India became the world’s fifth-largest economy last year. This achievement was only possible through strategic economy-boosting regulatory policies and lowered control on foreign trade and investments (World Population Review). Unfortu-nately, the rules proposed by the new Personal Data Protection (PDP) Bill seem to contradict this growth mindset. Will this hit Indian businesses and their employees the most?
India’s economic liberalisation began in the 1990s and accelerated over the past few decades. Indian businesses such as Tata and Infosys are powerful entities globally. As a result, India’s massive $185 billion IT industry employs 4 million (direct) and 10 million (indirect). On the startup front, in 2019 alone, over $10 billion in investments poured into India (Bain). Industry-friendly regulations, low-cost cloud computing, and our large pool of young talent are critical drivers for global investment. India now boasts of 25 Indian-born Unicorns (billion-dollar startups) servicing the global economy.
None of these accomplishments would have happened without the government’s help. India’s growth trajectory has been steady but it may now become shaky. While the PDP Bill’s intent is excellent, several stipulations may adversely affect our economy and the job market.
For starters, take the mandate for data localisation. It requires “sensitive” and “critical” data to be stored on Indian servers. This raises several concerns. What is personal and what is sensitive is subject to interpretation. This matters because critical data can be shared with a foreign entity only with explicit consent and other requirements. One man’s “critical” is another man’s “sensitive”. Who decides?
Additionally, storing massive amounts of data in physical servers locally is extremely expensive. It will drive up costs and make it harder to do business in India — without proof of being effective in protecting data. Running data servers is a very high-cost initiative. It requires land, incredible amounts of uninterrupted power, advanced security measures, and more. Indian infrastructure is not currently equipped to handle this.
The Supreme Court granted Indians privacy as a fundamental right in the landmark Puttaswamy verdict of 2018. This means Indians should enjoy data protection — from all entities. The data protection Bill has a curious exemption. The central government can grant access to select government agencies and override protections at any time. They will also appoint the overseeing authority, the Data Protection Authority (DPA). How is our information being protected if anyone from any government agency can seize data in local servers, at any moment? So, if we are not protecting data, why traverse this maze of regulatory hoops and hurdles?
Also, how will the PDP Bill affect Indian fintech industry? Indian fintech raised $7.4 billion in investments in the last decade and is a valuable contributor to the Indian and global economy. The PDB Bill’s restrictions on cross-border data flows could severely slow this industry down. In this digital world, cross-border data flows are integral to growing the economy. Data flows across borders raised global GDP by 3.5 per cent ($2.8 trillion) in 2014 and could reach $11 trillion by 2025 (McKinsey). Protectionist policies like data localisation will obstruct our growth (Bauer, 2013). Why not specify that data needs to be secured and protected? If there is justified cause for contest, procuring a court order will offer access to data — like in any criminal case.
Most products and services rely on the internet and cloud computing. The mobile economy contributes significantly to India's GDP. Digital India could offer $1.3 trillion in business opportunities for the future. Light-touch industry-friendly regulations are the key to realising these dreams.
Unfortunately, the rules around consent might be too cumbersome for small- and medium-sized businesses. User consent contracts and agreements are standard practice. The new rules place all decisions around consent in the hands of the DPA and not organisations. Excessive reliance on consent to drive any data processing can create consent fatigue. Apart from lawyers, there are very few who read each word of their smartphone or app user agreements. Also, how will this affect third-party contracts? Detailed and specific consent gathering in all transactions will slow down and hinder business growth — except for compliance lawyers.
The PDP Bill also created a separate category of organisations called “social media intermediaries”. It is practically impossible to segregate purely “social media” organisations. Are news websites social media intermediaries? After all, they collect user comments. This move is also redundant since intermediaries (communication channels) are already covered under the IT Act, 2000, and Intermediaries Guidelines, 2011.
In the end, what problem are we solving? Placing more roadblocks to growth can hamper our economy and drive global investors away. Industry-friendly policies are the foundation that permits Indian enterprise to thrive and secure Indian job opportunities for the future.
(Research inputs by Chandana Bala)
The author is president of Broadband India Forum and founder & CEO of Advisory@TVR
Views are personal
To read the full story, Subscribe Now at just Rs 249 a month
Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper