“The ideals of privacy and data protection in today’s world will never be achieved by a regulatory bearhug.”
Member of Parliament Rajeev Chandrasekhar has said that cross-border data transfer restrictions and data localisation mandates are “likely to create a huge barrier to market entry” to companies in India. “India at present does not have the physical infrastructure to host large scale data centers,” Chandrasekhar said. These comments are part of his filing to the IT Ministry’s public consultation for the Srikrishna committee’s data protection bill, provided to MediaNama.
“These restrictions appear to be motivated only to facilitate law enforcement and Security agencies access to data and does not lead to any meaningful bolstering of privacy rights while it can be argued that the impact of such restrictions is also far reaching and disproportionate to the benefits,” he said.
Chandrasekhar is a member of the BJP. His views notably diverge from that of Vinit Goenka, who has called for ‘data sovereignty‘ and strongly supported data localisation requirements. Chandrasekhar has previously argued against localisation, questioning its effectiveness. But, he said, “I won’t stake my parliamentary career on fighting data localisation,” choosing instead to push on fairer ways to regulate data collection and regulating for harms that come out of it.
According to the draft bill, data localisation and cross-border data transfer restrictions essentially require companies to host a large amount of user data within India, and in some cases only in India. Internet companies have traditionally pushed back against such restrictions, arguing that costs will rise and that the internet is inherently global.
In his five-page submission, Chandrasekhar argued that the Srikrishna committee’s bill needed to go through months of consultation before it was finalized. The Srikrishna Committee Report is a good start. But the structural deficiencies in the draft bill however defeat these objectives.
Vague and capricious regulatory regime: Chandrasekhar warned that the bill was creating a framework that was too broad which is “subject to the whims of the man on the wheel.”
He called for an alternative to “highly intrusive and expensive regulation”. He pointed to the threat of ‘consent fatigue’, echoing the much-debated idea that accountability should be the primary basis of a data protection law, rather than consent.
Chandrasekhar’s filing does not, however, question the primacy of consent. He also raised concern on the “astonishing civil and criminal penalties”. Criminal penalties like jail time are highly unusual in data protection legislation enacted abroad.
Trump administration may retaliate to localisation: Chandrasekhar said, “The restrictions of on cross-border data transfers has the potential to create a case for isolating the Indian market. It is highly likely that countries such as the United States, under the Trump administration will respond kindly, in line with its terse stance on free trade. The great dividends of efficiency created by the internet will be lost to these measures that fragment it.”
Irreversible anonymisation is impossible: “The bill requires ‘irreversible’ anonymisation which is arguably technically impossible,” Chandrasekhar pointed out. The bill’s standards for anonymisation surpass even those of Europe’s General Data Protection Regulation (GDPR), Chandrasekhar said. “Despite adopting a progressive outlook, the overarching objectives are frustrated,” he says.
Compliance for small businesses: The bill’s compliance framework does have differential rules for small and large businesses in terms of compliance, Chandrasekhar said, but the lack of clarity on that distinction could cause uncertainty, he said.
“The ideals of privacy and data protection in today’s world will never be achieved by a regulatory bearhug,” Chandrasekhar said, adding that upto a year of further consultation may be required before the bill goes to parliament.