Assessing India's Digital Personal Data Protection Bill

Audio of this conversation is available via your favorite podcast service.

This week, Indian legislators approved a data protection law that will govern the processing of data in the country. The Digital Personal Data Protection Act creates a data protection board and gives the government new powers, including to request information from companies and to issue orders to block content. While there is still work to do to determine how the law will be administered, it joins a range of new tech policy laws and regulations enacted against a backdrop of the increasing centralization of power in India’s government.

To discuss the law, I'm joined by Aditi Agrawal, an independent technology journalist based in New Delhi; Kamesh Shekar, a tech policy expert who leads the privacy and data governance vertical at The Dialogue, a think tank based in Delhi; and Prateek Waghre, the Policy Director at the Internet Freedom Foundation, a digital rights advocacy organization based in India.

Thanks to Tech Policy Press Program Manager Prithvi Iyer for his help on this episode. What follows is a lightly edited transcript of the discussion.

Justin Hendrix:

I am so pleased to have the three of you on this podcast to talk about developments in India around its Data Protection Bill. I have had the opportunity myself to visit India only twice in my life. One of those times was this year, where I did have the opportunity to meet both Prateek and Aditi in person. Kamesh, I sadly missed you on this trip, but hopefully next time I'll have the opportunity. But, Aditi, I want to start with you as the journalist, the reporter on this call. Can you just tell folks what has happened over the last week?

Aditi Agrawal:

So, the big headline is that India's privacy bill, or as the government would want us to believe, just the part of the bill that focuses on digital personal data, that cleared both houses of the Indian Parliament. And it took the Indian Parliament less than two hours to clear it in both houses. So, it was introduced last week on August 3 in the lower house. That's the Lok Sabha. Then, the discussion happened on Monday and it took them 51 minutes to clear without any amendments. Then yesterday, in the upper house, that's the Rajya Sabha, it took them another 68 minutes to clear it.

What's to be noted is that, in both cases, the opposition of this country wasn't there in either of the houses. So, this was passed with unanimous voice votes. Ironically enough, for the Digital Personal Data Protection Bill, we won't ever have data about how many members of Parliament voted for the bill and how many voted against it. But, at least, looking at the videos or the livestream of the parliament, it passed unanimously.

Now, a week before that, on July 26th, there's something called the Standing Committee on Communications and Information Technology. It's a parliamentary committee that has members from both the houses. They passed a report approving the 2022 version of the bill, which was released for public consultation by the Ministry of Electronics and Information Technology of India in November 2022.

However, what was interesting about it, that all lines read that the parliamentary committee has approved the bill and they seem to suggest it was the latest version of the bill, which would go before the members, before the open house. But, what was approved was the 2022 version of the bill. And before the bill was introduced in parliament last Thursday, nobody had seen a 2023 copy.

So, this 2023 copy is vastly different from the 2022 version of the bill. Yet, no public consultation has happened on it. So, some of the key differences are how exemptions are imagined, how the concept of processing personal data without consent which then turned to deemed consent and is now in a section called legitimate users has been reimagined. What has happened to the Right to Information Act, which is the equivalent of the American Freedom of Information Act, so all those things haven't undergone enough consultation.

Justin Hendrix:

Kamesh, I want to come to you. You penned an analysis of the Personal Data Protection Bill, which compared the '22 version to the '23 version, and also I think fairly clearly laid out all of the various new authorities that are created by this legislation. Can you give us the basics? What are the new bodies, authorities, titles, et cetera, that are created for government officials and for companies?

Kamesh Shekar:

That's a great question. Specifically speaking about the new bodies that have been created, there's two things which are significantly out there. There's that we will be having a Data Protection Board and we will be having an Appellate Tribunal. So, just first, coming to the Data Protection Board itself, this is not an authority that India is going to be forming. It's an adjudicatory party which has been reemphasized by ministers, and reemphasized in the bill as well, that they're just going to be adjudicating the complaints and other grievances which comes to them.

One of the key difference within the 2023 version is that, just like last time, '22 version, as Aditi mentioned, there was no clarity in terms of how the composition is going to be, and et cetera, and stuff. Though they've given a little bit of direction in terms of what's the term of office, removal, and composition, and et cetera, and stuff.

But, the functions of the Data Protection Board has been significantly diluted in the recent version, where it is nothing related near to the authority, which was actually part of the 2019 version, which is the Personal Data Protection Bill itself. So, why this distinction is very important is because of the key functions like awareness building, giving advices to the state government or the central government who are the biggest data fiduciaries in India in terms of handling data. And these kinds of key functions, which were part of the Data Protection Authority's perimeter, has been now removed.

