This is an audio transcript of The Morning Brief podcast episode:How will India protect its citizens’ data?

BG Sound  

This is the morning brief from the economic times.

Anirban Chowdhury  

For five years, India worked on making laws to protect data or digital information of its citizens. laws that would prevent misuse of information like name, date of birth, address and phone numbers that you and I feed into hundreds of websites, portals and applications every single day. With us, that is already rampant as the country is several years into massive data and tech revolution. Laws that India needs badly. But last Thursday, before the data protection laws could be formalized, the government cancelled them.

BG Sound  

In parliament today, the IT and telecom Minister Ashley rational has announced that a data protection bill brought in two and a half years ago will be withdrawn and replaced by comprehensive framework.

Anirban Chowdhury  

But what was wrong with the earlier ones that took years of research, discussion and debate right? Where their external pulls and pressures on the government to withdraw them? When will the new regulatory framework come? What will it have that's different? And what's the guarantee that the new laws will not have the same problems that the earlier ones had? Do listen in as I tried to find some answers, it's the ninth of August from the economic times I'm an inbound Chaudry. And you're listening to how will India protect its citizens data on the morning brief. In the last decade, a massive tech and telecom revolution has happened. tech firms have gained access to massive amounts of data. Our data, which we have been sharing quite regularly, data ranging from my name and address to where my family and I drove to last weekend, to minutus details such as the fact that I like my cheesecake without the blueberry compote. Data has become extremely valuable. It's become the new oil. In India, companies have been harnessing this freely available and completely unregulated data with a massive surge in users of the internet. Here's Prateek Waghre, policy director at the Internet Freedom Foundation, a non government organization that advocates digital rights and liberties.

Prateek Waghre  

India is estimated to have currently about 700 billion Internet users. And it's expected that by 2055, will be out at around 900 million. Now you have more than 50% of these likely to come from rural areas. And as you're all seeing, right, so today, you have about approximately 346 million Indians to take to engage in various forms of online transactional whether ecommerce digital payments, etc. In Padlet, we're also seeing much greater levels of digitalization for government services. So if you look at health, education, agriculture, etc, they're all They're all seeing more and more schemes relying on digital route, they've all been announced. And this all happened right now, without a data protection law in place.

Anirban Chowdhury  

Most of us still don't understand the massive value of the information we are sharing. In fact, a survey by computer security software firm McAfee in January 2021 found that 90% of Indians would be more serious about protecting their data, if it was traded, like currency. Naturally, misuse and crimes have increased too.

Prateek Waghre  

Every now and then you have these episodic reports of large scale data breaches if they're not, if not hundreds of billions, at least 10s of millions of Indian users whose private or personal information is affected by this. And then you couple this with you know, frequent reports of vulnerabilities in various government websites that either expose or potentially expose, again, personal information of a lot of a lot of people.

Anirban Chowdhury  

And this is not new, reported data breach at the government citizen ID database and heard in 2018 was the largest in the world that year. According to the World Economic Forum. A recent report from Netherlands based virtual private network provider serve shank said India faced the second highest number of data breaches in the world between January and June 2022. In Jan to march, five Indian accounts were breached every minute. In April June, this number grew to 42 This is why India badly needs data protection laws. The data protection bill that was withdrawn on Friday was in the works for half a decade. But the genesis of data privacy laws in India happened way earlier says my colleague Surabhi Agarwal, it is tech editor.

Surabhi Agarwal  

The first draft of India's privacy law was sort of formed in 2009, soon after Aadhar was launched. So that is when the first idea of a Privacy Bill was conceived, a draft was formed. But then it again, you know, went around doing the rounds of various ministries, and it was jumped. There was a committee which was formed headed by Justice AAP Shaw, which gave out a draft, which suggested privacy principles on which a privacy law should be based. Again, nothing happened on that.

Anirban Chowdhury  

That was 2012. 

Surabhi Agarwal  

Fast forward to 2017 when this landmark privacy judgment was announced by the Supreme Court, and that judgment made previously have fundamental right for the country, of course with with reasonable restrictions, and the government sort of committed to the Supreme Court that we will have a privacy bill. That is when the den it Minister Ravi Shankar Prasad asked retired justice, a Supreme Court justice, bn Shri Krishna to head a committee which will again draft a Privacy Bill. And that is how the first draft of this particular bill, what came into being that Privacy Bill was again tweaked by the government, and then it was submitted to the Lok Sabha.

