Context: The Reserve Bank of India (RBI) on Friday asked card companies American Express and Diners Club International not to get new domestic customers onboard from May 1 as they did not adhere to the guidelines on local data storage. 
“These entities have been found non-compliant with the directions on storage of payment system data", the RBI said in a notification on its website. This local data storage obligation is similar to the one proposed under the Personal Data Privacy Bill which were objected to by MNCs. In this edition of Big Picture we analyse the Personal Data Protection Bill. 

Need for new data protection regime

• The need for a more robust data protection legislation came to the fore in 2017 post the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy (Retd) v. Union of India.
• In the judgment, the Court called for a data protection law that can effectively protect users’ privacy over their personal data.
• Consequently, the Committee of Experts was formed under the Chairmanship of Justice (Retd) B.N. Srikrishna to suggest a draft data protection law.
• The Personal Data Protection Bill, 2019, in its current form, is a revised version of the draft legislative document proposed by the Committee.

Issues with the existing data protection framework

• The Information Technology Act, 2000 governs how different entities collect and process users’ personal data in India.
• However, entities could override the protections in the regime by taking users’ consent to processing personal data under broad terms and conditions.
• This is problematic given that users might not understand the terms and conditions or the implications of giving consent.
•  Further, the frameworks emphasise data security but do not place enough emphasis on data privacy.
• As a result, entities could use the data for purposes different to those that the user consented to.
• The data protection provisions under the IT Act also do not apply to government agencies.
• Finally, the regime seems to have become antiquated and inadequate in addressing risks emerging from new developments in data processing technology.

How the new regime under Data Protection Bill 2019 is different

• First, the Bill seeks to apply the data protection regime to both government and private entities across all sectors.
• Second, the Bill seeks to emphasise data security and data privacy.
• While entities will have to maintain security safeguards to protect personal data, they will also have to fulfill a set of data protection obligations and transparency and accountability measures.
• Third, the Bill seeks to give users a set of rights over their personal data and means to exercise those rights.
• Fourth, the Bill seeks to create an independent and powerful regulator known as the Data Protection Authority (DPA).
• The DPA will monitor and regulate data processing activities to ensure their compliance with the regime.

ISSUES
Commercial and Political consequences of the Data Protection Bill (DPB)
Data Collection related issues  

• First- Bill will negatively impact the emerging technologies market of India dealing in the creation, use, and sale of data that is valued at $1 trillion by 2025.  
• Second- The bill requires digital firms who want to operate in India to obtain permission from users before collecting their data.  
• Third– Bill also declares that users who provide data are, in effect, the owners of their own data and may control its usage or request firms to delete it.  
• European internet-users are able to exercise a “right to be forgotten” and have evidence of their online presence removed. 
• Fourth– The bill allows the government to use “critical” or “sensitive” personal data, related to information such as religion, to protect national interest. 
• Fifth– Open-ended access to government could lead to misuse of data. Mr. B N Srikrishna, the chairmen of the drafting committee of the original bill, warned that government-access exemptions risk creating an “Orwellian state”.

2. Issues related to Establishment of Data Protection Authority (DPA)  

• Bill aims to establish a Data Protection Authority (DPA), which will be charged with managing data collected by the Aadhaar programme. 
• Authority will consist of a chairperson and six committee members,  
• Members will be appointed by the central government on the recommendation of a selection committee.
• Members will be selected from senior civil servants, including the Cabinet Secretary. 
• The government’s power to appoint and remove members at its discretion provides it an ability to influence the independence of agency.
• Unlike similar institutions, such as the Reserve Bank of India or the Securities and Exchange Board, the DPA will not have an independent expert or member of the judiciary on its governing committee.
• The UIDAI, for its part, has a chairperson appointed by the central government and reporting directly to the Centre.

3. Issues related to government use of data for surveillance

• There are instances that suggest, India is acquiring some features of a surveillance state. 
• As stated by the Union Home minister recently, police used facial recognition technology to identify people after the anti-CAA protests and the Delhi riots. 
• There is a high possibility that police was matching the video offstage with the database of Election Commission and e-Vahan, a pan-India database of vehicle registration.

4. Issue related to the safety of data 

• There are instances of controversy where the government has shown a casual approach towards data safety and privacy of its citizens:  
• First, Safety concerns were raised during aadhaar data collection, which stores biometric data in the form of iris and fingerprints which is a violation of the right to privacy.  
• Second instance was of Aarogya Setu contact-tracing app which was allegedly not able to protect the data provided by citizens.  

Advantages

• Data localisation can help law-enforcement agencies access data for investigations and enforcement.
• As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties”.
• Accessing data through this route is a cumbersome process.
• Instances of cyber attacks and surveillance will be checked.
• Recently, many WhatsApp accounts were hacked by an Israeli software called Pegasus.
• Social media is being used to spread fake news, which has resulted in lynchings, national security threats, which can now be monitored, checked and prevented in time.
• Data localisation will also increase the ability of the Indian government to tax Internet giants.
• A strong data protection legislation will also help to enforce data sovereignty.

Disadvantages

• Many contend that the physical location of the data is not relevant in the cyber world. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
• National security or reasonable purposes are an open-ended terms, this may lead to intrusion of state into the private lives of citizens.
• Technology giants like Facebook and Google have criticised protectionist policy on data protection (data localisation).
• They fear that the domino effect of protectionist policy will lead to other countries following suit.
• Protectionist regime supress the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
• Also, it may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India.

Road Ahead

• The bill is a step in right direction. It is in our interest to shown that India data is stored on Indian shores. The MNCs are against it as they not want to abide by the law of the land. Just like how Australia has gone after the tech giants we too have to ensure that we don't give them a free hand. Concerns that the bill gives govt. the blanket pass to access citizen's data are not justified as there are sufficient safeguards in the bill. We have to push for these reforms because it is in everyone best interest.