And moving on to the next aspect of the Appellate Tribunal. As already mentioned, there's a significant change from the 2022 to 2023, is that there is an Appellate Tribunal where you can actually appeal on the board's decisions to the tribunal. But here, the concern is that this has been referred to the telecom regulators' tribunal, which is the TDSAT, in India. The key problem here, which we actually face, would be that the pluralistic aspect of India has different data fiduciaries and data principles, and their concerns are so different.

So, when TDSAT is already looking into telecom as well as IT, putting another pressure over the same appellate tribunal might have capacity concerns. Plus, data protection is in a niche topic, and having a TDSAT, kind of like an appellate tribunal to take such a role, might actually... we will also find technical capacity issues there.

Justin Hendrix:

So, let me just try to get a little more specific for some of my listeners who are in the US, who are in Europe perhaps. Let me ask you a question just about how this thing stacks up against perhaps what some folks think of as the gold standard for data protection legislation, the GDPR. How would you compare it to GDPR? I understand there's also trace hints perhaps of the California Consumer Protection Act may be influencing this bill as well. How would you describe it vis-a-vis GDPR?

Kamesh Shekar:

This bill is a little bit, significantly a little, different from what the other counterparts have done, which has been also flagged by a lot of experts recently also. Comparing this with GDPR itself is that GDPR I would say, that as a legislation, has been very much on the side of a lot of data protection. But here, with what the premises of the bill has been within India, is that how can we actually balance both privacy as a right as well as how can we actually unlock the potentials that the data actually could provide.

So, can give you some quick examples there itself is that the cross-border data transfer aspect, which is one of the key aspects when it comes to GDPR, because the concerns we all know. So, in India's case, we have evolved very significantly, where maybe we started from a place where it was data localization, a hard data localization. Now, we have come to a place where the bill states that you can transfer the data out to anywhere unless the government comes and says, "Hey, this particular country, maybe not." We upload the notification.

So, that itself is a significant difference from what the GDPR does in terms of adequacies, and et cetera, and stuff. Still, we think there is going to be some room there, but that is not very clear within the bill. But, at this moment, data transfers can happen.

So also, I think giving a little bit in there in terms of international aspect itself, is that India's also moving towards a sectoral data localization. Because the same provision on the cross-border data transfer also speaks about how they actually acknowledge the sectoral regulations. And some of the sectoral regulators in India, RBI, which is the central bank, and the insurance regulators, already have data localization in place for certain functions of the financial services.

So, they have acknowledged that will also apply. So, this is a little bit near to what Australia does, if I'm not wrong. Australia has a certain level of data localization for health data. It's similar. If I happen to compare it with the global benchmarks, these are some of the key areas which comes into the picture.

Justin Hendrix:

Prateek.

Prateek Waghre:

I know we tend to sometimes refer to it, and I've seen a lot of conversations calling it, the privacy bill. And I think one of our perspective has also been that, as the name suggested, it's a digital Data Protection Bill, Digital Personal Data Protection Bill. Aditi pointed that out.

If you look at the preamble of the bill, it curiously starts with the phrase, I won't read the whole thing but I'll just read the first line, which says, "To provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and then the need to balance it with other things." So, if you look at that, and if you just were to judge it slightly based on where it's prioritizing things, one could infer that the processing of data is up there. So, as Kamesh pointed out, that GDPR takes a more data protection approach, my assessment of this is that it takes a more data processing approach. You could even call it the Digital Personal Data Processing bill.

The other thing, just broadly in terms of approach, is that GDPR is pretty prescriptive in a lot of ways. Now, yes, that comes with some trade-offs and there are I think legitimate conversations to be had about how prescriptive GDPR is. But, I think with this bill, we seem to have gone the other extreme in the sense that it's pretty light on specifics. The term that they use is 'saral,' which is Hindi for 'simple.' And that expands into, I think, simple, actionable, rational. And I'm forgetting what the last is. Accessible. I may have flipped the order around, but broadly that's it.

And the idea is that, look, it could be principle-based regulation and we'll be able to move in a nimble manner through rulemaking. And that, to me, is concerning because, if you zoom out, it's part of the broader picture of how we are seeing technology legislation evolve in India. In the guise of being simple, you're losing specifics, you're also losing safeguard. And that is something that is not clear to me in the sense that the goal is, yes, it should be understandable, it shouldn't be something that only lawyers can understand. That's a laudable goal.