BG Sound  

I moved for leave to introduce a bill to provide for protection to the privacy of individuals relating to their personal data, specify the flow and uses of personal data create a relationship of trust between persons and entities. Personal personal data, protect the rights of individual whose personal data are processed to create a framework for organizations and technical measures in processing of data, laying down norms for social media intermediary cross border transfers, accountability of entities processing, personal data, remedies for arthritis and harmful processing, and to establish a Data Protection Authority of India.

Surabhi Agarwal  

Now, when the government sort of tweaked it, it also introduced certain new things, which were not there in the Shri Krishna draft, these pertain to social media. And this also in a line, they said that this bill will also take care of non personal data. Say for example, an Uber collects about people who are using their cabs. Similarly, in the case of, say, a Google Google would know because people use its maps extensively, that who is going where now that is where I feel that the seeds of this entire chaos was sort of sown, where the government introduced non personal data into a personal data protection bill, the scope of the bill was expanded to also include other things apart from just data protection.

Anirban Chowdhury  

The bill had already started inflating. It was then given to a 30 member joint parliamentary committee, a group of lawmakers to turn it over and if need be, make further changes to it. In between COVID-19 hit and meetings were stopped, a cabinet reshuffle happened, new members came into the committee and made even more changes, lots of changes. By December 2021.

Surabhi Agarwal  

The shape and the size of the bill had completely changed from what it was right. They were provisions on hardware security. They were provisions on social media where the recommendation of the committee was that social media companies should be classified as publishers, which means that they should be liable for content, which say news organization is so there were a lot of such changes, the clauses of non personal data were continued. In fact, the committee recommended that non personal data should be a big part of this bill, so much so that the name of the bill would be changed to become data protection and not personal data protection bill.

Anirban Chowdhury  

The bill had 98 sections 81 amendments and several notes of dissent. In the words of it, Minister Ashwini Vaishnav of

Unknown Speaker  

it was practically rewriting the entire bill. Then, apart from those amendments, there was some very major about 12 Major, other suggestions which were there from the committee. So to make sure that we do a very good comprehensive bill, it was important to withdraw the old bill.

Anirban Chowdhury  

On top of that, there were still disagreements between various factions of the government. And there was tremendous pressure from global and Indian tech companies to withdraw the bill, something which minister rational has denied.

Unknown Speaker  

So there is absolutely no question of coming under any pressure. It is a very conscious decision.

Anirban Chowdhury  

The withdrawal of the bill has been criticized as a win for big tech and a loss for India's citizens. Was there an alternate route for the government?

Prateek Waghre  

Even in a tricky situation it was having to to choose between a flawed build and noble. But even in that context, having imperfect bill being passed, was still a step in the direction towards operationalizing, a data protection regime, which could then have been improved on either through judicial review or subsequent legislative effort. 

Surabhi Agarwal  

It's a classic story of too many cooks spoil the broth. I mean, nothing else explains this sort of analogy better than what happened with the data protection bill or the privacy bill as it was supposed to be.

Anirban Chowdhury  

Before we get into what the new bill can and should look like, it's important to understand the problems with the current one, in addition to the whole confusion on whether there should be one or more sets of laws for personal and non personal data, and the most stringent set of rules for social media companies. There are other points of contention. One is on data localization, which basically means that big tech companies operating in India, such as Google, or Facebook, will have to set up huge data centers to store and process information of its users in the country. This will increase compliance costs for the companies. The tech firms have been opposing this in regulatory filings. both Facebook and Google have called India's emphasis on data localization matter of concern.

BG Sound  

What is the India us a battle over data? Well, the government wants foreign firms to localize that is housed there India user data in India, US tech giants, they are opposed to localization of data and India because of course, it will cost them a lot more.

Anirban Chowdhury  

Here's what Pratik thinks. All through,

Prateek Waghre  

there's been this, this idea of data localization being introduced in there, as if just because data is stored in India, it's protected from misuse in any way. And that's not actually the case.

Anirban Chowdhury  

The section that is the most contentious is the one that gives the government the power to exempt all its agencies from the application of the law. I spoke to Mr. Patnaik, a member of parliament and one of the strongest voices of dissent in the joint parliamentary committee.

