With Conceptual Issues Still, India's Data Protection Bill Should Not be Rushed Through

The report does not consider how the domestic law and policy will fit into that global context, which accounts both for the hybridity of the proposed legislation and its unworkability.

The proposed data protection legislation offered by India’s ministry of electronics and information technology last month is a complex hybrid, blending provisions borrowed from European privacy law and indigenous strains of Indian statutory architecture.

But the draft law’s fundamental unworkability results not from its incoherence of detail, but from the absence of coherent policy-making from which the details of legislation could have emerged.

The committee of experts, on whose vision of the wider context the statutory language is supposedly based, starts correctly by observing that India must have a data governance regime that contributes to a “free and fair” digital economy in India, and it must protect the rights of Indian citizens. Having taken this most important, fundamental step in defining the goals of policy, the report immediately succumbs to conceptual confusions on both points. The desire to please multiple stakeholders results in the hotchpotch design and conflicting details of the proposed legislation.

In the first place, this Indian digital economy is part of a globalised data economy. As the report notes, and as we have written many times ourselves, Indian legislation will of necessity occupy an innovative position globally: US, European, and Chinese models are each not suitable to the Indian condition, while the nature of Indian policy and legislation will be influential throughout the developing world.

But this means that policy-makers must consider how their domestic law and policy will fit into that global context. The report does not address this question at all, which accounts both for the hybridity of the proposed legislation, and its unworkability.

Accessible to global digital economy

If India is to be part of the global data economy, its firms must be able to process the data of European Union citizens. They will therefore have to build all the necessary technical, business and social processes to comply with GDPR.

data protection policy that intends to help Indian individuals and firms access the global digital economy freely and fairly should interoperate with GDPR as smoothly as possible. Any Indian firm complying with Indian law should also be GDPR compliant, to the maximum extent possible, thus removing barriers to the global economy. Tools helping Indian businesses comply with Indian law should also assist all Indian firms seeking access to the global economy to be GDPR compliant. This would indeed be a light unto the developing economies. But on this aspect of the matter, the report is utterly silent and the draft legislation is wanting.

The Indian government should not only be seeking to harmonise Indian data protection law with the GDPR in order to maximise Indian firms’ access to the global data economy, it should be directly engaged with the European Commission in seeking mutual opportunities to define a Euro-Indian global regime. From this potential consensus, as the report notes, the US and China have both diverged in ways that present GoI with enormous potential international influence through cooperation with the EU.

The Data Protection Bill 2018 has been submitted by the Justice BN Srikrishna committee. In this photo, Justice BN Srikrishna hands over the report to IT Minister RS Prasad. Credit: PTI

Harmonisation would be welcome 

For well-intentioned multinationals, such a Euro-Indian movement to harmonisation would be very welcome. They must already implement GDPR compliance throughout their “clouds,” because they will inevitably process data connected with European Union citizens throughout their globalised technical infrastructure. Harmonisation thus offers them enormous efficiencies, which they will help to define and implement, thus putting additional pressure on the other, privacy-averse, platforms in intra-industry and multi-stakeholder fora.

But harmonising new data protection regulation with GDPR, important as it is, is merely an operating requirement of the design, not a primary objective. It is necessary to achieve the goal of enabling further Indian advance in the global digital economy, but not sufficient. What will be required can be described as ‘GDPR+’.

This is where the report mount fails to address the basic conceptual issues around the second objective, to protect Indian citizens’ rights. Here its primary error is making a fetish of consent. Rather than facing the inadequacy of consent to protect rights, however, the report announces a conclusion, by intellectual force majeure without the benefit of argument, that consent is not a means to protect rights but is rather “an end in itself”. Apparently, once we have grasped that the purpose of privacy law is *not* to protect privacy rights, but only to collect and administer consent for its own sake, everything will be fine. The value of consent requirements lies not in the formalities, but in the informational disclosures underlying consent. This is the principle of “informed consent” in the US law of health care, for example.

The concept of informed consent

Consent should follow receipt of clear, thorough and complete disclosure explaining, in forms that the individuals addressed can understand, what information is being collected, what will be done with it, how long it may be retained, who else may have access to it, and what the data subject’s rights are regarding this collection, storage and use.

What the report does not do is to answer the basic questions on which such a privacy policy must rest: (1) what are citizens’ rights; (2) what resulting duties must law impose on other private parties in order to ensure those rights are protected; and (3) what remedies should be available when breach of those duties results in harm? To say that citizens’ consent is an end in itself and that private parties’ duty is akin to product liability for defective consent forms is to turn in a convoluted exam paper that has nothing to do with the questions posed.

This is not the place for a full depiction of how the report should have answered those questions. This, however, is one of the most important area of legislation and Ministry of Electronics and Information Technology should not hurry through the process. Areas such as data localisation, cross border data transfer, breach notification and right to erasure are regressive in the current bill.

Public consultations with multiple stakeholders are set to be conducted and should get necessary feedback. Education and awareness about what this means for common men and women should follow. A rushed through legislation without any vision of the wider context will create the blueprint for “how to do it wrong” depriving India an opportunity to provide leadership that it aspires for.

Eben Moglen is professor of law and legal history at Columbia Law School. Mishi Choudhary is a technology lawyer and managing partner at Mishi Choudhary & Associates.