Where I defer is that I don't see that as being mutually exclusive with having safeguards in there, or specificity, or clarity on a lot of things. It doesn't necessarily mean that it's vague. And in that sense, what's also happened is that the bill has identified 25 plus one matters for rulemaking. And I'm saying 25 plus one because there are 25 that are somewhat specific and one that says we will decide what else we want to do. And what that broadly means is that, at this point, a lot of the specifics we don't know in terms of how they work. And because it'll happen through rulemaking, there is a lot of discussion and control with the executive, that it's not clear at this stage whether those will go through a consultation process. And the consultation process around this is a whole other thing. We should probably get into that at some point as well.

But, I think that's an interesting contrast I did want to point out in terms of the approach of framing this legislation. Because I also see it being a broader part in terms of how future legislation, and especially technology legislation, in India is going to be drafted. And the concern is that there's a lot of discretion with the executive.

Justin Hendrix:

Well, you've already tipped your hand, I suppose, to your views on this, or IFF's views, your organization. Fair to say, disappointed? You have written, "in its present form, the DPB does not sufficiently safeguard the right to privacy and must not be enacted." Fair to say IFF was opposed to this.

In terms of the failures that you see, one thing that you just mentioned is public consultation, questions around public consultation. The IT minister said that the bill had gone through a significant amount of public consultation, referenced dozens of organizations that were consulted, dozens of ministries, as many as 24,000 I suppose individual consultations. Is it your view that there was an opportunity for India generally to weigh in on this legislation before it came to this point?

Prateek Waghre:

Yeah, I'll come in there because I think it's also important to understand that this process has been going on for a lot longer right now. Yes, there were previous drafts for a privacy bill under a previous government which had been handled by the Ministry of Personnel. But, this particular process, I think, you could trace it back to 2017 where you had the Puttaswamy judgment, which reaffirmed the right to privacy as a fundamental right in India.

And since then, we've had multiple versions of a Data Protection Bill, one put out by the Justice Srikrishna Committee, one that was then introduced by the Ministry of Electronics and Information Technology in Parliament in 2019. That was then referred to a joint parliamentary committee, or joint committee of parliament, on the, I think it was called PDP at the time, the Personal Data Protection Bill. They presented a draft version in 2021.

Now, through a lot of these phases, there was the opportunity to provide input. But, what I will say is that, through these iterations, people have pointed to the same structural issues with the bill, similar set of structural issues throughout, in terms of the amount of the scope of the exemptions that have been granted to the union government and to government instrumentalities in general, the independent Data Protection Board, and a couple of other things. These have been retained through multiple iterations of the bill. And unfortunately, in many instances, has gotten worse.

So, it's one thing to say that, yes, there have been opportunities to provide feedback about the bill. But, if you're consistently seeing that the concerns you're raising are not only not being addressed, they're actually getting worse, then it does leave you with a lot of questions. That and I think, for a lot of people who had concerns I think around the bill, I think at this point I'm being a little flippant about it, but at this point when we look into a mirror, we probably see a broken record. Because we've been seeing similar things for multiple years over the structural issue with the bill and a lot of them really haven't gotten better.

I just want to also make a quick point on this particular consultation, which the minister also referred to. The report that they referred, I think, gave some specific numbers in terms of 45 government departments and ministries. And I think the number quoted in the report was 21,666 comments.

The thing to note is that with the public consultation for the 2022 bill, what the ministry also said is that, "Hey, we will not put out the comments in the public domain." And under a request under the Right to Information Act, the equivalent of the Freedom of Information Act in the US, they then denied this consultation responses essentially on the ground... I'm paraphrasing, but on the grounds of that, "Look, we said we won't provide it. Therefore, we're not going to provide it."

But, that also makes it difficult for you to understand what position different stakeholders took on different crucial aspects of the bill. It's also difficult to understand why certain clauses, or certain approaches, have gone from what they were in the draft bill, the 2022 draft, to the 2023 version of the bill. So, all of that is unclear.

So, it's one thing to say that, "Hey, there's been opportunity to provide feedback." But, if you're not listening to that feedback, and you're not being transparent about the type of feedback you've received, that rings a little hollow.

Justin Hendrix:

So, I want to come to Aditi. I'm going to ask you about a question, and maybe that slightly relates to what Prateek is talking about about the degree of influence on this and the degree to which you understand what the forces that were acting on the legislature as it went through different permutations. What about industry? A Bloomberg reporter called this bill a boon to Google and Meta. I guess first, do you see it that way? And do you suspect that there was a heavy hand of industry in this final version?

Aditi Agrawal:

The short answer to your question is yes, this is a very industry-friendly bill. If we look at how the bill has evolved from the 2018 version of the bill, which is for the committee, the Justice B. N. Srikrishna Committee had produced, to now, we have undergone five iterations. And each successive iteration is better for the industry and worse for the society at large. So, that balance has always been tilting in favor of digital economy and technologization, I would say, rather than in favor of protecting the right to privacy of citizens.

