Communication and transactions in the digital ecosystem are fuelled by the collection and processing of enormous amounts of ‘personal data’ of billions of users and even non-users. It is further classified as ‘Personally Identifiable Information’ (PII) and ‘Personally Sensitive Information’ (PSI), even as the boundary between the two blurs.

PII includes identifiers like name, address, phone number, email, Aadhaar, voter card, PAN, bank account and payment card/wallet details, passport, driving licence and social security numbers, and even passwords or PINs. PSI could be about a disease or debt, sex life or sexual orientation, religious or political affiliation. It is pertinent to note that even trade union membership is treated as PSI in Europe!

However, like any other tool or technology, digital technologies can also be misused and abused. The impact can range from identity theft to reputational loss; illegal surveillance and self-censorship; and the creation and dissemination of fake images, news, videos and narratives. Hence, laws are needed to protect personal data.

Evolution of GDPR

“Innovation is the specific tool of the entrepreneur,” said the management guru Peter Drucker. The US has a vibrant innovation ecosystem of government, academia and industry working in sync, while the European Union (EU) often leads with regulations and standards, leveraging its convening and market power. For example, GSM became the de facto global standard for mobile communications, trumping other contenders, and the euro is the common currency across most EU countries.

Passed in 2016, the EU’s General Data Protection Regulation (GDPR) became enforceable on May 25, 2018, superseding the 1995 Data Protection Directive. The directive provided a broad framework but was implemented variedly through the respective national laws, whereas the GDPR applies uniformly across the EU.

Notwithstanding Brexit, the UK continues to mirror it, even as there is no imminent consensus on a federal privacy law in the US. Most data protection frameworks, even outside the EU, are significantly influenced by the GDPR, not least because of its strict norms around data transfers to third countries and its stiff fines.

Notwithstanding the country of incorporation or principal operations, an entity can be fined under the GDPR up to ‘four per cent of global revenue’ (or €20 million, whichever is higher) for significant harm due to loss, breach or misuse of the personal data of people in the EU. Actual fines range from as little as €2,000 to the record €1.2 billion fine on Meta last week. Small hospitals and even football clubs are listed alongside marquee names like Google, WhatsApp, British Airways and Marriott.

Most BigTech companies are headquartered in the US and frequently transfer the personal data of users in other countries to the US for storage and processing. After the 2015 invalidation of the long-standing Safe Harbor agreement between the EU and the US, ‘Privacy Shield’ was formalised in 2016, but even that was found inadequate in 2020. Following the 2022 in-principle agreement, the new EU-US framework is yet to be concluded.

Clearly, whether one finds the five-year-old GDPR awesome, fearsome or flawsome, ignorance of it or non-compliance with it can indeed be very costly and cumbersome.

India — the churn continues

Besides certain enabling provisions on data protection under the IT (Amendment) Act, 2008, several privacy provisions already exist, albeit applicable to specific situations only. For example, the media are not allowed to publish the names of juveniles in conflict with the law or those of rape victims.

However, public discourse on data privacy predates even the Information Technology Act, 2000. For example, in 1999, I had flagged privacy risks in the context of e-commerce in India, but the real trigger was Aadhaar.

In fact, the government began consultations in 2010, even before the first Aadhaar enrolment, followed by a group of experts chaired by Justice AP Shah in 2012 that did take note of the GDPR (then still a draft).

After the Supreme Court upheld privacy as a fundamental right in August 2017, the Justice Srikrishna committee recommended a draft Personal Data Protection Bill in 2018 that had numerous references to the GDPR, even as it diverged in some respects.

After a round of seeking comments on it, the government introduced the Personal Data Protection Bill, 2019 in Parliament, and it was referred to a Joint Parliamentary Committee (JPC). In 2021, the JPC recommended numerous modifications. Subsequently, the government sought comments on the Digital Personal Data Protection Bill (DPDPB), 2022, a significantly more concise version.

Though much has happened over the past five years, the underlying principles of the DPDPB align with the GDPR. However, it differs significantly in terms of institutional architecture and powers. The concept of ‘deemed consent’ is over-broad, and numerous concerns have been voiced about the exceptions and exemptions for government agencies.

The way forward

Being a major data fiduciary and processor itself, the government must become a role model in the realm of data protection. Hence, an independent and empowered data protection board with parliamentary or judicial oversight is sine qua non. On the other hand, overly prescriptive and severely restrictive norms would stifle innovation and restrict trade by retarding, if not inhibiting, cross-border data flows.

A comprehensive framework for digital governance, however, goes beyond data protection, which is just one piece of the jigsaw, where it must sit snugly alongside frameworks for cyber security, competition, artificial intelligence, etc.

For example, the EU is proceeding with additional instruments such as the Data Act, Digital Services Act, Digital Markets Act and the AI Act.

Indian policies must be cognisant of the social milieu, political economy, technical prowess and market maturity, as well as be compatible with the Allocation of Business Rules, resources and capabilities. Even the proposed Digital India Act may not cover all these aspects. Hence, we first need a comprehensive national framework for digital governance that in turn should guide and inform all other components, including, but not limited to, the data protection law.

The writer is Senior Visiting Fellow, ICRIER. Views are personal