Why the Draft Data Bill needs stronger provisions for localisation of non-personal data

Source– The post is based on the article “Why the Draft Data Bill needs stronger provisions for localisation of non-personal data” published in The Indian Express on 19th December 2022.

Syllabus: GS3- Awareness in the field of IT

Relevance– Issues related to data in emerging digital space

News– The article explains the issues related to the fresh draft of the Digital Personal Data Protection Bill, 2022.

What are the positive aspects of the draft bill?

It is crisp, to the point and easy to read. It is the first attempt to define who can possess data and what their legal obligations are.

It doesn’t get into issues such as critical and non-crucial data. There is a very simple definition of personal and non-personal data.

The new draft is neither a copy nor an adaptation of Anglo-Saxon laws, like the EU’s General Data Protection Regulations or the CLOUD Act. It is designed for India’s requirements.

What are the issues with the bill?

Lack of clarity– There is still no clarity on the role and structure of the data protection board. It is not clear if it will be a regulator or adjudicator or how it will function independently.

Issues related to sovereignty– People concerned about data sovereignty have long been advocating the housing of servers within India. The draft appears far too focused on individuals’ privacy issues.

There can’t be a handful of global corporations accumulating data through ethical and unethical means. In many cases, they can manipulate the minds of consumers.

India has resisted the attempt by developed countries at international fora to bring in the seamless flow of data to facilitate the competitiveness of their corporations.

The UNCTAD Trade and Development Report (2018) says, “it is important for the countries to control their data and be able to use or share their data and regulate its flow.

Issues related to data transfer– Chapter 4 of the draft Bill deals with the transfer of data outside the country. It says that the Central Government may notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified. These words may make the job of trade negotiators difficult when free trade agreements with the US, EU and the UK are yet to be concluded.

What are the updates that are required for the bill?

The draft requires fine-tuning, including determining the quantum of penalties. The upper ceiling has been fixed at Rs 500 crore. There are global examples, where the penalties are determined as a percentage of their global revenues.

There is no knowledge of how Big corporations use the data accumulated by them and what products are made out of it. To curb these tendencies, there is an urgent need for data nationalism and localisation.

India needs to assert its sovereign right over non-personal data emerging out of Indian citizens and make it obligatory to share products with Indian players.

India must continue to stand its ground on e-commerce at various WTO ministerials in the context of transfer of data outside our country.

It would have been much better if the law didn’t leave important matters, such as the obligations of data fiduciaries once the data moves to foreign shores open to interpretation.

The draft talks about consent, deemed consent, and has provisions for withdrawal of consent. But, this is largely for personal data.

As of now, there is little clarity about how personal data can be converted into non-personal data. One just has to remove the identification labels to make information non-personal.