Source: Ideas and Institutions Issue #20
Analysis
India’s New Light Touch Data Regulation Paradigm
The draft Digital Personal Data Protection Act, 2022, released for public consultation by the government last Friday, takes a completely different approach to data protection from its predecessors. In this piece, I first highlight the main differences from the earlier versions, before analyzing what they mean for data protection and for India’s economy.
The old and the new
Previous versions of data protection legislation adopted an expansive framework towards data regulation.
The first version, drafted by a government-appointed committee headed by retired Justice Srikrishna, proposed a framework that resembled the approach taken in the European Union’s General Data Protection Regulation. It proposed rights for consumers, such as the right to access data stored by businesses, and to have it corrected or deleted. It imposed many new obligations on businesses (defined as “data fiduciaries”) - the requirement of taking consumer consent, purpose and storage limitations, security and transparency requirements, and appointing data protection officers, among others. “Significant data fiduciaries” had additional requirements. The Bill proposed that the Data Protection Authority (DPA) would be an independent regulator that would enforce this law by framing detailed regulations. In addition, restrictions were proposed on the movement of certain categories of personal data outside India - sensitive and critical personal data.
In 2019, the Indian government released its version of the legislation, the Personal Data Protection Bill, 2019, largely based on the JSK committee’s version. It rationalized some compliance requirements. For example, (a) it made consent requirements a safe-harbour provision, (b) it reduced criminal penalties, and (c) it permitted greater movement of data outside India, while still retaining restrictions. It made some other significant changes: (a) social media platforms were brought within the ambit of the legislation, (b) one provision gave the government the power to mandate sharing of non-personal data, and (c) the narrow exemptions from compliance given to state agencies in the previous version were expanded significantly.
This approach to regulation had some significant issues that I have explained in detail elsewhere, and have summarized below:
- The legislation envisaged a quantum jump in regulation. Unlike the EU, India does not have any pre-existing jurisprudence on data privacy that stakeholders and the DPA could rely on while interpreting the new law.
- In addition, India does not have prior regulatory expertise to regulate data privacy with such an expansive scope.
- The increase in compliance because of this expansive scope would have been significant, and would have hurt small businesses more than big technology firms.
- While almost all private entities would be faced with increased regulation and compliance, state power would only increase. The DPA would have significant powers to look at all businesses. In addition, the regulatory burden on government agencies was modest compared to private businesses.
- The debate on data privacy was subject to new distractions like debates on data localization and non-personal data sharing. These debates found their way into the legislation, which made it even more expansive.
When the government withdrew the 2019 legislation from Parliament in August 2022, it expressed an interest in adopting a fresh approach, one also in sync with other laws to regulate the IT sector. The 2022 Bill reflects this approach. It has some major changes worth analyzing in greater detail:
- The somewhat ambiguous classification of personal data into personal, sensitive, and critical personal data has been done away with. The 2022 Bill refers only to digital personal data. This also means that the escalating set of compliance requirements for sensitive personal data is no longer there.
- The 2019 Bill had a definition of “harm” that was meant to guide businesses and government on the level of protection to be accorded to personal data. This definition included some overlapping concepts, some very low-threshold concepts (“humiliation”), and some vague standards (“any discriminatory treatment”). The 2022 version defines harm to include just four things: ID theft, harassment, bodily injury, and prevention of lawful gain or causation of significant loss.
- There is not going to be any independent data protection regulator anymore. The DPA has been replaced by a Data Protection Board that will be appointed by the government. The composition, qualifications, and conditions of service will be written down in rules by the government, and are not going to be in the law, unlike the 2019 Bill.
- This new Board will only do the following: (a) investigate non-compliance with the law and issue penalties, (b) direct data fiduciaries to take remedial measures when data breaches occur, and (c) perform functions that the central government may assign. In short, this is not a regulatory agency anymore. It will not be a standard-setting authority. It will not monitor and supervise data protection against these standards. The Board is a limited agency with a narrow mandate.
- Consent and notice are still required. But there is a new provision allowing deemed consent in specific cases. These include cases where there is a reasonable expectation of data being processed, performing any function under law, compliance with court judgements, medical emergencies, epidemics, employment, and in public interest. The last is interesting, because it has been defined broadly so as to potentially include data processing by private entities as well. This is because public interest here includes activities like credit scoring and debt recovery.
- Many consumer rights and obligations for businesses are retained from the 2019 version. However, there has been a reduction in compliance. This is mainly because in the 2022 version, there is no DPA who will interpret these provisions to write detailed standards in the form of regulations. For example, businesses will have to implement data storage, safety, and accuracy requirements in accordance with the law, but there is no DPA to mandate how exactly they must do so.