And that is also evidenced by the fact how both the Senior Minister Ashwini Vaishnaw as well as the junior minister Rajeev Chandrasekhar have been talking about this bill, that this bill will empower companies to make use of data and therefore shore up India's digital decade. That's the catchword, that's the catchphrase you have. So, if you look between 2018 and now, some of the issues that have been resolved include issues related to regulatory overburden on data fiduciaries. That's practically one. There are basically no compliance guidelines left for a data fiduciary.

Then, the question of data localization, we went from a hard data localization, to a soft data localization, to a confused data localization. And now, we have a blacklist approach. So, what's going to happen in this blacklist approach presumably is that countries like China, Pakistan of course, will not be our partners. But, countries such as the EU and US will. A process hasn't been laid out. Will we go through an adequacy check as the EU does? We don't know. But, even if we do, the other bills are definitely better.

The only issue that's left for the industry is the issue around children's data. And that's an issue that we are facing globally, whether it be in COPPA, whether it be in the EU. It's not clear how age verification would work. Would age verification lead to erosion of privacy of say not just children but their guardians and their parents? So, that's an issue. But then, that's a universal one.

Now, what has remained same, almost the same between 2018 and now, is what the exemptions look like. And what has worsened over time is the safeguards that were imposed on the government. What's worsened is the independence of what was earlier the Data Protection Authority, it has now been turned into a board. So, it has been divested of all rulemaking powers.

So, between 2018 and now, we have seen a shift where, in 2018, bulk of the rulemaking powers, that is the delegated legislation that Prateek was talking about, lay with the Data Protection Authority. Now, there's no rulemaking power with the Data Protection Authority. And I believe there are only two sections where Data Protection Authority has advisory role to the central government. Otherwise, it acts as an adjudicating body.

And even when it comes to its adjudication, there is this interesting concept of a voluntary undertaking that the 2022 version introduced, and which has been retained in almost its entirety. That's the concept of, as I said, the voluntary undertaking, which is where the Data Protection Board finds a data fiduciary guilty of a personal data breach. The data fiduciary's representative gives a voluntary undertaking that, "Oh, we are sorry. We won't do it in future," and they get away scot-free. So, there's that.

What has worsened? How we envision consent, that has worsened. What has worsened? We are not talking about harms at all. We are talking about only loss and gain in financial terms. The data principle is no longer at the center of the bill. It's the data fiduciary, which is a huge problem when you are dealing with a legislation that's supposed to protect a fundamental right. In terms of what's worsened is also introduction of two other clauses. One is the changes to the Right to Information Act, which basically now says that, if there's any personal information that can be given out, the public information officer can deny you that information. And this is information related to the government.

So, how would this play out? I'm looking for the educational qualification of a prime ministerial candidate. I want confirmation on whether or not he or she is actually qualified and what those qualifications are. Those would be denied because it's his or her personal data. Therefore, the university, as a data fiduciary, cannot violate that sacrosanct bond. Another one is that the journalistic exemption has been removed. How will that play out? They'll hold a journalist like me up and say, "Where did you get that information? Expose your sources. Otherwise, we'll impose a penalty on you."

Now, when it comes to how does it compare to EU's GDPR, which is widely understood to be, I wouldn't say the gold standard right now. But rather, the least bad option we have in the world is that GDPR actually puts Right to Privacy Act center. And it puts the data principle at center. So, even though yesterday and on Monday the minister, Mr. Ashwini Vaishnaw kept on saying that GDPR has 16 exemptions and India's DPDP bill has only six. That is actually patently false. He's referring to Article 23 of the GDPR, which has a list of 10 exemptions.

Now, the interesting part is that all these exemptions are discreet, whereas in India's version of the bill they've used comma. So, that's why you have six listed exemptions. But, if you look at each of the sub-clauses, there are actually many more. And the critical part of it is that the second paragraph of Article 23 actually constraints member states about how these exemptions are to be implemented. It mandates member states to introduce provisions around necessity, proportionality, scope of how such data will be processed, purposes for processing such data, deleting such data, concerning themselves with harms and risks associated with the rights of the data principles. All of that is absolutely absent from the Indian bill.

And Kamesh has spoken a bit about the lack of independent Data Protection Authority. And that's a huge problem. EU's GDPR still has an independent Data Protection Authority in each of the member states and then an independent Data Protection Board on top of it, which is sitting at the EU there.

Now, in India, a number of MPs, including yesterday, raised a concern about how perhaps we need a federated structure for the Data Protection Board. Because how is a central authority supposed to deal with so many grievances related to say just data breaches? Because that's what the Data Protection Board has now been consigned to. And the idea was it would still be centrally driven because information technology is a central subject. It's not a state subject. How would that work out? And in Europe, it also becomes easier because of this federated structure. Because things get escalated only if there's an issue with the member states in India. We don't have that option.

