India has become the growth market darling of the world, with a digital economy on track to reach a 1 trillion US-Dollar valuation by 2022. But it is not clear which path Narendra Modi’s government will take in pursuit of that lofty valuation. Will India go the way of Europe or China? Internet users in India – and companies wanting to do business there – are now asking themselves that question. The clues in our opinion are contradictory. Even as the world’s largest democracy considers implementing strong user privacy protections, along the lines of the EU’s general data protection regulation, the government has also proposed Chinese-style rules to exert control over India’s data and proactively surveil and censor its web users. While businesses around the world are familiar with GDPR, comparatively little attention has been paid to India’s proposed data protection law. If passed, the bill would reshape the relationship between 1.3 billion Indians and the companies and government actors to whom they entrust their data.
The bill was born out of legal challenges to India’s controversial biometric ID project, Aadhaar, which the government has pushed to make mandatory. As Indians were forced to link their biometric identity with everything from their mobile phones to their bank accounts and access to food rations, the lack of any meaningful privacy safeguards in law became increasingly untenable. In response, the government set up a committee led by former Supreme Court Justice B N Srikrishna to draft India’s first data protection law. The resulting bill, which has yet to be introduced in parliament, takes a European approach. Companies and the government must generally abide by EU legal principles, which require data to be processed only for a specific purpose, using only the data necessary. The data must be deleted once the purpose is achieved. Like the GDPR, this law would apply to all entities, everywhere, that process Indian’s data. If passed, it would position India as a global leader in users’ rights, on a par with Europe.
Yet, in other areas, India seems to be following the Chinese playbook.
Recently, the government put out a draft ecommerce policy arguing that the personal data of Indians should be treated as a “national asset”. It pushes for government access to the source code and algorithms used by foreign companies. And even the otherwise progressive data protection bill includes a mandate to force all public and private entities that process Indians’ data – including foreign companies – to store a copy of all personal data in the country.
The Modi government has also sought to expand the state’s surveillance powers, issuing a notice at the end of last year empowering 10 government agencies to monitor, intercept, and collect data from any computer. In December last year, new rules were proposed forcing all internet companies to surveil their users and deploy filters to censor any content that the government considers unlawful, indecent or immoral, or which constitutes, “defamation”. If that wasn’t enough, these rules would require all online companies with more than 5 million users in India to incorporate there and set up a permanent office in the country.
India should beware such tactics. While some Chinese companies flourished with the help of the state’s micro-management of the economy, it has also limited their ability to expand into other markets and made it difficult for foreign companies to grow in China. Adopting the same approach would in our opinion harm the Indian economy, killing innovation, imposing barriers on Indian companies’ growth in other markets and hindering foreign investment. The European model, by contrast, offers a compelling path to economic growth. The European model, by contrast, offers a compelling path to economic growth. If the EU were to determine that India’s data protection law offered adequate protections on par with the GDPR, data and services could flow freely between Europe and India, creating the largest addressable market in the world. At the same time, companies that are already GDPR -compliant would easily be able to invest in India and process data there, without the need to design and maintain a separate system.
The Indian government has a simple choice to make. It is difficult to see how the country can abide by its constitution, protect the privacy of its citizens and create the greatest possible economic opportunity, while at the same time dramatically expanding the surveillance and censorship infrastructure of the state. If India is to be a model to the world, it must look to Europe, and take action to protect the privacy and free expression of all its inhabitants.