- There has been a complete change in approach towards data localization. A strict interpretation of the provision would mean that all data transfers outside India are prohibited by default. The government can allow transfers to certain countries and regions subject to requirements it will prescribe.
- Provisions on non-personal data have been removed. The provision criminalising re-identification has been removed.
- A framework of financial penalties has been added and there are no longer any criminal provisions. The Board will have powers to impose penalties of up to INR 500 crore (INR 5 billion). The Schedule to the Bill provides different ceilings for different kinds of violations.
What should we make of this new approach?
The 2022 draft Bill is refreshingly pragmatic. This is reflected in its preamble, which recognizes the tension between protecting privacy and the economic need to process data. It also speaks to India’s economic context, which, though digitizing rapidly, is not yet a mature digital market. In addition, macroeconomic headwinds have negatively affected many technology firms, and it is possible that existing business models need to change. In this situation, it is good that the Bill creates regulatory certainty, and allows considerable leeway for adaptation while focusing more narrowly on privacy issues.
The Bill does so in the following ways:
- The removal of the DPA means that businesses will not have to design privacy by regulatory fiat. They will have leeway to implement data protection requirements in the manner that is most appropriate for their business. Rather than privacy through compliance, the proof of the pudding will now be in the eating. If the Board is an active agency, potentially hefty penalties will incentivise businesses to focus on guaranteeing privacy outcomes, rather than having them focus on undertaking expensive compliance.
- In addition, because there is no independent regulator with extensive regulatory powers, there will be lower regulatory uncertainty. The standards set out in the Bill are a complete set of requirements in themselves, and do not require further interpretation, deliberation and negotiation. Conceptual simplification will also help. For example, distinctions between different categories of data (personal, sensitive, critical), with escalating sets of protections, which, in turn, would be specified by the DPA, would have been additional sources of uncertainty.
- The 2022 Bill dispenses with ideas like sharing non-personal data, that, at best, had incidental relevance to data privacy issues. The focus on protecting consumer data is clearer. Other issues will be dealt with in other legislation.
- There is greater regulatory certainty also due to the limited role of the Board. Unlike the DPA, it will not have to balance an expansive list of responsibilities and powers. The Board is designed to be a limited agency that will, for the most part, focus on misconduct and remedying data breaches. The scope for surprising markets with new regulations, something endemic in India, is therefore reduced.
There are also provisions that need greater discussion. One is the design of the Board and the role of the government in relation to it. Since the Board will have powers to issue hefty financial penalties, the qualifications of board members should ideally be set out in the law, and the law should also guarantee tenurial independence to its members. This should not be left completely to executive discretion.
Another is the provision on cross-border data transfers. As drafted, data flows will be prohibited unless permitted. In some ways, this is a regression from the 2019 version. While this provision is intended to allow the government the power to decide which jurisdictions are adequate for storage of Indian data, the provision should explain the considerations or principles that the government will use while determining whether to allow data transfers.
The provision on deemed consent that potentially permits private businesses to process data for activities like credit scoring, ostensibly in public interest, requires greater deliberation. It is unclear what public interest is served in these commercial activities.
Perhaps the major continuing disappointment with all versions of data protection legislation is the exemption given to government agencies. As in the 2019 version, the government will continue to exempt itself from most requirements set out in the Bill. The big silver lining, if one may call it that, is that we will no longer be faced with the irony of having a powerful and intrusive DPA tasked to protect privacy.
—By Anirudh Burman
Review
What India’s G20 Presidency Can Do To Promote Cross-Border Payments: A Review Of FSB Publications
In many countries, the retail payment experience has improved considerably in recent years. Due to the advent of fast payment systems like the Unified Payments Interface (UPI) in India, Pix in Brazil, PayNow in Singapore, PromptPay in Thailand, and others, payments have become faster, cheaper, and more secure. As of December 2021, around 60 jurisdictions had implemented such systems, and many others were planning to do so. Technological advancements have made this possible, and almost all major jurisdictions are adopting these technologies.
The story is, however, very different when it comes to cross-border payments, which continue to be slow and expensive, and the transaction failure rate is not trivial. Progress has been slow. This is not due to the lack of technological knowhow, but to the challenges of coordination.
In this essay, I consider the Financial Stability Board’s (FSB) publications on this issue since 2020, when the G20 took up cross-border payments. The context for this essay is India taking over the presidency of G20. Like all countries that have chaired this forum, India will have to set its priorities. Cross-border payments is an issue that India’s G20 presidency should prioritize, and the reasons for this are threefold.
