Data is the currency of the digital economy. The ability to move data freely across borders would be key to India’s competitiveness at the international level and will be pivotal to the development of India’s ICT sector. India’s economy has benefitted greatly from the increase in connectivity brought about by market liberalization and the growth of India’s IT and BPO industries. Now, as India seeks to achieve leadership in areas such as cybersecurity, Internet of Things (IoT), cloud computing, and artificial intelligence, it is essential to enable flexible approaches to the use of data and cross-border data flows. The Government should be mindful of the fact that a restrictive data protection framework could put the economy at risk, disrupting not just IT but every industry that depends on information flows.
Moreover, an overly prescriptive framework will drive up the costs of doing business in India and create entry barriers for SMEs and entrepreneurs, many of who hold the solutions to India’s socio-economic challenges such as ICT penetration, and access to healthcare facilities and education. Over-regulating the market could interfere with the freedom of commerce guaranteed under the Indian Constitution; dis-incentivize competition, investment, and trade; and create unreasonable obstacles for business. While developing the data privacy framework for India, policymakers should therefore give due consideration to consumer benefits, business innovation, and the country’s economic growth.
The U.S.-India Business Council (USIBC) supports a light-touch privacy framework that is balanced, flexible, globally interoperable, and which allows the free movement of data, but more importantly, protects the citizens. The framework should allow for risk-based solutions that consider both the nature and the purpose of the data being collected. Developing such a privacy regime will require a judicious and thoughtful approach that draws on the best global privacy principles while continuing to work within India’s existing legal structure.
Help, should it be needed, is at hand. The Organization for Economic Cooperation and Development (OECD) and the Asia-Pacific Economic Cooperation (APEC) have laid out useful principles on privacy, and APEC the Cross Border Privacy Rules (CBPR) offers a forward-thinking implementation models that protect privacy and facilitate the cross-border transfer of data and connectivity that underpins modern economies. Five nations have joined the CBPR system — Canada, Japan, Mexico, South Korea, the United States – with a pending sixth application from Singapore. The Indian government could draw from APEC guidelines and regulatory experiences of states with similar economic and developmental positions to India’s own, and develop a framework which suits its own unique requirements, culture, and economic aspirations.
USIBC suggests that India’s policy framework should be based on three broad guidelines:
a) The privacy regime should outline an overarching set of norms that apply horizontally across different industries and data-processing activities, rather than have numerous regulatory bodies regulating different industry sectors. Such a framework could also be tailored in limited circumstances to apply special protections to sensitive data, as needed.
b) The new privacy regime should ensure compatibility and portability with emerging global norms to develop an Indian jurisprudence that integrates India into global digital global markets. India should, therefore, avoid laying out restrictive models, norms, or prescriptive measures that could stifle innovation, sub-optimize economic benefits, and digital commerce. Global standards should be leveraged to the fullest extent practicable before the Government considers adding other data protection obligations.
c) The privacy norms should allow digital innovation and enable India to maintain its leadership in the global digital economy without impeding the free flow of data. USIBC recommends the Indian Government consider adding the topic of “privacy” to the US-India ICT Working Group (ICTWG) to ensure compatibility of the two countries’ privacy regimes. Approaches to privacy must remain collaborative, flexible, and innovative over the long term. This will enable solutions to evolve at the pace of the market while meeting the needs of the nation and its people.