Link to article
The making of techno-commercial laws in India is often devoid of strong conceptual underpinnings. This is partly because the starting point for all legal drafting in the country is similar—we want to get the best of all worlds without any hint of compromise. Consequently, we end up with muddled outcomes that serve niche interest groups and confuse the rest. Additionally, as lawmakers pretend to be acutely attuned to local market realities, they also tend to characterize unclear outcomes as necessary instances of Indian exceptionalism. An aspirational India, with all its structural infirmities, often forgives them. However, the digital economy is less forgiving. Bad laws will be put to test and found wanting in much shorter feedback cycles.
In this context, much has been written about the draft Personal Data Protection Bill, 2018, and the accompanying explanatory report authored by the Justice Srikrishna Committee. To its credit, the committee has, prima facie, adopted a strong conceptual lens in both documents that seems to follow from the Supreme Court’s directions to ensure that individuals enjoy their informational privacy online. It has, therefore, proposed that the relationship between companies and individuals on the internet is akin to a fiduciary relationship. Users or consumers of internet services are called “data principals”, and data controllers or online businesses that provide such services have been deemed “data fiduciaries”. Although this seems like a robust point of departure for a framework determined to overcome the pitfalls of nebulous privacy policies, the conceptualization is riddled with several challenges which indicate that past mistakes are being repeated.
First, the framing of this intimate relationship between users and service providers was not part of wider stakeholder consultations. Unfortunately, this characterization of the relationship has a distinct irreversibility attached to it. Subsequent consultations, if any, are unlikely to revisit this central premise.
Second, the framing is also applied incorrectly. The committee borrows the concept from US constitutional scholar Jack Balkin’s work on “information fiduciaries”. According to this original theory, not all data controllers can be characterized as information fiduciaries. Only businesses with a wide scope of impact on society like social media companies, search engines and online transport aggregators, are classified as fiduciaries. Such a distinction feels intuitively correct, as common law equates fiduciary obligations with the highest standards of care. In contrast, the implication of the committee’s overbroad interpretation is that any business looking to scale digitally must invariably attract heightened fiduciary obligations.
Even if a reinterpretation of this concept is warranted under the premise of Indian exceptionalism, it should be explained. Instead, the Bill conveniently uses “data fiduciaries” as an umbrella term that has led to absurd outcomes. For instance, the Bill classifies all financial data as “sensitive personal data”. Sensitive personal data is the most intimate class of data associated with individuals in data protection laws globally. This is why 67 out of 68 countries studied by the Data Security Council of India do not categorize their financial data as “sensitive”. This is partly because such an interpretation can stymie innovation by restricting usage. In India’s case, financial innovation such as credit-scoring based on financial data can enhance key objectives like financial inclusion. Clearly, an overbroad conceptual underpinning has skewed important provisions.
In the committee’s defence, Balkin has himself proposed that countries can leverage his information fiduciary theory for law-making. The committee has taken this recommendation very seriously, at the expense of other recommendations. For instance, Balkin recommends a system wherein self-identified “information fiduciaries” can voluntarily accept greater responsibilities in exchange for economic incentives or legal benefits. For this, he proposes an approach akin to “safe-harbour” frameworks, which afford digital intermediaries fewer liabilities on complying with prescribed safeguards. India must begin to adopt similar nuance and flexibility in all techno-commercial frameworks, to provide an enabling environment for investments and growth.
Third, even if the fiduciary framework is conceptualized incorrectly, it stands to reason that the re-imagined concept must at least be applied consistently. In this connection, the committee’s normative push towards “data localization” warrants scrutiny. A natural corollary of the fiduciary obligation would be the expectation that businesses handle personal data in a manner which upholds basic security principles of confidentiality, integrity and availability. Towards this end, digital businesses tend to distribute data in disparate locations. This reduces concentration of risks in a single geography. However, with localization restrictions, cross-border data flows are artificially restricted, hampering such hedging operations. Therefore, in this case, the committee inadvertently undermines the fiduciary relationship and increases risk.
The committee also mandates exclusive localization of “critical personal data”, a class of data that is so strategic that the committee has left it to government to define. In a strange twist, this important data will in effect be made the most vulnerable to “single point of failure” risks that arise from concentration of data.
India’s new economy is hostage to old mindsets. The architects of our laws still value convenience over conviction and discretion over transparency. Some of this will change as consultations become more inclusive. But real change will only come with a fearless embrace of the future. For now, domestic consultations are reminiscent of global governance conversations, where India is often called in to complain once the conceptual basis for international rules are already established. It seems for the state, there is no irony in bringing this hypocrisy home.
Vivan Sharan and Sidharth Deb are technology policy experts based in New Delhi.