Manpreet Anand and Nikhil Sud on data protection in India
GDPR is just the beginning: India may pose new challenges
India is crafting its own data protection regime, which will pose new challenges.
The GDPR has landed. As companies focus on complying with the EU’s General Data Protection Regulation, a far-reaching data protection law, they should not lose sight of developments in India. India is crafting a data protection regime that has the potential to empower users to control their own data but may present new challenges for companies with Indian customers – not merely the specific legal requirements, which may of course differ from the EU’s, but three fundamental risks that companies may not have encountered in the EU.
The Risk of a Fragmented Landscape
Last year after the Indian Supreme Court declared privacy a fundamental right, India’s Ministry of Electronics & Information Technology (MeitY) formed a committee to develop a data protection law. The committee collected public input in January, and is expected to submit its draft law in June. This law, like the GDPR, is expected to apply across sectors.
However, the Cambridge Analytica incident, which unfolded in March, triggered calls for urgent and harsh data protection measures – and since then, other sections of the Indian government have undertaken data protection initiatives, including the Reserve Bank of India’s localization mandate for payments data, the Ministry of Health and Family Welfare’s draft law protecting health data, and the Ministry of Commerce’s think tank to contemplate (among other things) data protection for e-commerce. Because each of these efforts is separate from MeitY’s cross-sector initiative, a fragmented landscape may emerge with conflicting and unclear obligations. This could also raise compliance costs.
The Risk Associated With India’s Vision of Data Empowerment
While other regions (like the EU) focus on making data safer, India seeks also to empower individuals with their data – by maximizing their ability to easily and quickly access, manage, and move that data. This vision may bring significant consumer benefits. For example, extracting records of commercial transactions in a suitable format and sharing them with a lender can help individuals secure loans; porting data from universities to prospective employers can make applying for jobs more efficient; and a consumer may more easily adopt different technology platforms (e.g., a music service, a social network, a mobile operating system) if she can easily port data to those platforms from platforms she already uses. In addition, India’s vision includes “account aggregators” – entities that coordinate the movement of data. For example, if an individual seeks to move data between two companies, she may not need to interact with the companies but only with the account aggregator who, based on her consent, would move the data.
This vision requires not just legal support but also advanced technical tools, and the technology behind India’s Aadhaar initiative may form a key part of the account aggregator architecture. However, this technology has been publicly associated with breaches. If account aggregators cannot ensure they move data securely, not only will consumers suffer, but companies doing business in India may be wrongly blamed by the public for breaches even if the breach was not the company’s fault, but resulted from a shortcoming in the technology behind the account aggregator architecture. Such companies could incur significant reputational costs, lose customers, and even face liability if the law is ambiguous regarding which entity is liable for breaches.
The Risk of Losing a Critical Innovation Hub
Many modern and emerging technologies, including internet services, rely heavily on data flow. Stringent data protection measures, such as data localization requirements, can hinder this innovation. They can also impose substantial compliance costs on companies, diverting financial resources away from innovation. And all of this can discourage companies from investing in the region. While this may be true in any region with stringent data protection measures, companies may feel the impact more strongly in a region like India, which is widely acknowledged as a critical innovation hub – for the present and the future.
A staggering array of multinational and home-grown companies are increasingly innovating in India, given India’s rapidly rising adoption of technology and the internet, the enormous customer base, and the government’s championing of innovation through initiatives like Digital India. Data protection measures that prevent companies from innovating in India can significantly undermine their global ambitions, while depriving India of the vital socioeconomic benefits of innovation.
Manpreet Anand is Senior Vice President at Albright Stonebridge Group (ASG) where he leads the South Asia practice in Washington, DC.
Nikhil Sud is a Regulatory Affairs Specialist with ASG’s South Asia practice.