Future of Data Privacy Laws in India: Building a Rationalized

Framework for a Digital Economy

Introduction - The Indian digital ecosystem would be able to account for one fifth of the
national aspiration to become a $5 trillion dollar economy by 2024-25, provided the sector
accelerates on skilling and product management capabilities, and data privacy laws are framed
and a rationalized framework is built to avoid any conflict of interest. Data protection seeks to
balance the benefits and the risks of personal data processing so that individuals have
confidence that their data is collected and stored safely and used solely for legitimate purposes.
Data protection legislations typically require personal data processing to be lawful, limited,
transparent, accurate and secure. They often seek to protect individuals’ privacy and grant some
control over how their personal data is processed. They also establish institutions with powers
to conduct investigations and enforce obligations. A strong data protection framework provides
certainty which may encourage investment, competition and innovation in the digital economy
and uptake of digital government and private sector services.1

Data Privacy Laws in India - At present there is no law specifically regulating data privacy
regime in India. However, the Information Technology Act, 2000 (the Act) and rules notified
thereunder largely govern data protection in India. In August 2017, a Constitutional Bench of
nine judges of the Supreme Court of India in Justice K.S.Puttaswamy (Retd.) v. Union of India2
upheld that right to privacy is a fundamental right, which is entrenched in Article 21 [Right to
Life & Liberty] of the Constitution. This ultimately led to the formulation of a comprehensive
Personal Data Protection Bill 2019 (the PDP Bill). The enactment of the PDP Bill will overhaul
the personal data protection regime in India. Until such time, the Act and rules provided therein
govern data privacy regime in India. The PDP Bill is currently pending in consideration of the
Indian Parliament and may undergo significant changes to its current form, based on a report
submitted by a Joint Parliamentary Committee formed to analyse the PDP Bill. The PDP Bill
is expected to come into effect in early 2023. The Indian authorities want to bring the country’s
data protection law in line with international best practice, with the European Union’s General
Data Protection Regulation (GDPR) as the preferred model. Hence, the prima facie similarities
between the draft bill and GDPR are no surprise.
Rationalized Framework: Meaning and need - Corporates in India are now stressing about
building a Rationalized Framework for effective regulation but what exactly a rationalized
framework means and why is it so important in Data privacy Regime. Let us understand this
while answering another question - Whether a multinational corporation headquartered in
Germany and providing services in India be liable under Indian Data Privacy Law or the GDPR
for a data breach? To answer this question, we need to compare the provisions of both the
acts and see which law has more stringent provision with regard to the relevant breach, for that
law will apply. This comparison of Laws is done to ensure compliance of data privacy
legislation of one country without violating the legislations of other countries. This method is
loosely based upon the doctrine of Harmonious Construction. The Doctrine states: "Whenever
there is a case of conflict between two or more Statutes or between two or more parts or
provisions of a Statute, then the Statute has to be interpreted upon harmonious construction.”

Data privacy and protection should be priorities for every business, large or small, regardless
of sector or geographic location. Data collection is now a critical component of all business
operations, whether it is client data to perform a simple service or enterprise data to ensure
operations of critical infrastructure. In today’s operating environment and with the continued
expansion of the digital economy, data are a critical corporate asset. Despite the functionality
and importance of data, it is difficult to encourage businesses to protect data on their own. 3
Hence, building a rationalized framework becomes need of the hour as a growing digital
economy like India enacts a legislation dealing with Data Privacy.

Challenges and the Way forward – The provisions of the Data Protection Bill, 2019 are very
similar with the provisions provided under the GDPR. The European legal system governing
data protection issues is widely regarded as an adequate blueprint for late developers to follow.
According to this position, host countries will benefit from receiving the ready-made data
protection law because it has already gone through a process of trial and error in Europe.4 From
an Indian perspective, our country is going to enact a similar law following the tone of Europe
in order to enhance the efficiency of data protection. But is this a compelling position? Will
European data protection laws indeed regulate unambiguously and prospectively? Will
European data protection laws provide clear guidance to Indian judges for resolving data
protection-related cases? And will the court-enforced laws sufficiently solve the broad
spectrum of problems on data use? Understanding the European enforcement mechanism
covering data protection issues, and assessing its efficacy on deterrence, is vital to answering
these questions. Hence, Compliance with the legislation and the regulations framed under it
remains a challenge for future.

Conclusion - Given the current dynamic and constantly expanding scenario in India, which is
replete with challenges, increasing foreign investments and economic growth in an ever-
expanding digital era, there is an unprecedented need to enact privacy and data protection laws
and standards in line with global laws which are tested and already in place. The lack of
comprehensive legislation, while a matter of concern, has been offset by recent initiatives by
the industry, the public and the government. These initiatives seek to bring in the needed legal
framework while complementing the existing regulations and the proactive opinions and to
stand by the judiciary to ensure defaulting entities are held accountable for not adequately
protecting personal data. It behooves companies seeking to establish business in India to adhere
to the local laws especially in the context of the increasing sensitivity of the Indian legal system
towards data privacy concerns.
 Endnotes

1
Brief: The role of data protection in the digital economy, UNCDF Policy accelerator,
https://policyaccelerator.uncdf.org/policy-tools/brief-data-protection-digital-economy (2020).
2
Justice K.S.Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1.
3
Data Privacy and Protection, Kiersten E., The Cyber Defense Review, Vol. 4, No. 2, p. 02, Army Cyber
Institute (FALL, 2019).
4
Incomplete Data Protection Law, Kunbei Zhang, German Law Journal, Vol. 15, Issue 6, p. 01 (October, 2014).