Personal Data Protection Bill: Will It Lock Out Competition To Big Tech?
It would be a tragedy for government to stifle Indian startups in a bid to protect Indians from entrenched foreign monopolies.
India’s Personal Data Protection Bill, 2019, which is being examined by a Joint Parliamentary Committee, is the rare Indian law aiming at extra-territorial enforcement. As per Clause 2 of the Bill, it applies to not only data collection and processing within India but also to the collection and processing of data, from India, by overseas entities. This would mean that all foreign data companies offering services to Indian citizens would have to expressly comply with the proposed Indian data protection law. This would mean changing their existing contracts and software to comply with Indian law.
As of now, all Indian users who use Google, Facebook, and WhatsApp enter into contracts with these companies under American law with a dispute resolution clause that requires them to arbitrate disputes with these companies in California! Even Tik Tok’s user agreements with users are governed by Singaporean law with a dispute resolution clause that requires arbitration in Singapore. Most users do not even know they are giving up their rights under Indian law when they agree to use these services. Once the new law is enacted, these companies will have to change the terms of their user agreement and they will have to spend a significant amount ensuring compliance.
However, let us presume that some of the smaller and mid-sized foreign data companies decide that the value of the Indian market does not justify the cost of complying with Indian law—and the penalties that follow—especially provisions like data localisation. Can these companies still make available their applications on marketplaces like Google Play Store for Indian citizens to download?
There are likely to be countless Indian citizens who are willing to access such applications even if it means giving up their rights under the proposed data protection law.
Can the proposed Data Protection Authority take action to block such applications or order marketplaces like Google Play Store to not offer such applications to Indian consumers because they violate an Indian data protection law?
From a simple reading of the law, it would appear that the DPA could request the central government to block such applications or websites under Section 69A of the Information Technology Act, 2000, for violating Indian law.
How Companies Are Likely To Adjust
From a policy perspective, the trade-off for India is the choice between protecting privacy rights at any cost and potentially blocking foreign competition to the largest foreign data companies like Google, Facebook, WhatsApp, and Tiktok that already enjoy a near-monopoly status in their respective areas. It should be remembered that in the tech world, competition can be rapid with small startups outgrowing their bigger rivals in a matter of a few years. Such growth, however, takes place only if these startups have access to markets. Would Facebook or WhatsApp have entered India in their startup days if they had to comply with a law like the draft PDP?
The PDP Bill does provide for a ‘regulatory sandbox’ that relaxes the data protection law for new technologies but it is likely to require a fair amount of paperwork with the regulator and can be enforced only for 12 months. Foreign startups are unlikely to bother themselves with the process given the paperwork and the rather short time-frame of 12 months.
It is, therefore, possible that the existing big data companies will cement their monopolies in India post the enactment of the data protection law and Indian citizens will be denied access to new applications and services.
Skewing The Playing Field?
An equally pertinent question is whether Indian startups, which are required to comply with the heavy requirements of the PDP Bill, will be able to compete with their foreign counterparts who are unencumbered by the baggage of the many requirements and uncertainties under India’s proposed data protection framework? How will this impact long-term innovation by Indian startups in the field of artificial intelligence where data is the raw fuel for innovation? On innovation, will American and Chinese data companies—who have fewer compliance costs and legal risks—outstrip Indian firms complying with the PDP law and European ones that follow the EU’s General Data Protection Regulation? What are the long term implications for the Indian economy?
Also, is it fair to expect Indian startups to compete with existing monopolies that grew and flourished in an ecosystem where they were not restrained by data-protection laws?
While it is always difficult to predict digital markets, it is well accepted that regulation, especially by the Indian bureaucracy, has a way of undercutting innovation and that the lack of innovation will result in lesser competition for the entrenched monopolies like Google, Facebook, WhatsApp, and Tiktok. At the very least, the government should have conducted a competition impact assessment of the proposed law before introducing it in Parliament. This was all the more important in light of the fact that the Justice BN Srikrishna Committee, which drafted the white paper on the data protection law, did not have as a member a single economist or competition law expert. In fact, the word ‘competition’ hardly gets a mention in the final report of the committee.
The Way Forward
It would be a tragedy of sorts for the Indian government to stifle Indian startups in a bid to protect Indians from entrenched foreign data monopolies. There are two solutions.
The first is for the Joint Parliamentary Committee scrutinising the bill to reject it with instructions to the government to split the bill into four smaller legislations:
- one for financial data,
- one for protecting health data,
- one for government data and lastly,
- one for all other data collected by the private sector.
The standards of data protection for the first three should be much higher than the fourth because they deal with sensitive data. The fourth bill should be drafted to ensure competition and innovation are well balanced with data protection. Parliamentary committees in the past have significantly amended bills and even rejected them on occasion.
A second, more workable solution is to rework the existing bill to ensure that the data protection law applies only to data companies that reach a particular threshold thereby automatically keeping out startups and mid-size companies until they reach the threshold. The existing draft of the bill already creates a three-tier structure by imposing different obligations on “significant data fiduciaries”, startups who qualify for the regulatory sandbox and the rest of the industry.
Ideally, only significant data fiduciaries should be subject to regulation under the proposed bill.
This would basically mean amending the existing draft of the law to do away with the default system of the law applying to all data companies.
The next decade is about building the foundations of a data economy and powering the first generation of artificial intelligence programmes. There is nothing like a heavy-handed law to kill a sunrise industry in India. This, of course, should not distract from the need to regulate, with a heavy hand, the shenanigans of big data incumbents, especially those from Silicon Valley.
T Prashant Reddy is a Bengaluru-based advocate and co-author of ‘Create, Copy, Disrupt: India’s Intellectual Property Dilemmas’.
The views expressed here are those of the author, and do not necessarily represent the views of BloombergQuint or its editorial team.