Dr Amar Patnaik  

There was, of course, a lot of discussion on the exemption clause section 35. In the earlier bill, which gave the government of India the power to exempt itself from the regardless of the rest of the provisions of the bill. In case it involves issues relating to sovereignty, national security, or public order, because if the exemption clauses give more power to the government, whether it is the central government, whether it is the state government or any government institution, then if a breach of the data of the people from citizens data takes place, then the government agencies get away with it, but the harm would anyway would have been caused. So therefore, there is probably no merit in giving too much of leeway to the government, maximum number of cases in India, for transmission of fundamental rights of citizens filed by citizens is against the government. And if privacy is a fundamental right, is translation would result in an affront to the fundamental rights of a citizen. So it is most likely to be against government, and therefore, exempting the entire government machinery out of it may not be in order, and it still is pushed through we it would be not acceptable.

Anirban Chowdhury  

Another thing to be worried about is the role and power of the Data Protection Authority, the main regulator of these laws.

Prateek Waghre  

So subsequent versions of the bill, we've seen that the independence of the Data Protection Authority was was impacted. It started off with having having a committee that would recommend members to ultimately being pretty much solely at the executives discretion.

Anirban Chowdhury  

Now, in the years that the government sat on the privacy laws, discussed, tossed and turned them around and kept adding to the draft. Other countries were way quicker on the uptake

BG Sound  

of companies that collect data from citizens in the European Union will now need to comply with new rules protecting customer data starting the 25th of May, the federal

government is proposing hefty fines for companies that fail to protect the information of Canadians or abused that information. The new measures will help Canada's privacy protections get up to international standards.

The Saudi Arabia data and AI authority announced that the personal data protection law had been approved by the Council of Ministers,

companies with operations in China could be impacted by a new law going into effect. Data Security law dictates that companies both foreign and local will have to store process and transfer and manage their data accordingly. 

Dr Amar Patnaik  

In many countries, in fact, somewhere I got the figure that more than 100 countries have some form of privacy law or the other. And data protection laws are separately there, either from a sectoral point of view, for example, the health ministry in a, in a country who'd have a health data protection law, that is the data which is collected from patients as or citizens as regards their health attributes are protected. And it's, it's all in the United States it is there. And it could be another sector, for example, the E commerce sector, so they could be having a separate regulator. So all countries have this either a sectoral regulator, or some kind of authority, which manages this. But there are others who have full fledged privacy laws, Canada has a full fledged privacy law. The EU GDPR, of course, is an example Australia has a full fledged privacy law.

Anirban Chowdhury  

In fact, India's planned framework is modeled on the European privacy laws, the General Data Protection Regulation, or the GDPR. Are those adaptable in a country like India, that has big tech firms headquartered in the US, whose data protection guidelines are largely self regulatory? Is this something the government needs to keep in mind while formulating the new bill?

Dr Amar Patnaik  

That may not be entirely true, because these big tech companies which you are talking about which you're referring to, they operate also in the European Union. And the European Union all said and done is a huge geography. And they have been operating there from before. Even in the United States, it is not self regulation. Some of the states have their own, the California has its own regulations for data protection and privacy. And there are sectoral regulators in the US. So the big tech companies, which we're referring to are actually currently facing a number of antitrust cases, both in the United States, as well as in the European Union. In fact, their first conflict rather or dispute with the state has happened in the United States. So it's not true that they are completely self regulating itself themselves. In fact, it is in G 20, that these concerns have also been expressed.

Anirban Chowdhury  

So what's next on this? When is the new bill coming?

Prateek Waghre  

Now we're looking at introduction, possibly in the winter session, or maybe the budget session, you want to ensure that now that the bill has been withdrawn, there is ample time for public consultation for for deliberation. Because if the bill has been withdrawn, you want it to ideally want it to be replaced by a bill that's significantly better. So you don't want to rush the process. And we're potentially looking at a minimum of maybe 12 to 18 months to allow for this consultation period to allow for deliberation to allow for compliance from companies. And if that's the delay, it has to be significantly better than the current build, in terms of protecting you the rights, which we'll have to see.

Anirban Chowdhury  

This is what syrupy says, the new set of floors may look like.

