The government has chosen the middle path while writing the draft Digital Personal Data Protection Bill, 2022, by not going to the extremes of complete government control or a free hand to Big Tech companies, says Ashwini Vaishnaw, Union communications and electronics & information technology minister, in an interview with Surajeet Das Gupta & Sourabh Lele. He discusses a range of provisions in the Bill, including a list of trusted countries and penalties for violations. Edited excerpts:
What was the reason for changing the strong stance on data localisation?
Frankly, there is not much of a change. Even the previous draft, if you read the fine print, allowed a flexible approach. What we have attempted here is to bring that simplicity to the law itself, instead of keeping it ambiguous.
There are certain geographies that have got everything under government control. There are certain geographies that have given the entire thing to Big Tech. Here, we have created a platform where there is a public-private partnership that involves public digital platforms and private innovators using those digital platforms to provide services.
What will be the basis for determining the countries where the free flow of personal data is allowed?
The fundamental principle is that Indian citizens’ data should be well protected. Does the other country have a good, safe, privacy-preserving ecosystem, and a legal framework where we can have recourse to any grievance that a person has? Such factors are going to play an important part.
The process will happen on a country-by-country basis. Diplomacy will be a very important part of it. Bilateral negotiations and global understanding of the digital economy have to be clearly understood. We will have our sovereign rights. Whatever is good for India is what we always do and that’s where we have aligned our foreign policy or diplomatic policy. Determining the list of countries will be an ongoing process.
Does the Bill conflict with many sectors like the RBI which have made rules requiring localisation of data in certain areas?
Digital permeates all sectors of the economy. To create a good framework, we need certain horizontal laws which cut across all sectors -- which is the foundational component of a digital economy. Then you have the vertical-like modular approaches, like financial services, health care, gaming, and sports, etc. Horizontals include the telecom Bill, which is a carrier for all sectors, so is the privacy Bill.
The digital economy is a very fast-changing economy. We must have an agile piece of legislation, which is able to adapt to various circumstances. Everything should not be hardcoded into this one Bill, but it should provide the foundation over which you should be able to build any other regulation required for a particular sector. In case there is a particular sector that needs its data to be localised, it can very well prescribe that. Every sector will have its own specific needs. Foundational principles remain the same, but over that, sector-specific principles, regulations can be made by that particular sector. There is no conflict on this.
Would the personal data protection board have regulatory powers? Or would it basically resolve disputes when they come to it?
The board has been given the primary purpose to resolve disputes, solve grievances, and make sure that everything in this Bill is properly implemented. It is going to be digital by design; it will be born digital. It will be a totally online kind of process, so that the accessibility to justice for a person sitting in Delhi or Bengaluru is the same as for a person sitting in the remotest parts of the country.
The power of having voluntary undertaking and online dispute resolution framework will prevent a set of litigation. As a result of this, we want the digital economy to flourish, people’s rights to be protected, and to create an ecosystem that becomes an example for other countries.
The strength, the composition of the board, and the criteria for the appointment and removal of its members have not been defined in the Bill. Can you provide clarity on this?
We are working on the rulebook very rapidly. It would prescribe everything that is needed to operationalise the Bill. Again, the rulebook would be as simple as this Bill is. It would also go through the consultation process.
Our target for this Bill is basically the Budget Session. There is a 30-day consultation; post-consultation, whatever changes have to be made, we will make those changes and take them to the Cabinet. We would enforce this Bill within five-six months after converting it into an Act, as the rulebook gets ready.
By the end of next year, we should have the digital data protection Bill, the telecom Bill, and hopefully also the Digital India Bill in place.
There are some concerns over the autonomy of the data protection board as the government would establish it. What would you say?
The fact that the data protection board has been mentioned in the Bill and will be created out of an act of Parliament makes it independent. Some people ask, will it be independent? Now, today who's appointing the authority for Trai or Sebi? It is the government. Does it make them non-independent?
Even for the RBI, who appoints the governor of RBI? The government. Just the government appointing them doesn't make somebody non-independent. The criticism that some people are making is that the government will appoint it. The independence of these authorities comes from the law, not from who appoints whom.
What will be the time limit up to which a data fiduciary can notify its users and the board? After what time limit will they be liable to pay a fine?
Notices of data breaches are of different types. A breach should not be seen simply as hacking or a breach in the technical sense. It should be seen in the techno-legal sense. That is the construct we are using here. For different types of breaches, there will be different time limits. The (data protection) board will be able to prescribe that and rapidly adjust it according to the need.
The new draft has done away with criminal penalties and has come up with fines of up to Rs 500 crore for each instance. Do you think it is a significant amount for global technology giants?
The penalty is for every instance of non-compliance. Imagine a big technology company trying to create problems for, say, 1,000 data principals. Multiply that 1,000 by the penalty amount. It is huge. Ultimately, the aim of this Bill is to protect the citizens, while making sure that our digital economy is growing. It’s a very complex task.
Will the consultation process take place as open house discussions or will it be closed-door consultations?
It will happen both ways. Our consultation process is very robust. During the consultation process for the telecom Bill, I have personally met with almost 18 different sets of stakeholders; there would be many other stakeholders with whom the department has met.
Will this draft Bill also go to the parliamentary committee for review?
We have already asked the standing committee to take it up for their analysis. We have requested the standing committee to examine the draft and share its views so that we can incorporate those views before we go to Parliament.