SYMBIOSIS LAW SCHOOL, PUNE

TRADE RELATED INTELLECTUAL PROPERTY: INTERNAL I

INTERNATIONAL REGIME OF INTELLECTUAL PROPERTY LAWS

AND ITS IMPORTANCE IN TRADE

NAME: RITIKA CHAUHAN

PRN: 16010126460

DIVISION: E
 INTRODUCTION

In 2018, the Indian government released its draft bill for a new and comprehensive data
protection law. This bill is formerly known as the Personal Data Protection Bill of 2018
(hereinafter referred to as “The Bill”). This draft Bill was introduced in response to the landmark
Supreme Court judgment in KS Puttaswamy and Another vs. Union of India and Ors (2017)
wherein the Apex Court of the country directed the Central Government to enact effective laws
for protection of privacy of individual citizens of the country.

The Indian draft of The Bill draws inspiration from European Union’s data processing
regulations as provided in GDPR1 as well as the California Consumer Privacy Act 2 as enacted in
the United States.

BACKGROUND

India has never had an exhaustive data protection law like the European Union or even sector
specific or harm specific data protection law like in the United States. Until the draft Bill comes
into action, the citizens of India will be governed by Article 21 of the Constitution, the
Information Technology Act, 2002 and the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. In
addition to this, use of data collected by the Central Government under its Aadhaar Program is
governed under the Aadhaar (Targeted Delivery of Financial & Other Subsidies, Benefits &
Services) 2016.

In 2017, a nine-judge bench of the Supreme Court in KS Puttaswamy and Another Vs. Union of
India and Ors recognized ‘right to privacy’ as a fundamental right of the citizens of India, under
Article 21 of the Constitution. It was held that ‘right to privacy’ included within its ambit ‘right
to informational privacy’ i.e. right to protect one’s individual identity that may ascertainable by
any kind of data.3 The Court opined that “privacy permits an individual to lead a life of dignity,

1
Commission Regulation 2016/679, On the Protection of Natural Persons with Regard to the Processing of Personal
Data and on the Free Movement of Such Data, 2016 O.J. (L 119) 1 [hereinafter GDPR]
2
y Lothar Determann, Analysis: The California Consumer Privacy Act of 2018, IAPP ADVISOR (Jul. 2, 2018),
https://iapp.org/news/a/analysis-the-california-consumer-privacy-act-of2018/
3
KS Puttaswamy and Another Vs. Union of India and Ors [10 SCC 1, Supreme Court of India, 2017]
without which the right to life and personal liberty would be meaningless.”4 Justice Sanjay Kaul
also recognized the ‘right to be forgotten’ which entails the right to have one’s data removed
from an information system.

Normally, the fundamental rights of the citizens were enforceable only against the “State” as
defined in Article 13 of the Constitution. However, the majority judges in this case held that the
right to privacy was enforceable not only against the government bodies but also against the
private sector bodies.5

The Supreme Court further directed the Central Government to create a legislative framework
protecting the individual right to privacy that catered to the needs of the global digital economy.

Pursuant to this decision, the Central Government set up the Srikrishna Committee. This
Committee constituted retired Supreme Court Justice Srikrishna as its head, six government
members and three representatives from the industry.6 At the end of its process, the Committee
presented the draft Bill of 2018 along with an explanatory report that was titled “A Free and
Fair Digital Economy, Protecting Privacy, Empowering Indians”7

CRITICAL ANALYSIS

The 2018 Bill is being criticized for multiple reasons. These reasons are discussed below:

1. Lack of public consideration

Firstly, it is believed by many citizens that the bill that is going to be affecting lives of a
majority of citizens of the country has been arrived at without any participation by the
civil society. There are no instances of consideration of the public concern. There is also