Surabhi Agarwal  

So the first thing that they're saying is that we just have a privacy bill, which is focused on data protection, and not on anything else. So for example, I had a chat with Rajiv Chandra Shekar. And who's the MO is it. And he explained to me that the framework of the future tech regulation in India will largely comprised of three main laws, the one is the national data governance framework, which is what deals with the non personal part of it. And this time around, they've kept private enterprises out of it. And they've only talked about government and the do's and don'ts of government control of this kind of data and how they share it and not share it etc. So that's, that's already at an advanced stage, because consultation has already happened and the government is very close to releasing the final draft. The other part will be the the new data protection bill, which will just be focused on privacy. And then the third and the major part of it, the biggest part of it will be the revamped it AG. If we look at the ITR it act is 22 years old listeners would be very surprised to know that the India's it Act, which is like the master regulation, governing tech, all kinds of tech in the country does not even contain the word smartphones, because it was written even before smartphones became common. It does not even have the word internet. So it is that old and archaic. And the government has been talking for the last many years to revamp that act to make it make sure that it's updated to make sure that it's in line with the current trends.

Anirban Chowdhury  

I asked her to tell me the three top things that the government should keep in mind while drafting the next bill.

Prateek Waghre  

Three things it needs to rethink the exemption that it has given itself. The Data Protection Authority has to be independent, like we saw with the cases of UK and Australia being able to take up investigations and things on their own. And thirdly, needs to operationalize a regime based on consent and accountability, and also start thinking about enforcement. Because that's another complicated thing altogether.

Anirban Chowdhury  

But there will be challenges even as the government tries to ensure that previous mistakes and conflicts aren't repeated in the next bill.

Dr Amar Patnaik  

The challenges for the government will be how to balance all these interests, your pivots are, the new law should be able to protect citizens data, that's important, the most important thing, but at the same time, develop for markets, digital markets in various areas, and should not stifle innovation. Now, this balancing act, which has to be done by the government is not easy, it's not easy at all.

Anirban Chowdhury  

The second challenge is regulating cross border flow of data and giving confidence to other countries, that their citizens data is safe in India,

Dr Amar Patnaik  

many of the processes in the United States many of the banking processes are offshore to India. Now, those data which are coming into India are getting processed and again, sent back to us they are of American citizen. Now, if there is a feeling that there is the data of such citizens of the United States, who would not be protected under the new legislation, then there will be difficulties in trade, difficulties in E commerce difficulties in digital trade. The third challenge, and that's important would be also, it's a small chapter in this book, that is the protection of privacy rights of children and young girls. Why I say this is because after the pandemic, what the world has seen is the use of internet, the use of digital methods for communication between teacher and student. So the adult education sector has undergone a change. And many of the young students less than 18 years of age, who are getting education through the digital medium, how to protect their privacy, because they are very vulnerable. Fourth point, and for the size of country, the geography of country. And since there is a technological inequity in our country, very, very deep iniquity, rural areas where 85% of the people who do not have access to mobile phones, about 30% do not have a quality internet throughout the day. So I think the government cannot be oblivious of this fact, because, as I said, the citizens data could be collected in a manual form and getting processed in an electronic form. And if there is a leakage there, if there is a breach of data, if that level, or even if a harm is caused with the data principle, then I think the responsibility would squarely be on the government.

Anirban Chowdhury  

So that's where we are at a country like India needs data privacy laws. Indians need to know that their data is valuable, that they have the fundamental right to protect it. And that there are laws and regulators they can turn to in case that data and information is in danger. The laws need to be strict. There need to be penalties. But the government also has to keep the tech companies happy. It can't afford to disturb the digital ecosystem and its growth, which is touted to be worth a trillion dollars by 2025. It can't afford to earn too much. The drivers of this tech field tech aid, or as the government itself calls it, the tech aid. It's a massive balancing act. One of the many that the government is doing right now, between Indians and industry, citizens and corporates. You will listening to how will India protect its citizens data on the morning brief. This episode was produced by Vinay Joshi from the economic times and Soundarya Jayahandran from us. Sound Editors in Indranil Bhattacharjee and Rajas Naik from the economic times and Swati Joshi from Aawaz. Executive Producers are Anupriya Bahadur and Arijit Barman from the economic times. Do like share and subscribe if you like the episode, the morning brief drops every Tuesday, Thursday and Friday. do tune in to et play our platform for all things audio, or catch the episode on Spotify, Apple, Google, and other streaming platforms. Thank you, and have a great week. All clips used in this episode belong to their respective owners. Credits are given in the description

This transcript has been automatically generated. If by any chance there is an error please send the details for a correction to: themorningbrief@timesgroup.com We will do our best to make the amendment as soon as possible.