India’s Proposed Digital Governance Framework

Back to the Future: India’s Proposed Digital Governance Framework

A first draft of the proposed Digital India Act (“DIA”) may be ready by June for public review, while a corresponding bill may be introduced before parliament soon thereafter, pursuant to industry feedback. Meanwhile, further to consultations between the Ministry of Electronics and Information Technology and select stakeholders across Bengaluru, New Delhi, and Mumbai in March and May 2023, the following principles appear likely to define the main thrust of the new law: (1) an open internet, (2) online safety, (3) a revised intermediary framework, (4) the regulation of new technologies, (5) non-personal data sharing, and (6) limited (or no) safe harbor.
This note, the third of S&R Data+ – a multipart series on data governance focused on personal and non-personal information – discusses these principles with respect to the DIA.


India’s digital governance framework

India’s Proposed Digital Governance Framework: Past Developments and Present Status

This is the second note of S&R Data+, a multipart series on data governance focused on personal and non-personal data, including with respect to their separate regulatory, legal, and commercial implications. The previous note summarized India’s existing data protection framework and provided an overview of India’s legislative trajectory in that regard. Here, we provide a snapshot of the gradual build-up to India’s proposed digital governance framework, including by analyzing past trends which have led to present developments.
While a recent flurry of legislative and policy activity promises to transform the country’s digital future, two landmark laws with respect to digital personal and non-personal data, respectively, may attain concrete shape by the end of 2023 itself – thereby replacing India’s existing data protection framework under the Information Technology Act, 2000, as amended, along with its allied rules.
While recent reports suggest that India’s current draft of the Digital Personal Data Protection Bill, 2022 is likely to be tabled before parliament in the month of July (as potentially revised pursuant to stakeholder comments), a proposed ‘Digital India Act’ has simultaneously gathered consultative traction – further to which a draft bill is expected around the same time. Thus, July 2023 promises to be a significant period for the country’s future.
Later in the series, we will examine the possible impact of such present developments on the shape of laws to come.


Personal and Non-Personal Data

Personal and Non-Personal Data in Digital India: Before and After

Over the past few years, the ripple effects of GDPR and the EU’s wider data governance regime have spread to, and influenced, the rest of the world – including India – especially with respect to the latter’s ongoing efforts to overhaul its domestic data protection framework. Furthermore, certain recent developments, involving key legislative and policy interventions, promise to fundamentally transform the country’s digital future, much like Europe’s. For instance, by the end of the year, two far-reaching laws – a ‘Digital Personal Data Protection Act’ (“DPDP”) and a ‘Digital India Act’ – may both reach fruition with respect to digitized personal data and non-personal data, respectively.
However, major gaps persist when it comes to distinguishing between the two. This distinction has assumed additional importance today for India – poised as it is on the cusp of a new governance architecture, replete with consequences related to collection, consent, processing, storage, protection, breach, exploitation, sovereignty, ownership, and localization. Accordingly, it is time that the unique techno-legal challenges and opportunities connected with personal and non-personal data, respectively, were separately examined – including to analyze their discrete regulatory requirements and commercial scope. At the same time, paradigmatic boundaries within the personal/non-personal continuum have increasingly blurred on account of the rising use of mixed datasets and de-anonymization techniques, the regulation of which has demanded urgent governmental attention.
In light of the above – ‘Data+’ – a special multipart series on data governance, will focus on analyzing personal and non-personal data separately while exploring the various legal, business, and regulatory issues associated with the two – including with respect to certain extraordinary innovations proposed under DPDP relative to GDPR, such as in respect of ‘deemed’ consent; sensitivity, volume, and harm; and relatedly, ‘significant data fiduciaries’. This note – the first of this special series – is divided into two sections. In Section I, we provide a brief summary of whether, and how, India’s existing data protection framework addresses the definitions of, and the distinction between, personal and non-personal data, respectively. In Section II, we provide an overview of India’s staggered legislative trajectory in this regard. Further into the series, we will analyze India’s proposed digital governance paradigm, including with respect to differences between personal and non-personal data.


Data Embassies

Readying the Law to Host ‘Data Embassies’ in India

Consistent with India’s stated aims of becoming a data storage and cloud computing hub, as the country seeks to encourage foreign governments and businesses to establish ‘data embassies’ at Gujarat’s GIFT City, a bespoke policy may soon be formulated along the lines of Bahrain’s cloud law, as well as for the purpose of defining a ‘data embassy’ appropriately such that its underlying and/or associated infrastructure qualifies for diplomatic protection under international law. Alternatively, such entities could be instrumentalized through customized bilateral agreements that re-interpret the Vienna Convention (like Estonia and Monaco signed with Luxembourg in 2017 and 2021, respectively) in respect of granting regulatory immunity to potentially both personal and non-personal information (as if it were physical premises), including with regard to non-sovereign commercial digital databases.
Clause 17 of India’s current draft of the Digital Personal Data Protection Bill, 2022 (“DPDP”) permits digitized personal data to be stored overseas, albeit at locations that satisfy the government in terms of political and protectional adequacy. In that regard, a revised iteration of DPDP (or rules framed thereunder) may subsequently include the principle of reciprocity in a way that foreign state or private entities are able to use local cloud ecosystems through state-of-the-art data centers located inside an Indian SEZ, including for the purpose of storing copies of critical government or business information for continuity, backup, and/or recovery-related reasons – in case the main servers back home get compromised – including on account of sustained denial-of-service attacks, a natural disaster, full-scale military invasions, or any other national emergency. 
Nevertheless, since DPDP deals exclusively with digitized personal data, if India’s data embassy policy envisages the storage of non-personal information only, it may need to rely on a different legislation – such as the proposed Digital India Act. Meanwhile, although certain Tier 3 and Tier 4 data centers with business continuity and disaster recovery functions are already operational at GIFT City, data embassies may require a new approach by leveraging diplomatic agreements bolstered by cloud technology solutions. Accordingly, India may want to develop a separate legal framework for the purpose of being perceived as a reliable host with respect to sensitive foreign databases.
With this background, this note examines how countries and companies (especially vulnerable and/or at-risk ones) that want and/or need digital continuity solutions may evaluate available options – given policy, legal, and logistical constraints in this regard.