4
Ibid.
5
Ibid.
6
Surabhi Agarwal, Justice BN Srikrishna to head Committee for data protection framework, ECONOMIC TIMES
(Aug. 1, 2017, 7:32 PM), https://economictimes.indiatimes.com/news/politicsand-nation/justice-bn-srikrishna-to-
head-committee-for-data-protectionframework/articleshow/59866006.cms.
7
0 COMMITTEE OF EXPERTS UNDER THE CHAIRMANSHIP OF JUSTICE B.N. SRIKRISHNA, A FREE
AND FAIR DIGITAL ECONOMY: PROTECTING PRIVACY, EMPOWERING INDIANS (2018) [hereinafter
Srikrishna Report], available at https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report-
comp.pdf
 lack of transparency when it comes to why the drafting committee of the Bill has
included certain provisions and how they serve the people of the country. 8 There is no
expression of intention by the drafters of the Bill that the data protection laws in India are
to function on collaborative basis with the industry stakeholders and that the same would
be given an opportunity to voice their opinions when the Central Government devises
codes, rules, regulations or standards in future. In the absence of such collaborative
approach, the chances of smooth implementation of this Bill are reduced.9

2. Lack of analysis on potential economic impact

Before the GDPR was introduced by the European Union, the legislation was evaluated
in terms of the potential costs involved for the government and for the individuals as well
as the potential revenue that may be generated by these parties. This enabled the
stakeholders to criticize and appreciate the various provisions of the legislations with
adequate regards for the cost-benefits proposed. However, in the Indian scenario, no such
report was published that discussed the potential benefits of the data protection laws. This
implies that no stakeholder has been able to accurately judge how the Bill impact his day-
today life.10

3. Lack of clarity and consistency

Further, it is believed that the even though the Bill draws inspiration from the data
protection laws of other jurisdictions and from the global digital standards, like the
European GDPR, it lacks the “conceptual clarity and consistency” required for the Indian
digital economy to function at par with the global digital economy.11

4. Lack of clarity regarding categorization of data

Certain issues have been identified in relation to how the Bill categorizes different kinds
of data. For instance, the Bill provides for a category of data known as ‘critical personal
data’. Such data is required to adhere to data localization requirements and is prohibited
from moving across the country limits. Neither the Bill nor any other report by the
8
https://www.latestlaws.com/articles/comparison-of-indias-personal-data-protection-bill-2018-with-eus-gdpr-by-
gurmeet-singh-jaggi/
9
https://www.bsa.org/files/policy-filings/09282018BSACommentsonIndiaDataProtectionBill.pdf
10
https://carnegieindia.org/2019/05/15/will-gdpr-style-data-protection-law-work-for-india-pub-79113
11
https://www.bsa.org/files/policy-filings/09282018BSACommentsonIndiaDataProtectionBill.pdf
 Committee shed light on one is to determine whether one’s data falls within this category.
Similarly, other categories such as ‘non-personal data’ and ‘community data’ are referred
12
to in the Bill without any explanation as to what they entail. It is imperative that laws
such as the data protection laws do not impose legal limitations at the cost of any adverse
impact on the country’s economy.

5. No right to erasure in the right sense

Right to erasure of data branches out from one’s right to be forgotten, as recognized the
Supreme Court decision of K.S. Puttaswamy v. Union of India and Ors 13. Right to
erasure ensures that an individual may request a data fiduciary to completely erase his
data from its database and the same would have to be honored. While section 10 of the
Bill madates data fiduciaries to erase the data of a user once ‘its purpose is serves’, it is a
vague provision that can be easily avoided by making claims that the same is needed for
legal purposes or for maintain records, etc.
“Even if we are to assume that the right to be forgotten provided in the PDP Bill extends
to a right of erasure, and after applying to the Adjudicating Officer, he/she determines
that the personal data should be restricted from disclosure, the Bill provides that the
Data Fiduciary should maintain a record of the data erased by it.”14

6. Wide discretionary powers to the DPA

One of the primary concerns about the Bill have to do with the Data Protection Authority
(“DPA”) and its functioning. A report published by the Srikrishna Committee recognized
that the regulatory capacity and expertise needed to carry out DPA’s functions are not yet
present in the Indian setting. Despite this the Bill grants wide discretionary powers on the
DPA that have the potential to adversely impact the business environment of the country.

