India’s Committee of Experts, under the chairmanship of Justice B.N. Srikrishna (the Srikrishna Committee), has submitted a draft Data Protection Bill (the Bill) for review by the Ministry of Electronics and Information Technology. The Srikrishna Committee tabled the Bill alongside a report entitled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians” (the committee report).
India Charts its “Fourth Way”
The Bill represents an important milestone for India, which has yet to enact comprehensive, principles-based data protection regulation, lagging a trend set in recent years by Singapore, the Philippines and others in the region playing catch up to Hong Kong and Japan, which have both had such regulation in place for years now.
The Srikrishna Committee in the Committee Report promises the approach set out in the Bill to be a “template for the developing world”, a “Fourth Way” that attempts a triangulation amongst the three existing models of data protection regulation put forward by the US, the EU and China respectively. The Srikrishna Committee writes that the “Fourth Way” should reflect India’s unique understanding of the appropriate balance to be struck between individual freedoms recognized by its Supreme Court in the Puttaswamy decision and the common good.
It raises a number of striking points of comparison to international developments. At a high level, many of the Bill’s provisions suggest that the Fourth Way is most closely aligned to positions taken in the GDPR, but there are important departures here and much will need to be resolved in the details of administration of the law.
There has been much critical commentary on the Bill in India across a range of issues. Some focus on how government use of personal data would be constrained under the law, a key issue in light of privacy concerns already raised in connection with India’s Aadhaar biometric-based identity system.
The data localization measure has also attracted significant attention, representing a clear outlier from the Bill’s overall alignment with the GDPR. The technology sector in India has raised concerns about this measure, which could hinder the international expansion of Indian technology businesses, and would of course impose constraints on market access to India by foreign-based players. More broadly, there are concerns that ambitions for a growing and robust technology sector, stated to be a key ambition for India, are not best served by alignment with the EU model.
We expect to see a vigorous and robust debate in the coming months as India refines its vision for the Fourth Way.