Last February, the Ministry of Electronics and Information Technology (MEITY) released the ‘Draft India Data Accessibility & Use Policy, 2022’. The document showed MEITY has plans to set up an India Data Management Office (IDMO) to oversee the metadata frameworks and their implementation. It also suggested forming a regulatory body, India Data Council (IDC). The IDMO will consult with relevant ministries and state governments to revise the National Data Governance Framework rules. 

Internet consumption in India. Source: CISCO

Why do we need data regulation laws?

“The private sector may be granted access to select databases for commercial use. Given that the private sector has the potential to reap massive dividends from this data, it is only fair to charge them for its use,” noted the 2019 National Economic Survey. The Draft India Data Policy aligns with the government’s data monetisation push.

The idea is to keep all the datasets open by default, except for a few that will be marked ‘negative’. The India Data Council will sort the high-value datasets based on their “degree of importance in the market, degree of socio-economic benefits, impact on India’s Al strategy and performance on key global indices.” The IDC has the power to determine the metadata and data standards for every central department. Last October, Karnataka became the fifth state after Telangana, Odisha, Sikkim and Punjab to monetise citizen data. 

  Number of connected devices (in millions) in India. Source: Ericsson Mobility

Privacy protection

The policy proposal drew flak over the lack of data protection laws. While the policy promised anonymity, there was no regulatory framework to support it. The Non-Personal Data Governance Framework had been on the backburner since 2020. 

The government is working on a ‘Digital India Act’ to replace the Information Technology Act 2000. The act will replace the Personal Data Protection Bill. The PDP bill tried to introduce data localisation– inspired by GDPR–to restrict information flow geographically. However, the data localisation was promptly rejected by corporate stakeholders as it would require companies to overhaul their data architectures. 

Revisions

The draft has been revised to include anonymisation standards in the wake of the backlash. MEITY has also noted that private companies must be “encouraged” to share non-personal data with startups and Indian researchers through a proposed initiative called the India Datasets programme. 

“The constitution of an Appellate Grievance Redressal Committee is another major highlight of the proposed amendment. This is a crucial and positive policy action that will provide adequate recourse for users against the decisions of grievance officers. However, to ensure adequate checks and balances on the powers of the committee, the Rules must also envisage mandatory public disclosure of their orders and its periodic review by an oversight body as prescribed in the Blocking Rules. It will also be important to envisage a robust appointment process with an adequate number of judicial and technical members in the committee to ensure an informed decision making process,” said Kazim Rizvi, founding director of the public policy think tank, The Dialogue. 

Rizvi said, while the introduction of the updated regulations was the right direction, changes are due. “The proposed amendment to the IT Rules, 2021 is a progressive step that will ensure that our laws and policies remain updated to cater to the emerging challenges in the digital space. We welcome the Ministry’s invitation for inputs on the proposed amendments and hope that this exercise will be helpful in understanding the concerns on other key aspects of the Rules as well and create a more inclusive regime for Platform Regulation. 

The proposed changes effectuate the objective of greater transparency and accountability in the digital ecosystem which is critical for realising the goals of a free and rights enabling online space. The introduction to the draft also notes that the changes will not impact startups and will only be applicable to the Big Tech platforms. This step reverberates the government’s commitment to ease entry barriers in the sector and promote Ease of Doing Business. However, appropriate change must also be made to the relevant Rule 3 of the IT Rules given that its title still reads that the mandate is applicable to all digital intermediaries.

The proposed amendments themselves emphasise on the duty of the intermediaries to respect constitutional rights. It is imperative to realise that stringent timelines without content gradation according to the anticipated degree of harm can lead to chilling effects on online free speech of the citizenry, a concern well discussed by the Hon’ble Supreme Court in the Shreya Singhal judgement. A risk based approach needs to be adopted and the timelines for takedown should be revisited accordingly,” he added.

Global data protection laws 

Most countries have strict data protection laws. The European Data Protection Board (EDPB) drafted rules for transferring sensitive and personal data outside EU countries. Organisations were required to take consent from individuals before transferring their personal data. Post-Brexit, Britain had to adopt GDPR to facilitate the free flow of data between the former and the EU. 

China also drafted its Personal Information Protection Law (PIPL) in the second half of 2020. The PIPL granted the residents the power to withdraw permission to share their data and the right to delete data while ensuring protection during cross-border data transfers. Canada is revamping its data protection laws to include the private right to action and hefty fines. In sum, India has a lot of catching up to do.