Justin Hendrix:

Kamesh, I want to let you perhaps respond to some of the things you've heard. But, I also just want to say you wrote on Twitter, to some extent, this bill, you said, I think is, "An important step towards establishing privacy in India and enacting a data protection law." Is there anything good about this?

Kamesh Shekar:

Quickly coming in, just before we move on the difference itself, if you could actually look at it as GDPR is for data, as I mentioned, personal data. And here it is the digital personal data. So, there is a difference in terms of which data is protected, only if the data has been digitized. That falls within the ambit of the bill, which may be not the case with the GDPR itself or many of the data protection regulations available out there.

In a way, that's fine because the problems within the digital is different from how you actually handle data manually. So, I guess that differentiation is fine. But, maybe if we move forward, we have to also answer what we have to do for the manual data as well.

But, quickly moving on into some of the key aspects, actually as we say, that this has become six years of a journey in terms of having a Data Protection Bill for India. So, I guess this is a start. And as Prateek and Aditi have also mentioned, is that we have so much battles more to get through because so much of power is given to the central government in terms of law making.

So, I guess that way, actually, we still have a long battle in terms of each and every clause to be dissected. So, in that way, I guess that's one way I would say in terms of the start is very important rather than anything presented. Because, since we recognized a right for privacy, we still don't have a legislation. So, it's really important that we do this.

And secondly, I guess it's a very important aspect, is that some of the key nuances of the bill has changed over evolution. And also, I would say an advocacy success in certain ways is that especially I would love to talk about the data localization angle. As a lot of people in the panel also spoke about is that we started from a supremely very stringent, very hardcore data localization. But, ever since then, that a lot of research and a lot of expertise has gone into the picture. Where actually we come to know that the data security aspect or the data protection aspect is agnostic to the location. Just because I store the data within India doesn't mean my data is very secure and protected. So, certain nuances has been gotten into clarity.

And this also adds to the individuals of it in terms of this balance. How are you actually going to balance privacy while actually also unlocking the data for the value creation itself? Which actually at this moment, EU is also thinking about in terms of though we have a stringent data protection, now it's time that we also have to know how to unlock the potentials of the data as well. So, certain balances has been brought into the picture.

When coming to the children data, this is a battle still. One of the key aspects of the difference there is the age of consent is 18, which is a little bit different from most of the legislations out there, which is 13, 15, and et cetera, and stuff. Plus, I'll also like to add, want to just point out, is that there are also a lot of evolution has happened in terms of how we actually approach certain levels of age gating aspect itself. That's right? Because age gating comes in between how internet, as networker's network, works.

Also, adding to my data localization point, also that itself brings some of the internet enablers not to work. Certainly, these things have changed. Especially within this bill, if I come back to the age gating aspect itself, there are going to be exemptions. So, such exemptions were not very well clear in the previous version of the bill. So, certain to us are that certain class of data fiduciaries will be given exemptions from the additional obligations of processing the data.

But, the one crazy, or one key aspects, I don't know whether it has been spoken a lot, is that now that additional obligation for the children has been also extended to the person with disability. So, that's a little bit of a concern because how are you even going to identify somebody is disabled in a digital platform? And also, you haven't defined what does disability means within the bill. And also, how can you actually extend additional obligation, which is for children, for a disabled person who could be about 18? So, these are some of the nitty-gritties that comes into the picture, which is within the concerns with the children data itself.

Justin Hendrix:

It sounds like there's just an enormous amount that's still to be worked out in the rulemaking where the rubber meets the road. And it sounds like your two organizations, Kamesh, Prateek, you'll engage in that. Aditi, you'll be covering it.

I want to just step back a little bit and maybe try to contextualize this for my listeners, how this development fits in the broader scheme of what's happening with regard to tech policy in India. Prateek, you made some mention of that earlier about the general thrust of things lately. Hey, from the perspective over here in the states, when we read about some legislative development with regard to tech in India, it isn't necessarily good news. It's normally bad news. At least that's the way it's portrayed to us.

You've mentioned, of course, the increased centralization of power in the executive. You've mentioned perhaps fears of overreach. We see lots of reports about concerns on censorship, internet shutdowns, things of that nature. Let me just pose the question to the group. How would you situate this in the broader scheme of things when it comes to tech policy at the moment? Maybe, Prateek, I'll come back to you.