Data Centres in India

Data Centres in India: Opportunity and Incentives

In the backdrop of India’s growth story as a major IT-ITes hub in the last two decades, the Indian data centres industry is now emerging as the next attractive opportunity for investors and developers.  The demand for data centres in India is being driven by the need for data storage given the Government’s Digital India and data localization policies, increased data consumption and 5G roll-out which is expected to enable adoption of data intensive technologies such as internet-of-things (IoT) and artificial intelligence (AI).  The proliferation of data centres in India has also created growth opportunities in various sectors of the Indian economy, including real estate, manufacturing and renewable energy.
While the draft national data centre policy is yet to be implemented, various Indian states have adopted their respective state data centres policies to attract private investment in this capital and technology intensive sector.  In this article, we compare the incentives offered under data centre policies adopted by certain Indian states which have received major investments in the data centre sector.


EU law

EU Law: Is Your Industrial Data Yours Alone?

Since data-dependent markets have high levels of concentration and entry barriers, EU policymakers have been trying to enhance business-to-business (B2B) and business-to-government (B2G) data sharing since 2020. In addition, the EU hopes to ramp up data access through collaborative cloud infrastructures. Despite GDPR, many recent EU legislations have focused on removing barriers to the free flow of data. Although existing EU laws, such as those related to digital markets and services, include newer rules, the obligation to ensure compliance falls primarily on gatekeepers and large providers. Moreover, it does not create portability between cloud service providers (CSPs). Likewise, the EU’s Data Governance Act, which promotes voluntary data-sharing, does not apply to CSPs. It is in this context that the European draft Data Act (DDA) facilitates switching between CSPs and other data processing services. Further, the DDA puts in place safeguards against unlawful international data transfers by CSPs. In addition, it imposes obligations on data holders to make their information available without discriminating between comparable categories of data recipients, including in respect of partner or linked enterprises.


digital markets

Digital Markets Must be Defined Well for Competition Regulation

The rise of the digital sector has presented unique challenges for Indian regulatory authorities, including the Competition Commission of India (“CCI”), thanks to significant differences in the way such markets operate compared to traditional markets. There is growing demand, worldwide and in India, to hold digital platforms responsible and accountable for adverse impacts caused by them. A preliminary step involved in such probes is that of defining a ‘relevant market’ within which such digital platforms operate. This note analyzes the CCI’s approach on defining a ‘relevant market’ in the digital sector so far, and the need of the hour in terms of considering all substitutable and interchangeable products or services while defining such markets.


data centers in india

Legal Considerations for Investments in Data Centres in India

With the continuing focus on digitisation accelerated by Covid lockdowns and rising demand for sustainability and green goals, there is an increase in activity relating to data centres for operators and investors as well as policymakers and regulators. In order to attract investment in data centres in India with a vision “to make India a global data centre hub”, the new Government policies intend to provide various incentives and exemptions to promote data centre industry growth. In the recent past, several multinational and domestic companies have set up data centres in India. Given the focus on data localization, there appears to be significant potential for growth for the data centres industry. In this background, the Government’s move to grant ‘infrastructure’ status to data centres and introduce a national data centre policy are welcome measures which will promote investments in data centres in India. In addition, two other policy initiatives announced in the budget speech which are expected to incentivize data centre investments are the 5G spectrum auction and the widening footprint of optical fibre.


Data Protection and Competition Law: Developments and the Way Forward

In the last decade the digital sector has witnessed tremendous growth – while this has given rise to new business models, opened up new markets, and unlocked significant efficiencies, it has also raised concerns that tech giants may use the excessive amounts of user data they hold, to influence digital markets to their advantage. However, there are also apprehensions regarding the use of competition law (instead of privacy and consumer legislations) to address such concerns. This note provides a brief overview of the existing legal framework on data privacy in India, analyses the CCI’s decisional practice in this regard, and suggests an appropriate way forward for the CCI on this matter.


Regulating Big Data: Contextualising CCI Probe into WhatsApp’s Privacy Policy

The CCI’s recent order directing an investigation into WhatsApp’s privacy policy provides us with the opportunity to look at how competition regulators, both in India and abroad, have sought to regulate data collection and sharing. There are multiple concerns to be balanced in this process – the ability of businesses with large data sets to better serve customers, entry barriers to new business with access to comparatively smaller data sets, and increased consumer dependency on a limited set of players. The CCI’s recent order could be indicative of its recognition of these concerns and its intention to take a more interventionist approach where it believes that user data is being exploited in a manner that creates entry barriers or otherwise adversely impacts competition or consumers’ interests.