Like the EU, India must regulate data effectively
The General Data Protection Regulation (GDPR) is a game changer in tech policy. India must follow suit
The European Union’s General Data Protection Regulation (GDPR) is considered a game changer in the technology policy world today. It has pushed several countries, including India, to adopt a regulatory stance towards personal data. The Justice Srikrishna Committee deliberations, leading up to the Personal Data Protection Bill (PDP Bill), is a reminder of the powers that this stance can vest with the bureaucracy. The proposed Data Protection Authority can investigate and adjudicate contraventions, formulate rules and monitor compliance, and evaluate ex ante whether a proposed processing of personal data merits course correction.
Regulation is not coterminous with micromanaged legislative prescriptions. Such prescriptions are counterproductive, especially when regulating new technologies that demand greater scientific expertise. India’s experiences with food safety and the environment testify to this fact.
Amid GDPR conversations, we look beyond advances in the EU towards “better regulation”. This initiative aims for regulatory outcomes at minimal cost. As part of the exercise, policy design and preparation, adoption, implementation and monitoring, evaluation and revision are subject to evaluation. This evaluation involves checks on how prior interventions advanced policy goals, impact assessments that deliberate upon alternative choices and their projected consequences, and collective consultations when the subject matter involves multiple regulatory or policy actors.
Take, for instance, the data localisation debate here. RBI’s April 2018 directive on storing financial transactions data locally hit the payments industry like a bolt from the blue. But this was only the beginning of episodic interventions that soon revealed how chequered policymaking can affect the borderless and free nature of the Internet. The PDP Bill came next, stipulating server localisation for an undefined category of “critical personal data” which could be carved out ad hoc from a broader category of defined “sensitive personal data.” A new (and now redacted) e-commerce policy followed, prescribing a sunset period of two years within which all e-commerce data ought to be localised in India.
Oddly, none of these interventions exhibited consistency over the underlying policy rationale. Did the rationale emanate in a heightened ability to access data for law enforcement purposes? If so, no actual figures were forthcoming on cybercrimes where law enforcement suffered because of the server being located elsewhere. If, on the other hand, the rationale was to bolster investments in indigenous artificial intelligence technologies like China did, it was unclear how mere data residence in Indian servers would help when such data continued to be under private control, or how the various other parallel initiatives China had embarked on could be conveniently forgotten when making this case.
Today’s digital economy demands mediating interests of both the Centre and states as it operates in domains that fall within the state or concurrent list under our federal scheme. It also demands a vibrant consultative process between multiple regulators to avoid turf war. The telecom regulator has been excessively expansive, transgressing into domains traditionally within the purview of the competition commission or ministries of electronics/information technology, and information and broadcasting. As the digital economy grows, such regulatory incentives to overstep are but natural.
To address comparable concerns, the EU has tightened its “better regulation” approach with the “innovation principle.” This principle requires assessing innovation effects of policy positions, thus ensuring that regulatory tools and design promote rather than hinder innovation. Thus, proportionality assessments to determine least burdensome solutions, temporary and experimental regulations, and the opportunity for industry players to challenge norms and present alternative frameworks, keeps in mind the centrality of health, environment, and consumer safety for any regulation. India must work towards a similar regulatory culture, prioritising collective consultation over siloed responses and a unifying innovation impact principle.
TODAY’S DIGITAL ECONOMY DEMANDS MEDIATING THE INTERESTS OF BOTH THE CENTRE AND STATES AS IT OPERATES IN DOMAINS THAT FALL WITHIN THE STATE OR CONCURRENT LIST UNDER OUR FEDERAL SCHEME