7. Threat to independence of DPA

Furthermore, the Central Government has been empowered to issue directions to the DPA
such that these directions would be binding on the DPA. These directions would even be

12
https://www.bsa.org/files/policy-filings/09282018BSACommentsonIndiaDataProtectionBill.pdf
13
Supra
14
http://rsrr.in/2019/02/10/personal-data-protection-bill-2018-is-it-a-right-to-be-forgotten-if-its-just-being-archived/
 outside the purview of judicial review. This is a clear threat to the independent
functioning of the DPA as envisaged under the Bill.15

8. Issues regarding data localization

An Indian think tank, known as Cuts International has recently pointed out that unless
adequate preparations are made and proper accountability measures are established, the
2018 bill leaves a high scope for “privacy violations, data breaches and cyber-attacks”. 16
According to its report titled ‘Consumer Impact Assessment of Data Localization’, it is
believed that the data localization norms as provided in the 2018 bill facilitate creation of
a “honeypot of consumer data” at a single location. This means that those wishing to
access data, especially consumer data, by illegal means need only figure out how to
breach one location where all data is localized. If this location is breached once, all the
data will be available to the hackers at once. The study recommends that unless that
unless the concerned authorities are fully equipped to combat data hacks and cyber-
attacks and have established an effective and efficient grievance redressal mechanism.
Data localization should not be forced upon.

Another interesting point brought forward by this report is that data localization may lead
to enhanced costs for service providers in India as they would be required to set up data
centers in India. It is possible that many foreign small scale service providers that only
had a virtual presence in the Indian market or were considering entering the Indian
market withdraw on account of these additional costs.

9. Issues concerning specific processing of data

The 2018 provides that while processing data for purposes of law enforcement, legal
claims, state security or journalism, exemptions may be granted from compliance
requirements under the Bill. However, the Act does not provide safeguards against
infringement of the fundamental right of privacy of individuals when referring to such
specific type of processing. For instance, ‘need for a legal basis’, ‘remedies for individual
for breach of right to privacy’, etc. can be provided as safeguards.

15
https://elplaw.in/leadership/european-commission-comments-on-personal-data-protection-bill-2018/
16
https://www.financialexpress.com/industry/data-localisation-may-cause-cyber-attacks-hurt-privacy-business-
competitiveness-says-think-tank/1827985/
 CONCLUSION

“…The specific design of institutional choices that India adopts for data protection is likely to
have a significant impact on India’s economy. These consequences could be direct (such as
increased compliance costs) or indirect (the potential stifling of innovation, and overall
productivity losses).”17

In order to increase the chances of smooth implementation of the data protection laws in India,
the MeitY should consider providing clarity on the underlying principles which the drafters of
the Bill have relied upon. The Central Government must make all attempts to diffuse uncertainty
around the Bill so as to avoid any adverse impact on the digital economy of the country as well
as on the potential of future investments in the country.

It is essential that the Bill is reconsidered by the MeitY, not from the perspective of how strong
the law is but from the perspective of how it helps out the people of the country. The Central
Government must focus on modelling the data protection laws of the country in such a way that
an individual Indian is in integration with the global digital economy. An integrated approach to
the data protection wherein all related needs of the stakeholders are addressed is needed at this
hour.

It is also suggested that data localization norms should be relaxed so as to avoid enhanced costs
for the service providers. Restricting movement of personal data beyond country borders serves
no purpose with respect to data protection. The Central Government must assess the impact of
restricting cross-border movement of data on employment, jobs and small businesses from the
perspective of a developing country.

Further, in order to ensure that the DPA operates in a “fair, transparent and predictable” manner,
the Central Government should reduce the extent of discretionary powers awarded to the
authority under the Bill. The Bill must also be reconsidered to ensure clear bifurcation of liability
between data fiduciaries and data processors.

17
European Commission, “2018 Reform of EU Data Protection Rules,” Text, European Commission, accessed
March 7, 2019, https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-
reform-eu-data-protection-rules_en.
The MeitY must also consider the approach of incentivizing rather than interfering. For instance,
the Bill may provide an exemption from notifying breach requirements under it in cases the data
fiduciary can produce evidence that adequate security and encryption measures were
implemented to maintain the security of the data.

Lastly and most importantly, it is suggested that an individual data subject under the Bill should
be given the right to erasure i.e. the right to have a data fiduciary completely erase one’s data
under circumstances such as withdrawal of consent, unlawful processing, etc.

REFERNCES AND BIBLIOGRAPHY