Discussion on India’s Data Protection Law
- Attended by lawyers, public policy professionals/managers, industry representatives, start-ups, and journalists.
Session 1: Users & Data Fiduciaries
- Speakers: Nehaa Chaudhari (Ikigai Law), Arjun Sinha (AP & Partners), Kriti Trehan (Panag & Babu Law Offices)
- The compliance timeframe for companies is uncertain. A comparison was made with the 2018 bill, which was going to come into effect in phases and had already worried some companies.
- Compliance with GDPR means compliance with the PDP Bill.
- Even doing a data inventory is a challenge, one of the reasons being that the bill is principle-based. Companies also have to await delegated legislation, even though they will be preparing for the bill before that.
- Lessons from GDPR & CCPA: The PDP Bill is different from both: it’s a data protection bill, but also a ‘data is oil’ bill. Large parts of it depend on the DPA’s regulations.
- The equivalent of a consent manager is the Account Aggregator for NBFCs. The consent manager has access to the information a user has fed into it, and to the user’s personal data from other services. It should be subject to all obligations that apply to data fiduciaries.
- Consent managers will be data fiduciaries, where the user can manage their consent. It will be a new category of data fiduciaries.
- The consent dashboard is like the permissions settings on smartphones. A consent manager would be a third-party service, where a user would manage which apps or services have consent, for how long, and for what.
- Operationalizing data portability: Companies are required to provide data to users, when asked, in a machine-readable format, among other things. BUT how do I ensure that tech companies are not penalized for using their proprietary material on my data?
- There are at least three typos in the PDP bill 2019.
- The consent manager essentially would hold users’ data in escrow. The specifics may even come via sectoral regulations which are unclear now. Is a consent manager a pipeline, or can a user do his/her own analysis? Can the manager use this data to cross-sell products?
- Deleting the consent manager can be considered. It’s unclear why it’s even in the bill – it needs to be more specific or be deleted.
- The bill is all right in terms of rights. But so much will depend on regulations and the conduct of the Adjudicating Officer. The bill should have allowed individuals to make complaints to the DPA.
- The bill does live up to the Right to Privacy (Puttaswamy) judgment with respect to private companies, but not so much with respect to the government.
- Data Breaches: The DPA’s power to choose whether to inform the user about a breach is unfortunate. BUT this provision may be there to guard against the risk that bad actors misuse the information once users are informed about the breach.
- The DPA may be holding our rights in confidence, but there is a case for defining a timeframe, even a delayed one, for notifying data breaches.
- If sensitive personal data is leaked, users should be informed ASAP. Breach notices for other kinds of personal data may not be necessary; it depends on the data that has been leaked. BUT the discretionary power cannot be left to a body that doesn’t have experience (referring to the DPA).
- The government, not individuals, decides what counts as sensitive personal data.
Session 2: Data Protection Authority
- Speakers: Bhairav Acharya (Facebook), Smriti Parsheera (NIPFP), Ujwala Uppaluri (Advocate – Supreme Court of India)
- Government thinking appears to be overlooking privacy in favour of innovation and the digital economy.
- We also need to insulate the DPA from the judiciary, not just from the government. The DPA should be left to substantively interpret the applicable laws. Courts should defer to the regulator, since courts aren’t experts in the sector.
- The concept of independent regulators arose when functions shifted from the government to the private sector and the need for experts emerged. The objective is to prevent market failures and to create an oversight mechanism specializing in the sector.
- The DPA is going to be a market regulator. It will cater to three constituencies: users, companies, and the government. A market regulator’s role is to balance everybody’s interests. Market regulators are all relatively new: 20-30 years old.
How to fix the DPA:
1. The bill took away powers from the DPA and gave it to the Centre. Reverse this.
2. Regulators also play the role of nation-builders. TRAI’s aim was to grow the telecom market and contribute to the economy. The Centre’s ability to direct the DPA takes away from its independence.
- At some point, the CCI invoked nation-building and passed a controversial judgment on the manufacturing of mobile phones in India. CCI decisions were always appealed, and the courts then came to see the CCI as a competitor, which affected the decisions.
- How does the DPA resolve the conflict between innovation and protecting user privacy? Is it a conflict? Do we need to separate this? Should the DPA be in the business of innovation?
- The government should determine adequacy, since it’s not simply a technical function.
Session 3: Government and its access to data
- Speakers: Prasanna S. (Independent advocate), Vrinda Bhandari (Advocate – Delhi High Court), Faiza Rahman (NIPFP), Shivangi Narayan (Ph.D. Candidate, JNU)
- Calls made to the Delhi Police are mapped according to location. It isn’t really profiling people per se, but they have to a large extent predetermined who might be criminals. They want to plot crimes on Delhi’s map to show areas with high crime rates.
- Police have been recording protests in Delhi. How is the footage stored? What is the protocol for sharing this data? Is the data centralized? Answer: it’s not being centralized, but it’s their incompetence that is saving people from the ill effects of information monitoring.
- Is there any restriction on what data a surveillance agency can hold?
- Extreme powers are given to the government, bypassing the fundamentals of personal data protection.
- In fact, the Centre can grant exemptions from any and all provisions of the PDP Bill. This can be done by a reasoned order under the Bill, which isn’t even a judicial order but is simply passed by the government. Technically, it means that the Delhi Police can be exempted from complying with the PDP Bill.
- The bill exempts not only the state but also private companies that might be involved in the state’s ecosystem. This is just to retrofit all the problems with the Aadhaar judgment.
- There is no judicial oversight into data requests.
- Section 36 gives the state a lot of exemptions, going beyond cognizable offences. That is a wide power that law enforcement agencies will get.
- Section 35 looks like an attempt to exempt mass surveillance.
Session 4: Cross-border data flows
- Speakers: Udbhav Tiwari (Mozilla), Bishakha Bhattacharya (IBM Corporation), Yolynd Lobo (Amazon Web Services)
- If India chooses the adequacy approach, that is, if India defines 10 countries to which data can go, nobody will have a problem.
- Financial industries might still be okay, but other industries will struggle as they are just starting out their digitization journey.
- The entire exercise of data segregation is very difficult. What is sensitive personal data in one context might not be in another.
- A lot of onus will fall on the cloud service providers to segregate data.
- As for compliance time, the 2 years that GDPR gave were not enough.
- Anyone who claims to have effectively localized all data is claiming something practically impossible.
- At the Global Tech Summit, Justice Srikrishna appreciated the question: ‘Shouldn’t I, as a user, be able to store my data in another country because I don’t trust my govt?’
- Data is usually fragmented and stored in different locations around the world.
- The PDP Bill should not focus on localization requirements, and should instead look at safe and secure transfers.
- It’s important that users give explicit consent, but there are many situations where explicit consent cannot be given, like the reading of RFID number plates in a traffic jam.
- The bill is silent on the retrospective application of data localization requirements.
- There are a lot of IoT devices that fall outside the scope of the Bill, for example where data is generated by machines about machines.
- The Mozilla representative presented his concern about the impact of the PDP Bill on internet browsers like Firefox, which do not store any data on servers but ask the user to let the browser save information like passwords, credit card details, etc. He proposed that a distinction be made between saving data in the cache or on local machines and saving it on servers.
- Will a VPN or tunnelling service to a remote location in the world be adequate under the bill?
- Xiaomi asks for the location of the server, but not every company may be able to afford the infrastructure.
- The bill will restrict innovation and the emergence of new startups because of the financial burden of data localization.
- Many international mobile apps will have to restrict some functions or move out of the Indian market.