As privacy becomes a hot topic, this week’s debate focuses on the data protection bill. Will you do enough to protect your digital data?
I try to avoid debates, like this one, about the pros and cons of the Personal Data Protection Bill, 2019 (PDP Bill, 2019), because right now it is just that: a draft. Having witnessed the failure of our two previous attempts to create a data protection framework, I am reluctant to count my chickens before they hatch. That said, the Joint Parliamentary Commission appears to be about to issue a final report, so we could be closer than ever to seeing the light at the end of this tunnel.
It is a fact that the PDP bill is based on the privacy principles that most modern democracies adhere to. It is firmly grounded in the notion of consent, which requires all entities that collect personal data to report the purpose for which the data being collected will be used, as well as a host of other information essential to informed consent. It requires those who collect data to adhere to the principles of collection, purpose, and use limitation, and limits their ability to retain data to only as long as is absolutely necessary to achieve the purpose.
In my experience, these are the provisions that most data companies use regularly, referring to them frequently to assess whether a new line of business is viable from a privacy perspective, as well as to deal with circumstances that they had not met before. The fact that our privacy law is consistent globally in this regard gives companies the confidence that they can process data in the same way in India as anywhere else in the world.
This is not to say, for a moment, that the bill conforms perfectly to international standards. If passed in its current form, it will be the first privacy law anywhere in the world to impose explicit data localization obligations on the processing of certain kinds of data and will offer broad exemptions to the state. And by trying to extend its reach beyond personal data, into the realm of non-personal data, it redefines the regulation of data itself.
These may seem like significant deviations from the norm, but if you really get into the weeds, you have to wonder how much Indian law really differs from the rest of the world in all these respects.
Let’s take localization, for example. I would say that localization is implicit in any cross-border data transfer restrictions. All countries stipulate that certain thresholds must be met before data can be transferred outside their borders. By doing so, they are actually saying that failure to meet these thresholds would require the data to be processed domestically. Recently, in Schrems’ second decision, the EU demonstrated how far it could go in this direction by overturning its data transfer agreement with the US on the basis that the data of EU citizens was not adequately protected. What is this but localization by another name?
Exemptions for law enforcement purposes are not only commonplace in privacy laws around the world, they are almost part of the standard playbook. Of course, the Indian bill goes beyond what I would prefer, but my disagreement in this regard is with the degree and not the substance. I would like to see the exemptions watered down, but there is no data protection statute anywhere in the world that has removed these exemptions in their entirety and I don’t expect India to do so, nor should it.
Finally, non-personal data. There is no doubt that the attempt to regulate non-personal data is a new frontier. If India follows this path, it could well be the first country in the world to try something like this. But the fact that no other country is going this way is no reason to object. Judging from the growing international interest in India’s non-personal data framework, it is becoming clear that India is more likely to be a pioneer than an outlier in the field.
One of the specific concerns that has been raised is that the specific language referring to non-personal data in the 2019 PDP Bill could interfere with the more detailed regulatory framework that is being conceptualized by a completely different committee headed by Kris Gopalakrishnan. Fortunately, in its latest report, the non-personal data committee has outlined how its proposed regime will interact with the provisions of the upcoming privacy law, attempting to resolve any anticipated overlap by clarifying the scope of each regulator.
No law is perfect. Every legislative effort is an exercise in reaching an optimal balance between competing interests. The 2019 PDP bill is no different. But this is, for the most part, a good law, especially in the areas that count. We are already 10 years late. Let’s not make perfection the enemy of good and let another decade go by.
Matthan is a partner at Trilegal specializing in telecom technology, media and law in India.
It is intended to ensure privacy, but gives the state control over our personal data
Here’s a prediction for 2022: India’s Personal Data Protection Act (PDP), which will be in the initial stage of its implementation, will be the subject of various lawsuits in court.
There is likely to be a strong challenge to the most egregious of the bill’s provisions: the blanket exemptions granted to the Indian government to access the personal data of citizens, even private entities. A law that was intended to herald an era of privacy will be seen as violating this fundamental right. There will be calls for surveillance reform and greater scrutiny of the activities of intelligence agencies. The Government of India would do well to define narrow and proportionate exceptions for state access to data, and limit it to situations where necessary: namely attacks on critical infrastructure and investigations into terrorist attacks and credible threats to national security. These must have the sanction of a high-level government committee and be open to scrutiny by a bipartisan parliamentary committee.
Emphatically, this is not the same as accessing data for the purpose of day-to-day law enforcement. Ideally, the bill should allow for a separate law on state surveillance reform. The implementation of facial recognition systems and drones for the police, especially in Delhi and Telangana, invites legal challenge.
There are other problems with the bill: data localization, based on the idea of data segmentation into personal data, sensitive personal data, and critical personal data. This cumbersome exercise is not always practical to implement. For example, if someone puts their caste information on a resume uploaded to a global job platform, how will it be segmented as sensitive personal information? For small businesses and startups, including healthcare and financial apps, such targeting and localization will result in disproportionate costs, so they might choose not to serve the Indian market. India should embrace the global nature of the Internet, seek to apply its jurisdiction to the data of Indian citizens regardless of where the data is stored, and seek adequacy agreements with jurisdictions with a similar approach to data.
The age change is another point of concern in the PDP bill. The Covid-19 pandemic has accelerated the adoption of digital services for education and entertainment, especially among children. Requiring the consent of a guardian for anyone under the age of 18 creates a situation where some data fiduciaries will end up inadvertently breaking the law or disenfranchising a vast majority of teens. In a country with shared mobile devices, the consent requirement for adolescent girls to use internet-enabled devices will eventually disenfranchise them. Maturity levels differ greatly between the ages of 13 and 16. The PDP bill should require the consent of a guardian only for those under 14 years of age to allow supervision of young children without disabling Internet access for those transitioning to adulthood. Ensuring compliance even with the consent of a guardian is difficult without the mass collection of ID cards, which will create privacy damage. The collection of parental consent should be done with the best possible effort to avoid burdensome liability. Frankly, decisions on how the bill regulates children’s data are best left for further consultation by the Data Protection Authority.
In the same way, the governance of inferred personal data requires further consultation. It has implications for the ability of companies to provide services, especially with the potential transience of such data and the automated generation using machine learning algorithms. Also, one of the strangest parts of the bill is the inclusion of “non-personal data”: why a law on personal data would have a clause regulating data that is explicitly defined as non-personal is difficult to understand or justify. Even the committee that MEITY has created to regulate non-personal data has recommended that its clause be deleted.
Finally, for a regulation as significant as this, the Personal Data Protection Authority must be independent and empowered. In its current form, it depends on the central government for its appointments and its powers, leaving room for the government to influence its operation. The government of India is the largest data collector and processor in this country, and one only has to look at its handling of Aadhaar data or the flawed implementation of the Aarogya Setu protocol to understand why the negligence of government departments gets worse. Appointments to the Data Protection Authority should be made by a committee comprised of the Chief Justice of India (or his designee) as president and the secretary of the cabinet, and the Authority should work with experts in the domain who can advise it on data protection matters, artificial intelligence, technology and other aspects.
The Data Protection Authority must inspire trust in citizens, to be truly effective: it must serve as an organization that works for the privacy of citizens, even if that means holding government agencies, departments and officials accountable.
Pahwa is the founder of MediaNama