For starters, take the mandate for data localisation. It requires “sensitive” and “critical” data to be stored on Indian servers. This raises several concerns. What is personal and what is sensitive is subject to interpretation. This matters because critical data can be shared with a foreign entity only with explicit consent and other requirements. One man’s “critical” is another man’s “sensitive”. Who decides?
Additionally, storing massive amounts of data in physical servers locally is extremely expensive. It will drive up costs and make it harder to do business in India — without proof of being effective in protecting data. Running data servers is a very high-cost initiative. It requires land, incredible amounts of uninterrupted power, advanced security measures, and more. Indian infrastructure is not currently equipped to handle this.
The Supreme Court
granted Indians privacy as a fundamental right in the landmark Puttaswamy
verdict of 2018. This means Indians should enjoy data protection — from all entities. The data protection Bill
has a curious exemption. The central government can grant access to select government agencies and override protections at any time. They will also appoint the overseeing authority, the Data Protection Authority (DPA). How is our information being protected if anyone from any government agency can seize data in local servers, at any moment? So, if we are not protecting data, why traverse this maze of regulatory hoops and hurdles?
Also, how will the PDP Bill affect Indian fintech industry? Indian fintech raised $7.4 billion in investments in the last decade and is a valuable contributor to the Indian and global economy. The PDB Bill’s restrictions on cross-border data flows could severely slow this industry down. In this digital world, cross-border data flows are integral to growing the economy. Data flows across borders raised global GDP by 3.5 per cent ($2.8 trillion) in 2014 and could reach $11 trillion by 2025 (McKinsey). Protectionist policies like data localisation will obstruct our growth (Bauer, 2013). Why not specify that data needs to be secured and protected? If there is justified cause for contest, procuring a court order will offer access to data — like in any criminal case.
Most products and services rely on the internet and cloud computing. The mobile economy contributes significantly to India's GDP. Digital India
could offer $1.3 trillion in business opportunities for the future. Light-touch industry-friendly regulations are the key to realising these dreams.
Unfortunately, the rules around consent might be too cumbersome for small- and medium-sized businesses. User consent contracts and agreements are standard practice. The new rules place all decisions around consent in the hands of the DPA and not organisations. Excessive reliance on consent to drive any data processing can create consent fatigue. Apart from lawyers, there are very few who read each word of their smartphone or app user agreements. Also, how will this affect third-party contracts? Detailed and specific consent gathering in all transactions will slow down and hinder business growth — except for compliance lawyers.
The PDP Bill also created a separate category of organisations called “social media intermediaries”. It is practically impossible to segregate purely “social media” organisations. Are news websites social media intermediaries? After all, they collect user comments. This move is also redundant since intermediaries (communication channels) are already covered under the IT Act, 2000, and Intermediaries Guidelines, 2011.
In the end, what problem are we solving? Placing more roadblocks to growth can hamper our economy and drive global investors away. Industry-friendly policies are the foundation that permits Indian enterprise to thrive and secure Indian job opportunities for the future.
(Research inputs by Chandana Bala)
The author is president of Broadband India Forum and founder & CEO of Advisory@TVR
Views are personal