Data Protection Bill set to bring yet another shock for companies

The debate and protests around the Citizenship Amendment Act and the National Register of Citizens have dominated headlines around the nation, and rightfully so. While public attention and the news cycle continue to revolve around the issue, the Ministry of Electronics and Information Technology (MeitY) has released a Personal Data Protection Bill.

Since reading the bill, Justice B.N. Srikrishna (chair of the committee that drafted the initial report on data protection) has claimed it to have the potential to turn India into an Orwellian State. The statement is based on legitimate grounds, and that should give most people sleepless nights.

The Personal Data Protection Bill does give the government the power to exempt itself from the legislation. It also gives the State significant powers to demand data, and also places significant restrictions on cross border data flows.

All of this is troubling on multiple levels and is being written about in columns and articles throughout India’s tech policy space. What is not getting enough attention, however, is that the bill is also bad news for the Indian economy, that too when it is the last thing India needs right now.

There are several counts on which the bill, in its current form, will have a negative impact on the economy. Most importantly among them, is the timeline for enforcement. The 2018 version of the Bill, provided for a period for adjustment and compliance before the enforcement of the Bill’s provisions. Section 97’s transitional provisions provided industries a period of 18 months before mandating compliance.

Having a defined period of time that affords industry the space to be in compliance is an objectively good policy. You could have a debate on how long that period should be, but it should be common ground to have a transition plan. For example, Europe’s Data Protection Law, the GDPR, was adopted in April 2016 but was enforced almost 2 years later, in May 2018.

What this tells us is that policy does not work like a light switch. Flicking it on does not always magically make sure that it will have the intended effects. The current version of the Bill does away with a transitional period altogether. This gives any company that collects data no time to adhere to the bill’s requirements. If implemented without a transition period, the bill would provide the government with grounds to penalise companies and impose punishments for not complying with directives that did not exist a day before the bill was introduced. Bangalore, being the hub of the Indian IT sector is likely to be impacted the most, with Mumbai, Hyderabad, and Delhi-NCR in tow.

Not only does the bill offer no transition period, but it also makes it a lot harder to carry out data processing outside of India. If companies want to outsource data processing of personal sensitive data to a different country, they need to do so under an intra-group scheme with the Data Protection Authority (DPA).

There are two things to consider here. Firstly, the DPA will be set up following the bill. Staffing it and providing it with the correct infrastructure and resources could take months from when the bill is enforced. Since there is no transition period, until the DPA is formed, companies who outsource data for processing would legally not be able to do so.

Secondly, even if the DPA is formed, there must be thousands of companies that would want to apply for an intra-group scheme, with new companies forming every month. It would put a lot of undue strain on the DPA to individually assess each company’s proposal and include them in an intragroup scheme.

This redundancy is going to impact small and medium enterprises a lot more than big firms. Big companies are likely to be able to afford to build processing capacity in India or afford costlier versions to maintain their standards. Small and medium enterprises, especially Indian firms, are not always going to have the money to comply within the given timeframe.

On a related note, the bill also creates three tiers of data, personal, personal sensitive, and critical personal data. While the first two are defined within the bill, critical personal data is not. As you would expect, critical personal data is going to be the tier with the most restrictions and burden of compliance.

For instance, while personal and personal sensitive data can be subject to cross border transfers, critical personal data is not. So it puts any company that deals with data under a lot of anxiety. It would force them to stay in limbo until the third tier is defined, and will have an impact on how they go about their day to day business.

The digital economy is inextricably linked with the traditional economy. All of this, removing a runway for compliance, placing redundancy-ridden restrictions on the cross border flow of personal sensitive data, and not defining critical personal data is bound to have a negative impact on the Indian economy. If the bill is passed in its current form, we are looking at FDI drying up within this sector. Big companies might have deeper pockets, but localization laws will also go a long way to make sure that they keep their India-bound spending and outsourcing in check. On the other hand, it is also likely to incentivize small companies and startups to register their businesses elsewhere. All of this is coming at a time when the Indian economy needs it the least.

The redundancy is going to impact small and medium enterprises a lot more than big firms. Big companies are likely to be able to afford to build processing capacity in India or afford costlier versions to maintain their standards. Small and medium enterprises, especially Indian firms, are not always going to have the money to comply within the given timeframe.

Rohan is a Policy Analyst at The Takshashila Institution. Views are personal.

This article was first published in Deccan Chronicle.