Prateek Waghre:

So, if you go back to, I think it was August 3rd, 2022, where the Union minister Ashwini Vaishnaw actually got up and asked to move the motion for withdrawal of the previous citation of the bill, where he mentioned the need for a comprehensive regulatory framework. And something that's been referenced a number of times, which has, depending on the time you read the quote, I think some element of this has shifted. But, it broadly consists of telling a more updated telecommunication regulation, a data protection regulation, an overhaul of the IT act, which has been called the Digital India bill, and a framework for data governance, essentially sharing non-personal data. And in some cases, you might hear mention of a cybersecurity policy in there as well. There are these multiple moving components that are at different stages of progress right now. From our vantage point, most of them come with the baggage, at leas from our perspective, of increasing the amount of discretion and control with the union government.

So, if you look at, for example, the telecommunication bill, I know we haven't gone into that, but broadly the way it speaks, the way it sought to define telecommunication services was so broad that it could include anything on the internet as well. The intent seemingly was to capture your messaging application, et cetera within that and potentially impose licensing requirements on them. But, the language ultimately used was so vague that they could wake up tomorrow and say, "Hey, you need to come under this licensing framework."

I should point out, though, that some recent report now suggests that, over the course of last week, it might have been approved by the union cabinet. And reportedly, because we haven't seen the draft so we don't know for sure, but reportedly there have been some tweaks to the way telecommunication services have been defined. And maybe it may not be as expansive anymore, but we'll have to, I think, wait to see that draft in public. But, broadly, there is a state of flux right now in terms of the policy that are going to define the next part of "India's decade". And we'll have to see how that pans out.

But I think, like I said, there are concerns from our perspective in terms of, with this control in discussion, if you look at the broader political context. Or if you look at the evolution of the IT rules through 2021 and then through subsequent amendment. Including the most recent one, derisively called the fact-checking amendment, where the union government wants to give a notified authority, a notified body, the power to flag content as fake or false. And of course, that's currently under challenge in the Bombay High Court. But, broadly, they want the ability to say what is fake or false concerning government business. Government business itself is not defined. So, you could see how something like that could be misused, which is why we're looking at some of these trends with concern.

But, I'll just pause quickly and I'll just wrap up quickly. In terms of broadly, if you look at the motivating factor, I think you could point to national security being one of them. That's something that's always discussed. I think there is a welfare aspect to it as well in terms of digitalization, and if we talk about digital public infrastructure, which we haven't really discussed.

Justin Hendrix:

Kamesh, I'll come to you. Prateek's described, I suppose, the commanding heights of tech policy in play at the moment. What's your perspective?

Kamesh Shekar:

Just adding a complementing comment on what Prateek had mentioned, let's look at from three layers here within the tech policy ecosystem of India itself. One, as Prateek has mentioned very clearly, Data Protection Bill is one component. We are revamping the telecommunication regulation. We are also revamping the IT Act, Data Digital India Act. And also, certainly some changes are coming within PCs and et cetera to get into the tech space.

So, at one level, this is happening where the digital laws and the digital policies itself is evolving at the central level. Then, you have next facet of things is the sectoral regulations. So, within the sectors, if I can say TRAI, or which is the Telecommunications Regulator of India. RBI, they're also actually coming up with their own ways of regulating their spaces.

If I could give an example is that RBI is also thinking about, or already in the process of, FinTech regulations, the financial tech regulations. And the TRAI recently put out a recommendation paper on AI, the recommendation on how to regulate artificial intelligence within the country. So, sectoral regulators are also on their spree of coming up with certain levels of tech policies.

And then, you move on to the states. So, as Prateek has mentioned, India has been pioneering a lot of digital public infrastructures. And many of these things fall within state and central list. So, the states also are coming up with their own ways of utilizing the data that they actually topple over and actually also come up with some principles in terms of how they will be using those datas and securing it, like [inaudible] et cetera, which are the Indian states.

So, state government also is simultaneously doing certain level of aspects. So, there are three different aspects that are happening, but one change or the key for all of these things is coordination and interregulatory level of cooperation, which is needed, which is not really the case at this moment.

If I come back to the digital policy landscape itself, so how the telecommunication regulation, which is getting revamped, how the Data Protection Regulation and Digital India Act is going to all interact with each other is not clear. These are all the components which add to one particular aspect, but they are not very clear.

Similarly, how such digital policies will interact with the sectoral regulations is also not very clear. The Data Protection Bill states that the bill comes over other sectoral regulation except for the data localization part, cross-border data transfer part. But, the rest of the things the bill says, that the Data Protection Bill will be over others. But, this is easier said than how it operates within the Indian jurisprudence.

And third thing, as legality, as Aditi also mentioned is about the India quasi-federal structure. Centers and state have roles when it comes to using the data. But, where the role of the state government comes into the picture is also questioned at this moment within the data protection aspect or the digital policy aspect itself. So, I would stop there. Yeah.

