Personal Data Protection Bill: Will Lessons From The Chinese App-Ban Debacle Permeate Into India’s Imminent Data Privacy Law?

The Review Committee constituted by the Ministry of Electronics and Information Technology under the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 articulated several concerns by way of the queries served upon the Chinese apps which were blocked. These concerns range from the deployment of data collected for the development of artificial intelligence to age gating and compliance with the provisions of the General Data Protection Regulations of the European Union. 

From a reading of these questions, it is apparent that over the years, the expectations of ethical conduct and transparency which we have come to expect from large tech companies have far exceeded the threshold set by existing Indian privacy laws. This is compounded by the fact that most of India’s personal data protection laws are contained in the scantily worded Information Technology (Reasonable Security Practices & Procedures & Sensitive Personal Data or Information) Rules, 2011. In fact, if construed strictly, extant privacy regulations appear to regulate only sensitive personal data or information, a sub-set of personal information which can identify a person. With personal information not being regulated with the same stringent standards, the expectations articulated by the Review Committee appear to hold companies to a higher standard than what is expressly articulated.

To help companies adhere to standards which are expressly laid down by Indian statute, Parliamentary Committee on the Data Protection Bill, 2019 (PDP Bill) needs to articulate the expectations without lazily delegating the task of formulating definitions to regulatory authorities such as the Data Protection Authority as currently contemplated in the PDP Bill. The flaw in granting these powers to authority, rather than painstakingly setting this out in the law itself, is manifest in the current scenario. Without a statutory definition of what situations allow for the personal privilege to be overridden to ensure collective safety concerns, the government has to rely on self-disclosure even when battling a pandemic. An ad-hoc definition formulated by any authority would open the floodgates to litigation and constitutional challenges. 

To prevent a situation where the right to avail judicial recourse is viewed not as a last resort, but a step in the ordinary course when dealing with actions of regulatory authorities, legislators rather than regulatory authorities need to set out unambiguous compliance expectations. These tasks cannot be relegated to the executive arm of the government. To this end, Indian legislators have always been burdened with the responsibility to ensure that its delegated legislation does not confer such unfettered powers to authorities that they define standards arbitrarily. On the one hand, delegating powers to a regulator allows for definitions to evolve rather than have archaic law play catch up with technology. On the other hand, if a regulator acts perversely, a definition or regulatory action may favour or prejudice an industry leaving open only judicial recourse.

If India intends to take concrete steps towards improving the ‘ease of doing business in India’ the lack of codification of expectations of the Indian government in India’s new privacy law would be conspicuous by its absence. It would be only fair for technology companies eyeing India as a potential market to expect transparency of the process, and be subject to compliance thresholds set by law rather than defined by a regulatory authority which often has unintentional consequences.

Where India intends to apply differential standards to companies that are owned or beneficially controlled by countries with whom India has strained geopolitical relationships, such differential treatment must be backed by the sanction of the statute and must meet the touchstone of “intelligible differentia”. In all imaginable scenarios, whilst the task of enforcement of law can be delegated to the executive arm, the standard has to be clearly defined by legislation.

If India hopes to attract foreign players in the technology industry, foreign companies cannot be expected to scramble to align their compliance protocols to vaguely defined expectations of privacy standards or end-use restrictions on data belonging to Indian data subjects. It is, therefore, trite to expect the PDP bill to directly address the uncertainty that India’s data handing related expectations have caused technology companies in India.