Decision to scrap proposed data privacy law sidesteps rules that threatened the likes of AWS and Alphabet, along with India’s own outsourcing industry
(Originally published Aug. 12 in “What in the World“) India’s decision this month to scrap its Personal Data Protection Bill is a huge win for Big Tech and its customers there. Just don’t expect to hear any audible cheering from Silicon Valley.
Several countries have imposed rules restricting the export of personal data or require that copies remain onshore. China’s Cybersecurity Law has helped the government further isolate the nation behind its so-called Great Firewall. Critics argue Europe’s own General Data Protection Regulation has hurt EU competitiveness and innovation. The fear was that India‚ the world’s second-most-populous nation and largest democracy, might be headed down the same road.
India’s proposed law would, among many other stipulations, have severely restricted the movement of personal data offshore. Concern about the sweeping surveillance powers the bill appeared to give the government helped doom it. The government explained its decision to withdraw the bill by saying it had just become too complicated. It says it’s working on new ways to regulate and protect personal data.
The implications for Big Tech are profound. With nearly 1.4 billion people, India is a major market for their services. Placing restrictions on moving data out of a country like India forces companies to invest in domestic facilities to collect and process that data. That creates costly duplication of their infrastructure and reduces profits gained by pooling that data in larger centers. It also reduces how much tech companies can learn by aggregating the data of vast numbers of customers, generating ancillary income for the likes of Amazon and Alphabet on top of what they earn managing data on behalf of corporate clients.
Perhaps worse, laws like the one India was considering create legal liability that threatens the data outsourcing model. Imagine there’s a breach, either because data is mistakenly lost, moved offshore, or hacked as it sits in servers overseas. If the law holds the company collecting the data responsible, companies will be reluctant to outsource data to a third-party data manager without legal guarantees that offset their own risk. And if the law also holds third-party data managers responsible, they expose themselves to mistakes made by their customers.
India has a lot at stake, too. India is a favored processing center for the data Big Tech generates on customers globally, from financial transactions to medical records. As a result, India is a net importer of data. Limiting the export of its own citizens’ data—combined with potential controls in the bill on how companies could handle data of non-Indians sent to India for processing—stood to isolate the country’s $167 billion business process outsourcing industry. The restrictions also stood to inhibit the ability of India financial institutions and companies to expand the delivery of services to include the estimated 190 million Indians without access to a bank account.
While the economic case against the bill may have seemed a slam dunk, it became complicated by rising nationalism in India and calls for “data sovereignty.” In a nation still sensitive about its colonial past, the rising influence of Western tech giants has become controversial, particularly when social media has been used to foment unrest. Local companies have been able to wrap themselves in the flag to exploit this, enabling them to grab market share and turn erstwhile competitors into minority investors. This also made it difficult for Silicon Valley companies to make an overt case against the bill.
Fortunately, India’s civil society did the work for them.