Justin Hendrix:

Aditi, I'll come to you. I'll ask you perhaps to comment on that broader question that Prateek and Kamesh have just got into with a broader direction of tech policy in India. But also, maybe I'll ask you to perhaps put it through a different lens, which is, if you're a citizen, you're someone just living your life in one of India's great cities where you all are, or out in the countryside, what changes after the president signs this particular bill into law?

Aditi Agrawal:

I'll address your second part of the question first. What changes after this is signed into the law? It'll take some time for the rules to be made and for it to be implemented in earnest. Yesterday the minister said that could be as soon as six to 10 months. So, we are not looking at a two-year timeline.

What changes as a citizen is there will be two, I would say three clauses, three sections that will affect normal citizens, common citizens the most. And that's something that Prateek and I have talked about.

One is the idea of processing without consent, which is the section called legitimate uses. There's this particular section there, I think it's 7, 7B or 7TB, I forget, which basically says that the state or any of its instrumentalities, in order to give you any kind of service, any kind of benefit, any kind of certificate, license, or permit, can use any data that you have previously given to it. Or it's an "Or" clause. Or it can use any data that it already has on you in digital form or that was submitted in analog form and then digitized.

So, what that means is, even if I'm using the road outside, which is public infrastructure out-and-out, which is a public service, which is a government service, my data can be used in any way, even if it's not required. If I go to a government hospital, any data that they've collected on me can be used against me. And that I intentionally use the word "against" because the power asymmetry between a citizen, one citizen, and the government is so huge that the kind of scope for misuse and abuse is entirely too rampant. Which is why any legislation is supposed to protect the citizens, and not just from the excesses of a private individual or a private entity, but also from its own government. And this bill fails to do that in its entirety.

Now, along with that, the exemptions are so sweeping they allow the government not only to exempt any of its own agencies from any and all of the provisions of the bill, they also allow it to exempt any private data fiduciary or a data processor as it deems fit. So, what this means is that tomorrow, if it's using the services of, say, a company like Cambridge Analytica, the government could say, "Oh, we exempt them." Why? The reasons are not required to be told to the citizenry by the law. And that's a problem. We've all seen the repercussions of that over the last, I would say, seven years across the world, starting from 2016. In India, this was from 2014.

Coming to the question of looking at it from a macro perspective, we are heading to our national elections next year. Generally, we expect a greater centralization of powers to happen. And that is also evidenced by how "productive" our parliament turned in this last one week.

On Monday, they passed four bills in less than four hours. That's ridiculous. You can't pass four laws in four hours. What kind of discussion could have happened, even if they are tiny laws? There's no discussion that's happening. And that kind of centralization, that kind of reserving power for the central government, even divesting, state governments have a lot of powers. It's being seen even across tech policy.

And what's also being seen is that some steps taken are very ad hoc in nature. So, they lead to a lot of uncertainty. Case in point, the notification that came out last week about laptop imports. There was a notification that the Directorate General of Foreign Trade had released and said that there will be restrictions on laptop imports, personal computers, et cetera, et cetera, until and unless you have a license to import.

That immediately led to a number of international companies facing problems with customs. It led to them stopping their exports to India. And then, three days later the government reversed it start and said, "Oh, you have three months to comply." What was the need for that uncertainty?

Semiconductor mission is something that the government is focusing a lot on. And that goes to the hardware question that also leads to the larger geopolitics of technology at large, where the world at large is looking for more resilient supply chain networks when China is not an option. Or when a war like the Russia/Ukraine war breaks out, what do you do? But, even then, there's so much uncertainty about how it'll play out.

For instance, in order to cater to Micron, the American chip making company, there's a great article in the Gazette that was published yesterday, the Indian government tweaked the rules. So, what rules may apply to you, may not apply to me, may not apply to a corporate. And that's a huge problem. We are heading towards a licensed raj. We see that in the telecom bill, as Prateek mentioned, where even services such as WhatsApp, et cetera would have to apply for licenses. How is the internet supposed to work there?

And just reiterating what Kamesh and Prateek have already said, which is about there's a combination of sectoral regulation and public welfare. So, you see that with the National Digital Health Mission as well, for instance. So, National Digital Health Mission is supposedly for public welfare purposes, but at the same time it's a very sectoral kind of initiative by the Indian government dealing with health. But, because it's digital in nature, it deals with technology policy. The entire debate around digital public infrastructure, which has been one of the cornerstones of India's representation as the host of G20, which has been talked about a lot in India, is the digital public infrastructure.

How is that going to play out? Who's going to control it? What does it look like? We have an example in UPI. But, the private companies aren't making money from the infrastructure itself. They're making money from the data that they collect. So, those are larger questions.

