India is at an important crossroads. On Thursday, the Government of India’s Committee of Experts began the next phase of its deliberations on how to develop a data protection framework to protect the privacy of India’s 1.3 billion citizens, but it must also weigh the practical realities of the need to spur economic growth in the sixth-largest economy in the world. As the expert committee embarks on this journey, its approach to important issues related to the scope of personal data, the legal bases for processing data, and the need to facilitate cross-border data transfers will shape India’s future—and the global economy—for years to come.   

India is not painting on a blank canvas. Indeed, a patchwork of laws, such as the Information Technology Act and various laws in the financial sector, have previously touched on discrete data protection issues. But, in the wake of the Supreme Court of India’s decision in Puttaswamy vs. Union of India, in which the court recognized a fundamental right to privacy, the November 2017 release of the expert committee’s wide-ranging data protection white paper, and the conclusion of the comment period on that initiative earlier this week, the journey to begin crafting a comprehensive framework for India has begun in earnest.

As India charts this new path, key questions will arise. The overarching question is how does India develop a framework that provides meaningful privacy protection while also leveraging the economic benefits of data-driven innovation. And, to be sure, those benefits are immense. Cutting-edge technologies that leverage data analysis, such as artificial intelligence, are expected to increase GDP in several developed economies by more than 30 percent by 2035. As BSA | The Software Alliance’s comments to the expert committee highlight, these advances are enhancing public health and safety, strengthening the security of networks, and enabling startups throughout Asia to reach global audiences, substantially improving every industry sector.

Against this backdrop, the expert committee’s consideration of three key issues will have a significant impact on whether India can both protect individual privacy and seize the economic and broader societal benefits of data-driven innovation.

First, the scope of the information that the data protection law covers should be information that, if misused or compromised, would have a meaningful impact on an individual’s privacy. If the definition of personal data is overbroad, it would unnecessarily restrict the use of data to provide innovative services where there is little risk of harm and fail to appropriately tailor protections to circumstances where they are needed the most.

Second, as the expert committee examines the legal bases for processing personal information, it should recognize the myriad circumstances under which organizations process data for legitimate interests and develop a flexible system that allows businesses to conduct operations and deliver valuable services to end users. In so doing, consent—an important principle embedded in privacy laws around the world—can and should remain a basis for processing data. But it should not be the only basis; nor should it be the primary basis. Instead, India’s framework should take into account the varied, and often complex, scenarios where the legitimate use of personal data arise.    

Third, the framework’s treatment of cross-border data transfers will be critical to its success. The seamless transfer of data across borders is essential for cloud computing, data analytics, AI, and other emerging technologies that underpin global economic growth, valuing over $30 trillion globally. In its white paper, the expert committee itself observed that “the ability to move data rapidly and globally has been a key building block of the global economic order.” As India seeks to construct a framework that provides important privacy protections and solidifies the development of one of the world’s fastest-growing economies, an approach that avoids undue restrictions on cross-border data transfers, such as data localization requirements, will lay a strong foundation for India to become a global leader in privacy and innovation. 

Indeed, the circumstances under which data moves across borders are too many to count, and these global data transfers have become integral to services upon which we increasingly rely. Whether it is a cloud-based human resource management system used by a global organization to transfer real-time data to pay employees located worldwide or conduct performance reviews, software that processes data from around the world to detect and address imminent cybersecurity threats, or real-time mobile data shared to deploy resources in the wake of natural disasters, the transfer of data around the globe is ubiquitous in today’s global digital economy.

A flexible framework that facilitates these data transfers is vital both for India and the global marketplace. Flexibility, however, is not inconsistent with strong privacy protections. On the contrary, this flexible approach enables the application of the principle of accountability—an important touchstone of modern data protection frameworks—to ensure that organizations using data for a wide range of legitimate purposes also protect the data throughout its lifecycle, including when it is transferred across borders.   

As Indian Prime Minister Narendra Modi, who has articulated a vision for “Digital India,” acknowledged last week in his speech at the World Economic Forum, “the biggest opportunities are being created by the global flow of data, and the biggest challenges too.” As the expert committee contemplates which path it will take to achieve its dual mission of growing the digital economy and keeping citizens’ data secure, the flexible approach outlined above will enable it to confront any challenges that arise. At the same time, it will also provide India with the opportunity to demonstrate that privacy and innovation are not mutually exclusive and that India can lead in both arenas.

photo credit: ravalli1 The Taj Mahal. via photopin (license)