Wider debate needed on major changes in data protection law

With the developments in Kashmir and the economy dominating so much of the national discussion, it can be hard to keep track of what is happening about tech policy. One thing that might slip through the cracks are the changes in the Data Protection Bill. According to a recent report by Medianama, the ministry of electronics and information technology, or MEITY, is privately seeking responses to new questions from select stakeholders.

The Data Protection Bill is going to be profoundly important in India’s tech policy landscape, going forward. It will tackle issues around data privacy, data protection and data processing, all of which have never been discussed at length in Indian law. Based on inputs received from the Srikrishna Committee report, it will also focus on data localisation. So when MEITY initially asked for feedback on the draft data protection bill, it received over 600 comments from individuals and organisations. For this round of comments, the ministry has reached out to only 10-15 stakeholders.

This raises a host of questions and concerns about the process. First, as Medianama puts it, why the secrecy? With over 600 comments being submitted, the bill is clearly an issue with a significant amount of public interest. MEITY and its bureaucracy could argue that 600 submissions are a lot to process, and not all the comments are relevant to the process. But for a piece of legislation this important, it is surely better to have too many inputs instead of picking and choosing which voices you would like to elevate. There is also not a lot of transparency in the process. How does one figure out the basis on which these 10-15 stakeholders were selected? This is not to imply that the participants asked for feedback are not a decent sample of stakeholders. But this could have been done better had a rationale/basis behind the selection been provided.

Not knowing why some people have been selected and the others ruled out matters more when the bill has sweeping changes. The new version of the bill is reportedly going to address issues in e-commerce and community data. Both these topics were not a part of the Srikrishna Committee or the October consultation process. It is unclear what the bill’s stance might be on both these matters. To make an educated guess on e-commerce, the bill might condense and borrow aspects from the draft e-commerce policy from earlier this year. It is anyone’s guess what those aspects might be, but it does narrow down the list. As for community data, there does not exist such a precedent. It is frankly shocking that the consultation has been labelled as “clarifications” in the bill. If entire new industries are being addressed under the document, then surely it should be classified as additions/revisions, and thus call for comments from all stakeholders. It might not have been acceptable to have a selection of stakeholders for a round of clarifications on data protection. And that is even more so when it comes to picking and choosing stakeholders regarding legislation that has such substantial changes.

This lack of transparency also makes one question the importance given to the comments submitted earlier. There is clearly value in having documents that present the perspectives of stakeholders across the industry, academia and civil society. But given the recent turn of events, who can say whether these perspectives have been reflected in the new version that is being circulated for feedback. The idea here is not to give credit to organisations/individuals who may have caused tangible changes in policy. Instead, it is to ensure that the process that goes into finalising the document is truly multilateral.

The final version of the policy will still have winners and losers. No legislation is objectively perfect. This is especially true in technology, where most laws find it hard to keep up with rapid advances in the industry. If the industry wins through lax laws on data privacy, civil society arguing for stronger privacy laws will de facto lose. What the consultations should then aim for is to reflect that different views on subjects were considered before making trade-offs in favour of one over the other.

What makes this situation even more bizarre is that up until this point, the process has been fairly transparent. The Srikrishna Committee’s recommendations were comprehensive and publicly available. As was the first round of comments in October 2018, even though the comments submitted were not made available to the public. Why then has the second round of inputs been restricted to just a few people without any explanation? Not allowing public comments while adding e-commerce and community data to the mandate is going to have negative implications when the bill finally comes out. A large share of stakeholders in academia, industry and civil society are going to have fundamental disagreements on the way this was carried out, as well as its contents.

Indian policy towards all things technology is slowly catching up with advancements. As new legislation comes out regarding other emerging technologies such as artificial intelligence, fintech, and the Internet of Things, it would make sense to involve multiple perspectives while designing it. Failure to do so is likely to have an adverse impact on the adoption of these technologies and, by extension, India’s development.

This article was first published in Deccan Chronicle. Views expressed are personal.