First, much work has been done to analyze problems in this area and identify the way forward, and it is now time for vigorous action. Over the last two years, the FSB and the Bank for International Settlements have, on behalf of the G20, focused on diagnosing problems and preparing a path for progress on cross-border payments. In 2020, the FSB developed a roadmap to enhance cross-border payments in coordination with other international organizations and standard-setting bodies. This high-level document allows for jurisdiction-specific flexibility. It identified 19 building blocks across five areas that could enable progress on cross-border payments. A publication with priorities for the next stage of the work was released in October this year. In November this year, the FSB published a report to the G20 with further details of the implementation approach, including key performance indicators (KPIs) to monitor progress toward the G20 targets for cross-border payments. The next year will be crucial for accelerating coordination efforts in the priority areas.
Second, India can genuinely claim leadership on this issue. It has not just implemented one of the most successful fast payment systems (UPI), but also taken certain key steps that would help in improving cross-border payments. For instance, India is one of the four jurisdictions in the world that have their real-time gross settlement (RTGS) systems operating for 24 hours on working days. This extension of the operating hours can help manage liquidity and settlement risks in cross-border payments. India has also entered into agreements with other countries, such as the interlinking of UPI and Singapore’s PayNow. Such arrangements can significantly shorten the transaction chains for cross-border payments, making them faster and cheaper.
Third, in many countries, there has been progress on some of the enabling conditions that can expedite cross-border payments. For instance, the ISO 20022 standard is now being implemented in most major jurisdictions. Many countries and regions have also taken steps to create liquidity bridges to enable settlement of these payments.
While the G20 remains basically an informal international organization, it has played an important role since the global financial crisis. This role has been particularly crucial for international coordination in the development and regulation of the financial system. The establishment of the FSB created a forum through which many substantive issues requiring international coordination could be discussed and specific recommendations made. Jurisdictions are then assessed on their consistency with these recommendations, even though they are not binding. The work on cross-border payments is progressing along a similar pattern. Since the G20 countries account for about 80 percent of the world’s GDP, they will essentially set the agenda for the world on this issue.
So, what should be the priorities? The FSB’s publication on priorities for the next stage of work identifies certain building blocks where progress could prove significant.
First, interlinking arrangements, which allow banks and other payment service providers to transact with each other without requiring them to participate in the same payment system or use intermediaries such as correspondent banks, can shorten transaction chains, reduce costs, and increase the transparency and speed of payments (BIS, 2022). Interlinking could cover different types of payment systems (wholesale or retail) and be underpinned by different types of currency arrangement (single currency, multicurrency, cross-currency).
Second, extension and alignment of operating hours for settlement systems could reduce liquidity costs and settlement risks. According to a recent report that covered 82 jurisdictions, RTGS systems in these jurisdictions are open for about 11 hours on average. India is one of the leaders on this front, along with Mexico, South Africa, and Switzerland, with RTGS systems operating for 24 hours or nearly 24 hours on working days.
Third, improving direct access for a wide variety of payment service providers to payment systems like RTGS that settle in central bank money could help. According to the BIS, only a minority of systems settling in central bank money currently provide direct access to non-bank payment service providers, foreign banks, and financial market infrastructures. India opened up access to non-banks in 2021.
Fourth, regulatory coordination across jurisdictions will be key. This includes coordination to supervise cross-border payment service providers and multicurrency payment infrastructures. Since cross-border payments involve multiple jurisdictions, none of them can on its own regulate the risks of such arrangements. This is an important area in which coordination at the G20 will be required. Similarly, applying anti-money laundering/combating the financing of terrorism (AML/CFT) frameworks consistently and comprehensively across jurisdictions with a risk-based approach can reduce uncertainty in cross-border payments by improving trust and protecting the financial system from abuse. Further, country frameworks for data governance and regulation may need to be adapted. Countries have been developing data access, data protection, and data flow frameworks to respond to the demands of their respective political economies. However, as cross-border payments involve the flow of data across borders, these frameworks may interact with the systems for cross-border payments, sometimes creating frictions for the latter.
Fifth, harmonising message formats and application programming interface (API) protocols can, as the BIS has suggested, lead to efficiency gains by “avoiding the need for processing interfaces, system schemas or data enhancement, thus facilitating data interoperability and potentially reducing operational costs for new adopters, and allowing movement towards fully automated straight through processing functionalities”. Message formats and API protocols have been developed in response to specific needs. It will be important to consider some harmonisation of these formats and protocols. For instance, ISO 20022 as the common messaging standard can help in interoperability and in addressing data standards and quality and quantity restrictions in cross-border payments. Many jurisdictions have adopted ISO 20022 as the messaging format for their fast payment systems, and many others are moving towards it.
While in most of these areas India has already shown leadership, in some (for example, the development of a data regulation framework) it seems to be lagging. However, it is not necessary for India to lead on all these issues by example. That is not how the politics of such forums work. If India is able to catalyze action on these issues over the next 12 months so as to make significant progress on cross-border payments, it would be a memorable achievement for its presidency of the G20.
—By Suyash Rai