And just reiterating what Prateek said about our national security and maintenance of public order have been key concerns for this government. What this government has done through different laws, not just in tech policy but generally as well, is that it has normalized the state of exception. In the state of exception, the central government can reserve for itself a lot of powers that it won't have otherwise.

Now, that state of exception has been normalized. So, you have riots breaking out on the borders of Delhi? It's a state of exception, internet shutdown down. You have riots breaking out in Manipur? Internet shutdown. You are not going to deal with what's causing them because the moment you shut down information, you shut information dissemination, you shut down communications, you have control. And that's what it all boils down to eventually.

And to end on a slightly positive note, you asked me if there's anything positive about this bill. I would say there's one positive right that they've introduced, which I don't think I've seen in any other legislation around the world. Which is the right to nominate, in case of incapacitation or after death, which is an interesting right. It's not clear how it could play out. But, I haven't seen any other privacy legislation talk about that.

Kamesh Shekar:

Just quickly coming in, Justin, I guess just I had some couple of points that I guess we didn't discuss and which maybe have to be discussed, which also falls within the differentiation of what the other legislations does and how India sees it. A, we actually have two provisions within the new version of the bill, which actually gives the power to the central government to seek any information from the data fiduciaries, intermediaries, and the board itself.

And the second one is of the clause 37, which actually can order content blocking, which I am not sure whether it's present in any other legislation. I guess briefly, China has some version of it somewhere I've heard. I have not tested it. But, yeah. So, it has somewhere. But, these are two different options, two different provisions that have been recently added in the new version of the bill, which was not put for consideration.

And the third thing is that, of the difference itself, is the publicly available personal data. So, we are moving into a paradigm where we have artificial intelligence and generative AIs which actually scrapes data from all over the place to give you the solutions that they actually have. In Europe, if you see publicly available personal data, it's not considered to be a personal information under the GDPR. But, in India's act, the difference to that is only if Kamesh asked me, as a point of principle, has put my personal data outside over a blog or over an article, that will be allowed to be used by the data fiduciaries without the consent. Otherwise, any other publicly available information out there has to be consented by the individual. So, that is a key difference, which is actually present there.

But, that also brings into the question of can consent as an artifact itself be the way forward for us to have any privacy regulations? Because within the generative AI context, how are we even going to have consent artifact manifested or implemented? So, maybe we have to move a little bit and see innovations.

Third aspect is that we have been talking a lot about Indian context, and et cetera, and stuff. But, as I was mentioning for internet survival, data have to move. So, and there's borderless, which also was emphasized by the minister yesterday in the Rajya Sabha. But, though we have our own regulation, how this regulation is going to stand at the international level, when we are actually planning to apply for adequacy or anything, is still a debatable with various flaws, as Prateek was now mentioned many times in terms of exemptions, and et cetera. Which was the case for [inaudible] to happen twice.

So, one has to wait and see how this legislation is going to fare when it comes to interaction with the other international legislations, which are there in terms of digital trade, and data transfers, and et cetera. So, with that, there are a lot of laudable clause obviously within the bill. But, there are so many things which has been there from the previous versions of the bill, still there in this version of the bill, though we have come six years ago. And also, there are some key new things have been added into the bill, which brings both positive and negative concerns.

Justin Hendrix:

Thank you, Kamesh. Prateek, last word.

Prateek Waghre:

I'll just answer your specific question about what happens the moment it's, let's say, signed and then notified by the Gazette. And so, at that particular moment, to be a little flippant about it, not so many good things and quite a few bad things. And I'll just briefly elaborate in the sense that whatever we've discussed as some of the positive things about in terms of obligations on fiduciary, et cetera, none of that kicks in at that moment. All that is going to take some time to kick in. But, what will be effective immediately are the exemptions on the state government, on state instrumentalities, and their ability to use your information.

The duties that have been imposed on data principles, which is I think unique to India, to my knowledge, I've not seen any other data protection legislation do this. I could go on because I think we've covered a lot of the not so positive aspect of it. But, that's what I'll just say in terms of the exact moment when this is signed into law. We still have to wait for the positive aspects of it to start taking shape. But, as it so happened, the thing that we're unhappy about, a lot of those go into effect pretty much immediately.

Justin Hendrix:

Well, I know that each view will be bringing a critical eye as this continues to unfold, as the rulemaking begins. And I hope that I can have each of you back on this podcast and on the pages of Tech Policy Press in the future. Aditi, Kamesh, Prateek, thank you so much.

Aditi Agrawal:

Thank you, Justin.

Kamesh Shekar:

Thank you.

Prateek Waghre:

Thank you.