” and “significant data fiduciaries” without a definition of either term, but does state that each will be subject to different levels of penalties after a data or privacy breach. Politicians, it appears, will sort out the differences if the bill becomes law.
The SFLC also points out that the explanatory memorandum for the bill offers the following seven data protection principles, but they’re not in the text of the bill itself:
- Lawful, Transparent and Fair usage of personal data by organizations.
- Purpose Limitation – data is utilized only for the purpose for which it was collected in the first place.
- Data Minimization – only that data which is required is collected, and not more.
- Accuracy of personal data – updated and accurate personal data is stored by organizations.
- Storage limitation – personal data is not stored beyond the time period for which it is actually required.
- Security safeguards – adequate security measures to be in place to prevent data breaches, unauthorized access, etc.
- Accountability measures – holding the data fiduciary accountable for the processing of the data.
The bill softens previous prohibitions on cross-border data flows and data sovereignty requirements – changes said to ensure Indian businesses can fully participate in the global digital economy for the benefit of locals.
To enforce the bill, a Data Protection Board of India with the powers of a court will be created, but that body is poorly-defined. India’s IT minister Rajeev Chandrasekhar has asserted it will be independent, but the bill states its members will be “public servants” and is silent on qualifications required for members.
Complicating matters further, India’s Telecoms Regulatory Authority (TRAI) last week proposed formation of a “Data Digitization and Monetization Council” that would define ethical use of data by business and government in India. The TRAI also wants India to create a data sharing and consent management framework. The regulator has not explained how its proposed Council or framework would interact with the Personal Data Protection Bill.
The TRAI’s suggestions emerged in a proposal [PDF] to promote the development of datacenters, internet exchanges, and content delivery networks in India. The proposal floats the ideas of subsidies to attract investment, plus the creation of 33 “datacenter economic zones” in which the availability of land and electricity make building and operating datacenters apposite.
The proposal also suggests India should define its own datacenter construction standards. Subsidies to attract new submarine cable landing stations are also on the agenda.
It is unclear how the TRAI intends to advance its proposals. The IT ministry has sought feedback on the draft bill but won’t disclose any comments it receives.
Delhi has also announced a framework to prevent the publication of fake product reviews. The framework is voluntary, and strongly suggests any online platform that publishes reviews implement a moderation regime to stop fakes. India’s government has flagged the framework will become mandatory at a future date yet to be determined.
All of which leaves plenty of detail to be added to three significant tech policy announcements – a process that The Register does not often observe in other jurisdictions. ®