Source: Ideas and Institutions | Issue #37
Analysis
Data Protection in India: From One Extreme to the Other
On August 3, the union government tabled the Digital Personal Data Protection Bill, 2023 (“DPDP Bill”). On August 7, the bill was passed by the Lok Sabha. This is the latest iteration in a lawmaking process that goes back at least six years. In August 2017, a committee was constituted to draft a bill. The committee released a draft bill in July 2018. The government tabled a version of the bill in Parliament in 2019, and a joint parliamentary committee examined it and submitted a report in December 2021. But the government withdrew the bill in August 2022 and floated a new bill for public comments in November 2022. The latest bill is based on that version.
While much can be said about how the approach to this law has changed over time, one thing is clear: the pendulum has swung to the other side, perhaps too far.
The 2019 bill was quite ambitious about what should and could be achieved for personal data protection regulation in one go. It proposed a comprehensive data protection framework and a powerful data protection authority to make regulations and enforce them on the entire economy. The bill’s focus was preventive. While there were provisions relating to punishment and compensation after a harm occurs, the emphasis was on ensuring that the processing of personal data happens in a manner that is protective of privacy. To this end, the committee proposed two types of obligations.
First, it sought to closely regulate interactions between individuals and those processing their personal data by giving the former certain rights that they may exercise and by obligating the latter to follow certain processes, such as a notice and consent process, to ensure that these interactions are adequately protective of the former’s personal data. The rights accorded to individuals included some basic ones that are constitutive of a right to privacy, such as the rights to confirmation, access, correction, and erasure, and others such as the right to data portability and the right to be forgotten. Second, the committee sought to impose obligations on those processing personal data so that they build and maintain systems and procedures for processing such data in a manner that ensures the protection of data privacy. These included obligations such as those related to privacy by design, transparency, data security, maintenance of records, and so on. These obligations were differentiated based on the type and significance of those processing personal data.
A preventive approach to data privacy makes sense because privacy-related harms are such that relying only on ex-post redress of grievances could lead to poor outcomes. Often, the data principal may not even know that their personal data has been processed in a manner contrary to their wishes, and even if they become aware, the legal process of getting redress itself may cause further loss of privacy. However, this approach could also potentially create large compliance costs, which would eventually be borne by the data principals, as all costs are eventually borne by the consumers.
The 2019 bill would have applied to all entities processing personal data through automated means and even those processing data through manual means, unless they are small entities as specified by regulations. The bill also provided for the power to exempt government agencies from any or all provisions in the interest of the security of the state, public order, the sovereignty and integrity of India, friendly relations with foreign states, and preventing incitement to the commission of any cognizable offense relating to these matters.
Coming against the backdrop of the rather minimal data protection regime that exists under the Information Technology Act, 2000, and the absence of any authority with the expertise to make and enforce data protection regulations, the 2019 bill’s suggested approach was a giant legislative and administrative leap. While not quite as expansive and intrusive as the European Union’s General Data Protection Regulation (GDPR), it came quite close to it. Many supporting the committee’s approach or critiquing it for not going far enough missed an important difference in context: while the GDPR was the latest iteration in a decades-long process of building protection legislation in Europe, the committee was recommending such an expansive legislation in one step. Since there is no already existing public authority with the relevant capabilities, this approach was doubly risky. Much could have gone wrong had the committee’s approach been accepted, from a rise in regulatory uncertainty to a considerable increase in compliance costs to an adverse impact on innovation to a possible misuse of the authority’s draconian powers.
The 2023 DPDP Bill is very different from the 2018 bill. It includes certain rights and protections, such as the requirement of a notice and consent process, the rights to access, correct, and erase one’s personal data, the right to grievance redressal, and a few obligations on those processing the personal data to build systems and processes that could promote data privacy, such as reasonable security safeguards to prevent personal data breaches, limitations on storage and the purpose of processing personal data, and the establishment of a grievance redressal mechanism. Further, there are additional obligations on those deemed to be “significant data fiduciaries,” such as the appointment of a data protection officer, the appointment of an independent data auditor to carry out data audits, the requirement of data protection impact assessments and periodic audits, and so on. These are, however, much fewer obligations than those found in the 2018 bill. This is appropriate because it is better for India to start with a more modest set of obligations in the law and then build from there. That said, there are aspects of this bill that could potentially limit its efficacy.
First, the exemptions given in the bill and the power to give more exemptions are so expansive that practically anyone and any processing activity can be exempted. In addition to an almost complete exemption for government bodies, the bill also envisages broad powers to exempt other entities. Consider, for instance, clause 17(5), which seeks to empower the central government to, before the expiry of five years from the date of commencement of this law, declare that any provision of the law shall not apply to such entity processing the data or any classes of such entities for such period as may be specified in the notification. This means that the government can completely exempt any entity without any guidance in the legislation on the basis for such an exemption. When such powers are given to the government, at the very least there are some criteria stated in the law to guide the decision to exempt, but no such criteria have been provided in the bill.
