Business implications of the Personal Data Protection Bill, 2019
The Personal Data Protection Bill, 2019, will have significant economic and commercial impact on Indian business, technology startups and the outsourcing industry. From demanding access to placing restrictions on data flows, the Bill needs some work as the joint parliamentary committee analyses the draft.
Unfettered access will discourage business
The Bill has a few recurring, stand out themes, and unfettered access to data stands out as one of the critical ones. Under clause 35, the government can exempt any agency from the applicability of the law, meaning that to preserve the nation’s integrity, the government can mandate access to any personal data of a business enterprise functioning in India. The real challenge with this lies in the lack of checks and balances, and proper judicial oversight, meaning that there is limited or no recourse to prevent misuse of such data.
For a business, knowing that their data and insights could be accessed anytime to preserve the nation’s sovereignty without a proper framework could ring alarm bells, as well as impact the future decisions of the investor community.
The need to have ‘unfettered’ access to data first came in the RBI April 2018 notification of localising payments data in India. RBI’s decision will not only impact investments, but will also increase the cost of doing business in India. Moreover, it will also limit the quality of services for Indian users and make Indian data more vulnerable to cyber attacks as global data flows are critical to prevent online fraud. This thinking mirrors the Bill and there are challenges that must be overcome before it becomes the letter of the law.
Non-personal data in personal data bill?
The Bill, under clause 91, states that the government at any time holds the luxury of accessing anonymised personal data or non-personal data of any company as they may deem fit, for planning and policy purposes.
This might discourage innovation and stifle investments in India, as it could infringe upon their intellectual property rights. Clause 91 along with the waide definition of ‘personal data’ that possibly includes insights as well, could hamper the sentiments of small and big businesses alike. Seeking data is one thing, however, demanding insights, which are business intelligence, is a totally different ballgame and will conflict with intellectual property rights of a company operating out of India.
This is worse for Indian tech startups who might struggle to seek investments or grow in India. It will impact job growth and employment opportunities in India. Additionally, regulating non-personal data in a personal data protection bill is procedurally flawed and sends an inconsistent message to the global community.
Why would any investor want to bet in an Indian startup, knowing that their business intelligence might be taken away, which means that the selling point or the uniqueness of the company might get diluted, effectively reducing its competitiveness?
Restricting cross-border data flows and impact on startups
On the other hand, although the government has taken a step forward from the previous iteration of the Bill, towards allowing greater leeway to allow data to flow across the border, there is however still a lot to play for. Restrictions on the flow of sensitive and critical personal data will still hamper India’s local processing industry, as well as limit the ability of Indian startups to leverage the cutting edge ability of global cloud service providers.
Access to data must be through bilateral and multilateral agreements, and localising sensitive and critical personal data will affect India’s ability to take its IT sector forward. There are sub-clauses that talk about adequacy and I believe that India should work with bilateral and multilateral forums to arrive at privacy and data access agreements.
Moreover, other countries might restrict Indian startups to access foreign markets, as a reciprocative measure against localisation, thereby impacting our startups abilities to go global.
Restrictions of cross-border data flows will limit the ability of Indian startups to access cutting edge solutions, provided by cloud service providers that operate out of global markets. For young startups, minimising operating cost is essential in the early stages. Towards this, cloud storage is key as it provides various solutions while ensuring that the cost of storage stays low. With restrictions on cross border data flows, cost of operations will increase, and also their ability to develop and deliver services.
Impact on processing industry
Moreover, under Clause 31(3) the Bill mandates that the data processor will act on the instructions of the data fiduciary. To ask the data processor to share non personal or personal data will have a huge impact on businesses who are leveraging India talent for data processing and offering insights from data. No clear transition time has been given in the bill. So the industry may not know how much time it has to prepare and rework its compliance measures.
We risk 126 billion dollar exports and 4 million jobs in the IT Sector. Under clauses 33 and 34, it appears that foreign nationals’ data might be processed in India. The exemption under clause 37 is not clear, and to demand case-to-case exemption will make the exercise compliance heavy, which can impact India’s outsourcing sector.
Moreover, the concept of significant data fiduciary is very wide, as all large businesses might have to prepare for greater compliance requirements, which might affect India’s ease of doing business rankings. Additionally, the Bill needs to provide clear transition time for companies to prepare for it. Now, Indian data analytics companies process foreign data and provide backend services to fiduciaries. The Bill requires processors to comply through a contract even if the fiduciary is located outside, meaning that foreign data might also be localised, which will trigger significant challenges for India’s processing industry, and might make India less lucrative compared to other destinations such as the Philippines.
Foreign fiduciaries might not send data to India for processing, as localising the same will affect their businesses. Also, there is no clarification whether the government will also regulate non-personal data of foriegn nationals in India, which will confuse investors wanting to bet in India.
Kazim Rizvi
Kazim Rizvi is founding director of emerging public policy think-tank, The Dialogue. The views in this article are his own.