Second-order effects of the Personal Data Protection Bill


Besides the obvious privacy concerns, the PDP bill comes with other attendant ramifications on essential domains like foreign investment, law enforcement, national security and data infrastructure.

The provisions of the Personal Data Protection (PDP) Bill, presented in Parliament earlier this month and referred to a Joint Parliamentary Committee for examination, have received significant coverage in the media because of what they mean for protection of personal data and concerns around state surveillance. The topic of data privacy became a public discussion ever since the Cambridge Analytica scandal broke out in March 2018. Since then all major countries have enacted regulations to either regulate use of data (EU’s GDPR in May 2018; China’s Data Protection Regulatory Guideline in June 2019) or gain access to data (the United States’ CLOUD Act in March 2018).

India’s PDP Bill lays down provisions for preventing misuse of personal data. It mandates where data can be stored and processed and also grants the government power to obtain non-personal data from companies. But if we’re to look beyond the obvious, the law, once passed, could have significant implications for foreign investment, international trade and national security.

Foreign Investment

A law like this can easily be seen as anti-competitive and unfriendly towards foreign investment. Foreign players bring the latest technology and innovation to the country. Making it difficult and expensive for them to set up shop in India will discourage them from investing by increasing their cost of doing business — investment in local data centres, loss of economies of scale, manpower investments and concerns around oversight by regulators. In this globally networked world, it is foolhardy to believe that we don’t need global technology companies and that only Indian companies are best placed to solve Indian problems.

On the other hand, it is also important to consider that a large underdeveloped consumer market like India is a scarce commodity in global trade and access to it should come at a price. Drawing parallels, we find that in the retail sector, local sourcing norms exist in an effort to boost Indian industry. Similarly, joint ventures between a local and a foreign partner typically have technology transfer clauses built in to allow the local partner to learn from the technical expertise of the foreign partner. Hence, if foreign companies have to start investing in local data centres and train Indian engineers to manage them, it would be a fair price to pay for accessing one of the world’s largest consumer markets.

India is Facebook’s largest market with 270 million users as of July 2019. Facebook has 15 data centres globally of which 10 are in North America, four in Europe and one in Asia (Singapore). Is it unreasonable to expect Facebook to set up a data centre in India? For the first time, India installed more mobile apps than any other country in the world — 4.5 billion in the first quarter of 2019, ahead of the U.S., and TikTok was India’s most downloaded app. It is no surprise then, that in July 2019, ByteDance, TikTok’s parent company, announced that it planned to set up a data centre in India.

Hence, a positive outcome that may arise out of data localisation requirements is the need for companies to invest in better data centres and networking infrastructure. Incidentally, the Adani group recently announced a tie-up with a U.S.-based provider of data centre solutions to set up data centre infrastructure in Hyderabad.

National Security

Where there is money, international trade and technology, geopolitics can’t be far behind. India is not alone in thinking that it can benefit from enforcing data localisation. Indonesia, with its fast-growing online population, has also considered data localisation requirements but had to go slow under pressure from the U.S. when it threatened to roll back preferential trade terms. The U.S. has also openly criticised India’s localisation norms, stating that they “would serve as significant barriers to digital trade between the U.S. and India”, and the international media is replete with analysis on how localisation requirements would harm international trade.

Unstated in the PDP Bill is the government’s concern that dependence on other countries for essential infrastructure can harm its national interest. The United States’ hegemonic attitude and security concerns when dealing with China make it imperative that India protects its data sovereignty. For instance, in late 2018, Belgium-based SWIFT, the messaging system that forms the backbone of international financial transactions, announced that it would be disconnecting some Iranian banks’ access to its messaging system. This was done under pressure from the Trump administration and SWIFT described its own move as “regrettable” but said that it had been done to maintain the stability and integrity of the global financial system.

It follows thus that India needs to remain unfazed and continue to do what is best in its national interest.

Law enforcement

Data localisation is not an end in itself and economic benefit is certainly not the only thing the government will have in mind when it presents the bill in Parliament again. Arguably, the biggest beneficiary could be Indian law enforcement agencies, who could get access to data for anti-terrorism purposes without having to go through international channels. Currently, law enforcement agencies face a genuine challenge while trying to access personal data from companies that are subject to U.S. laws.

By requiring companies to store data locally, the government will solve only the first piece of the puzzle. We would still require legislation to compel technology companies to decrypt encrypted communications. And that is easier said than done. In one of the most famous instances, in 2016 the Federal Bureau of Investigation (FBI) wanted Apple to create software that would enable the FBI to unlock an iPhone it had recovered from one of the shooters in a terrorist attack that killed 14 people and injured 22. Apple declined to create the software and the FBI took Apple to court (a day before the hearing was supposed to happen, the government obtained a delay, saying they had found a third party able to assist in unlocking the iPhone).

The PDP Bill is a step in the right direction for India. But to reap its benefits without discouraging foreign investment and restricting access to innovation, the government must avoid shifting goals and be clear on what principles guide the policy (personal data privacy, national security and investment in infrastructure) and who the beneficiaries are (citizens and law enforcement agencies). India is not alone in enacting data protection laws and if the government implements the procedure well without losing sight of the key objectives, we all stand to benefit in the long run.