Second, the proposed data protection board would have no regulatory or supervisory powers, and almost all the rules and regulations would be made by the government. Giving such responsibilities to a ministry of the government is a questionable move—to do this well, it will have to build considerable capabilities that are easier to build in a separate agency. On the other hand, the board would have little incentive to build technical capabilities that could be useful for regulating the digital economy from a data protection perspective. The board will also have less independence than other public authorities in India. For instance, the chairperson and members would be appointed for two years and may be reappointed thereafter, while the standard practice is to appoint such authorities for three or five years. A short duration of appointment typically hampers independence from the government because reappointment can be used as a bargaining chip.
Third, in some ways, the individuals whose personal data is to be protected will be worse off. For instance, the bill seeks to amend the Information Technology Act, 2000, to do away with the provision on compensation to be provided to the affected person in situations where, due to negligence in implementing and maintaining reasonable security practices and procedures, a wrongful loss is caused to a person or a wrongful gain is made. The DPDP Bill does not provide for any compensation to such affected persons. As an aside, the bill also seeks to amend the right to information law to prohibit the release of any personal information, which is a considerable dilution of the law.
The main overall change is that once this law is enacted, the union government will get most of the powers to decide the scope of application and the substance of data protection regulations. How did the pendulum swing so far in the opposite direction? While we do not know the behind-the-scenes actions that may have led to this bill, we can say a few things about the context in which this has happened.
First, we should reflect on how the process started six years ago. During the arguments made in the Supreme Court of India in a high-stakes case around Aadhaar—the biometric identity program of the union government—the government reassured the court of its intent to draft a law on this matter. The government took a stand in court, saying that the Constitution of India does not include a fundamental right to privacy. But, to assuage the court’s concerns by indicating that the government considered privacy an important common law right, it stated that a committee was being formed to draft a law on data privacy. If the government had not made this promise, chances were that the court would consider the absence of such a law as a negative, and this may have affected their judgment on Aadhaar. So, it seemed that the government’s hand was forced on this matter.
This raises a larger point about the role of the courts in the horizontal application of rights. On August 24, 2017, a nine-judge bench released a judgment stating that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.” Although the bench issued a unanimous order in its affirmation of the right to privacy, it returned with six different judgments. Two of the judges—one of them joined by the other three judges of the bench—presented a horizontal reading of the right in the context of data protection, calling for a regulatory framework for the same. In situations where rights of citizens are to be protected from other nonstate parties, regulation is usually required. However, unless the legislature and the government themselves feel the necessity of such regulation, to what extent can the courts force their hand to take the necessary measures? After all, building a capable regulatory framework requires considerable political will and administrative acumen.
Second, the committee’s recommended approach to take an ambitious leap forward faced considerable pushback from within the government, especially the security establishment and the departments that deliver welfare schemes, and from businesses and nonprofits in the digital economy as well as others processing personal data outside the government. There were concerns raised about the consequences in terms of compliance costs, acceptable interpretations of the many obligations proposed in the law, and the timelines for implementation. Some experts were arguing for a less legalistic and more technology-driven approach to data privacy. However, there was not sufficient dialogue between the advocates of the committee’s approach and those who opposed it to find a way to change the bill to make it more pragmatic. Eventually, it seems that one side won the debate, and the bill has moved to the other extreme.
It seems likely that this bill will become law soon. Since laws may evolve over time, one can hope that some middle ground between the two extremes might be found over time. For instance, based on experience, the power of exemptions may be minimized with time, and regulation-making powers may eventually be given to the board. It would help if the government kept an open mind and continued dialogue with various stakeholders.
—By Suyash Rai
Review
Does Land Titling Reform Increase Litigation?
Many have argued that land titling is one of the most important reforms required in India’s land markets. The poor quality of land records leads to disputes over land and property, and a survey in 2017 reported that two-thirds of India’s court disputes are related to land and property. Multiple scholars and researchers have therefore proposed that the Indian state undertake measures to improve the quality of land records. It is argued that improvements in land records will reduce disputes over land and property and make land markets more efficient. A new paper studying the consequences of land titling reforms in Benin challenges this line of reasoning.
The paper “Land Titling and Litigation” (2022), by Benito Arruñada, Marco Fabbri, and Michael Faure, studies a land titling reform measure implemented in Benin in 2010–2011: the Plan Foncier Rural or the PFR. They show that land titling in Benin actually led to a significant increase in litigation. Prior to the PFR, land tenure security in Benin was subject to customary and informal law on the one hand and formal laws based on the Napoleonic Code of 1804 on the other. According to the authors, this dual system “led to insecurity concerning land rights and exacerbated land-related conflicts, allegedly because of judicial decisions not being enforced, uncertainties concerning boundaries, errors in the identification of owners, increasing illegal occupations, and a lack of publicity regarding property titles.”
The PFR’s mandate was to map all the land parcels in a given area, identify the rights of property holders with respect to the land parcels, and to register the property holders with respect to the land parcels. In short, this was a land title issuance program. One key feature of the PFR makes this a unique program for study: the authors state that the implementation of the PFR was preceded by a randomized control trial across hundreds of villages. Following this, of the 576 villages that were deemed eligible under the PFR scheme conditions, the plan was implemented in some 300 villages. The remaining 276 villages, in which the PFR was not implemented, continued to have predominantly customary rights over land.
