Triumph of hope over reality

Indians are set to become the world’s top data consumers although they made the cut in mobile data consumption. Some time ago, NITI Aayog CEO had tweeted that with 150 cr GB per month, India has become the world’s number one mobile data consuming country. Reliance Industries Chairman Mukesh Ambani had also made the same claim and pointed that Jio users consumed more than 100 crore GB of data per month on the Jio network and that is more than 3.3 crore GB a day. In just 3 years starting from 2014, monthly data usage in the country has increased by 15 times due to proliferation of smartphones and mobile internet. 

While mobile data consumption is bullish, firms like RIL have already invested Rs 2.5 trillion for creating digital infrastructure to provide mobile and broadband connectivity and plans are afoot to invest further Rs 0.5 trillion in fibre to home broadband network. 

With Bharatnet working to connect all 2.5 lakh Gram Panchayats covering nearly 6.25 lakh villages with a National Optical Fibre Network and provide a minimum of 100 MBPS broadband connectivity, data consumption is expected to surge further through both mobile and non-mobile platforms. All this shall result in creation of vast pools of data and there is an increasingly felt need to ensure that people (data principals) deserve legislation that ensures comprehensive protection. 

It is in this context that Government of India has constituted a committee for coming up with a Draft Data Protection Bill. On one end of the spectrum we have GDPR (General Data Protection Regulation) in Europe which completely focuses on data security and protection and on user control of data, on the other end of the spectrum we have the Chinese Cybersecurity Law which veers towards lending the state an upper hand in data processing. India’s draft Personal Data Protection Bill 2018 walks the royal middle path, seemingly wanting to empower both users as well the state (giving benefit of doubts) as far as personal data protection is concerned. 

First, the draft sets out detailed provisions for consent and explicit consent. On the other hand, there are provisions which dilute the right of data principals (individuals) completely such as Section 17, 22 and section 32(5). At the first step itself therefore this draft appears to be diluting individual rights. Secondly, it would be very difficult to comply in two years given the complexities involved. So there has to be a gradual approach, depending upon the size of the company, its turnover and the amount of PII (personally identifiable information) data that the entity would process in due course.  Thirdly, the committee had also identified a list of 50 statutes and regulations which have a “potential overlap” with the data protection framework. 

The proposed framework, therefore, suggests amendments in several laws, including the Aadhaar Act, RTI Act and IT Act. Considering the policy logjam due to increasing uproar in the parliament and impending election season, this seems to be a daunting task. 

Also for this to be effective on the ground, different regulators like RBI, SEBI, IRDAI, TRAI and others shall have to come out with their own guidelines which in itself shall be time consuming and which needs expertise from varied walks of life. Fourthly, as noted in an official dissent by certain members of the committee, Rishikesha T. Krishnan and Rama Vedashree, the provisions for keeping a copy of all data in India is concerning. 

This move towards data localization takes away from the open character of our global internet and is disproportionate to the benefits (if any) it would achieve. Fifth, there is a dire need for surveillance law reform in India. There was a small ray of hope that this effort would provide a comprehensive framework overhauling surveillance and interception in India – in consonance with the international standards on necessary and proportionate principles, along with providing proper judicial scrutiny. However, the report and the bill does not seem to provide substantive changes in the surveillance regime for data privacy in India. 

The brighter side of the act is the blue print provided for institutional capability that needs to be created. The Data Protection Authority (DPA) has been entrusted with the enforcement and effective implementation of the law. It will also categorize certain fiduciaries as significant data fiduciaries based on their ability to cause greater harm to data principals as a consequence of their data processing activities. Such significant data fiduciaries will have to undertake obligations such as Registration with the DPA, Data protection impact assessments, Record-Keeping, Data audits and Appointment of Data Protection Officer. 

Potential offenders could pay heed to the lofty penalties which are in the range of INR 5 Cr or 2% of the total worldwide turnover of the company in the previous financial year, to INR 15 Cr or 4% of the turnover. If an individual raises a complaint with a data fiduciary or company in question, and the fiduciary fails to comply with any request without reasonable explanation, it will be liable to a penalty of Rs 5,000 for each day during which such default continues, up to Rs 10 lakh. 

All these proposed steps aim at strengthening the voice of the consumer and empower them to address their data security issues. A journey of thousand miles starts with a single step. Although the act seems to have fallen short on certain aspects, this is a step in the right direction and I am hopeful that in the due course of process of stakeholder consultation and parliamentary debate, these issues will be sorted out and Indian consumer stands to benefit from the data protection and privacy regime. 

(Sarat Chandra Madala - Author is a professional working for Infrastructure Government and Healthcare Practice at KPMG)