Editorial – September 2018

A report and a draft Bill have raised the hackles of the American tech companies in India. These are the 176-page report of the committee of experts led by BN Srikrishna, “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”, and a 67-page draft Bill, titled “The Personal Data Protection Bill, 2018.”

Most of these companies are speaking the language of American brinkmanship and threatening consequences for the Indian IT companies who export their services to the US. What the draft Bill proposes is in broad alignment with the EU GDPR (General Data Protection Regulation), which was implemented on May 25, 2018. The EU GDPR requires all companies operating in the EU countries to have local data centres. They also have comprehensive data protection norms. All European requirements are complied with. Apple has two data centres in Europe but none in India. Facebook has three data centres in Europe but none in India. Google has 18 data centres in Europe and two in Mumbai; Microsoft has 13 in Europe and three in India; Amazon has 12 in Europe and two in India.

The citizen, the state and the businesses are the three important vertices in the Bill. Citizen privacy is a top priority, and certain rights related to data protection are vested with the state. The provisions related to these two domains have become the basket of issues for the American companies, and they have launched a shrill campaign in the public consultation process. This is echoed and cascaded through networks like BIF and industry associations like Nasscom, Ficci, and CII.

The BIF wants self-regulation, with the Data Protection Authority of India to be only a facilitator. It has cited costs and bad infrastructure as reasons for not storing data in India. They find the penalty structure related to data compromise and subsequent harm entirely unacceptable. And yet, they find similar provisions very agreeable in the EU GDPR. They want greater processing flexibility on grounds of contractual necessity. All in all, they have coalesced the Bill into a singular issue: where the data will be stored, in India or outside. And if data is required to be stored in India, they are threatening costs for Indian businesses.

However, with the RBI also mandating that all data pertaining to payment systems be stored in India, the demands of these companies would become unrealistic and not meaningful. Major American tech companies want to start payment services. After demonetization, digital payments have burgeoned. In May 2018, Indians clocked transactions worth Rs 180 lakh crore using their 900 mn credit and debit cards. The magnitude of this market is expected to increase with the government making strides in payment acceptance infrastructure. In this environment, therefore, the Data Protection Bill is attracting biased criticism.