The authors of the paper were therefore able to compare the causal effects of land titling on litigation across villages that received PFR implementation and villages that did not. This research was based on an analysis of the available information as well as a survey conducted in forty-three villages out of the overall group of 576. The survey was designed to investigate whether conflicts over land increased after the period of PFR implementation and the nature of the dispute/conflict.
The authors find that participants in villages where PFR was implemented reported much more litigation than in non-PFR villages. The frequency of reporting litigation was significantly higher in PFR than non-PFR villages. A large number of these disputes were about the boundaries of the parcels, though some of them were related to inheritance-related issues as well. Their regression analysis also reports that participants from villages with PFR reform are 75 percent more likely to experience land-related conflicts.
A supplementary inquiry of the authors was to understand the degree of change in the intensity and likelihood of violence due to PFR implementation. Their survey revealed that the frequency of “violent episodes…and beliefs regarding the likelihood of an escalation into violent conflicts” were almost the same across PFR and non-PFR villages. The authors also asked villagers whether they first approached local village authorities or the formal court system for conflict resolution in land disputes. While most of the respondents first approached the village authorities, most respondents who stated that they had solved the conflict said that the final adjudication had been done in a state tribunal. The fact that these responses did not differ significantly across PFR and non-PFR villages underscores the fact that the increase in litigation was not due to a change in perception about conflict resolution mechanisms.
So why does formalization lead to an increase in litigation? The authors construct a simple model to explain this: In any given situation, if the value of the land is higher for landowners after improving their titles by spending a fixed amount per parcel, then the landowners will spend such fixed amount. When the government introduces land titling for all land parcels independent of the value of the land and without any costs for owners, it causes an “increase in land value driven by formalization” since it reduces the risk of eviction. The authors note that even after such a titling program, there may still be scope for further improvements to the title. However, the fixed amount per parcel that would have to be spent to make such improvements would be reduced. This makes judicial recourse for improving titles much cheaper compared to earlier and creates incentives for increased litigation.
Last, the authors also find that the increase in litigation was driven mostly by those owning low-value land parcels. Those with high-value land parcels already had sufficient degrees of tenure security under customary laws and had taken other measures such as fencing, litigating, and so on.
Each of these findings has important implications for land titling reforms. In India, the federal government has run a land record digitization program with the ultimate goal of conclusive titling since 2005. Earlier called the National Land Records Modernisation Programme, in 2015 it was rechristened the Digital India Land Records Modernisation Programme (DILRMP). One of India’s most reputed economic think-tanks has created an index to measure how well states are implementing the DILRMP. The need for improving land titles was pressed repeatedly in India, with some arguing for the state to become the guarantor of land titles through conclusive titling (Wadhwa, 1989; Vohra, 2023). This argument for titling received a boost from the publication of Hernando de Soto’s work, The Mystery of Capital, which argued that creating land rights into contractable, monetizable assets would enable the poor to capitalize on their property assets. In recent years, NITI Aayog has framed a model law on the subject, and the state of Rajasthan has enacted a land titling law as well. Land titling is, therefore, clearly perceived as an important problem in India. However, it would be wrong to presume that better land titling will necessarily lead to a reduction in litigation.
The paper by Arruñada and others highlights the fact that litigation can be complementary to the process of cleaning up land titles through state action. State-led titling reform reduces the private cost of clearing up land titles and incentivizes individuals to pursue litigation. This is not a criticism of land titling reforms. Litigation that is complementary to land titling is societally optimal if it leads to the greater clarity of property rights in land overall. Indeed, one of the implications of the paper is that either (a) land titles are in such poor shape that cleaning them requires an implicit state subsidy—through the state’s action to reform titles—before their market value can increase, or (b) the cost of judicial access is so high for improving these land titles that, absent the state’s role in improving titles to some extent, it is too expensive to approach the formal legal system.
What the paper does demonstrate is that an improvement in land titles may not lead to a reduction in litigation. If the argument presented for doing more on land titling is that poor land records lead to a huge amount of litigation, land titling reform is likely to worsen that problem first before it improves. Another implication arising from this paper is that there is likely no escape from judicial dispute resolution for improving titles. In my writing on the subject, I have highlighted the complementary role of land title insurers in improving land titles. However, one of the main activities of title insurers is to, in fact, conduct litigation on behalf of their insured clients to protect their title.
In conclusion, this paper examines the relationship between land titling reforms and litigation in Benin and shows that land titling reforms can lead to an increase in litigation rather than reduce it. In doing so, the paper makes an important contribution to the design of land titling measures and to understanding their consequences. By showing the details of the litigation following the PFR implementation, the paper contributes to an understanding of how land titling reform subsidizes the cost of litigation for owners of low-value land. Each of these insights has important implications for policy design in India’s land markets.
—By Anirudh Burman