<\/strong>
I try to avoid debates, like this one, on the pros and cons of the draft<\/a> Personal Data Protection Bill<\/a>, 2019 (PDP Bill, 2019) — because right now it is just that — a draft<\/a>. Having witnessed our two previous attempts at creating a data<\/a> protection framework fail, I am reluctant to count my chickens before they hatch. That said, the Joint Parliamentary Committee<\/a> seems on the verge of issuing a final report, so we might be closer to seeing light at the end of this tunnel, than ever before.
It is a fact the PDP Bill is based on privacy principles that most modern democracies subscribe to. It is firmly grounded in the notion of consent, requiring all entities that collect personal data<\/a> to provide notice of the purpose for which the data<\/a> that is being collected will be used as well as a whole host of other information essential for informed consent. It requires those who collect data to adhere to principles of collection, purpose and use limitation as well as limits their ability to retain data for only so long as is absolutely necessary to achieve the purpose.
![\"\"](\"\/Themes\/Release\/images\/responsive\/ettelecom-default.jpg\")
In my experience, these are the provisions that most data businesses engage regularly — frequently referring to them to evaluate whether a new line of business is viable from a privacy perspective as well in dealing with circumstances not previously encountered. That our privacy law is globally consistent in this regard gives businesses the confidence that they can process data the same way in India as they do everywhere else in the world.
This is not to say, for a moment, that the draft law cleaves perfectly to international norms. If passed in its current form, it will be the first privacy law anywhere in the world to impose explicit data localisation obligations on the processing of certain classes of data and to offer broad exemptions to the State. And by attempting to extend its reach beyond personal data<\/a> — into the realm of nonpersonal data — it re-defines the regulation of data itself.
These might appear to be significant departures from the norm but if you really get into the weeds you need to ask yourself how much the Indian law really differs from the rest of the world in all these aspects?
Take localisation for example. I would argue that localisation is implicit in any cross-border data transfer restriction. Every country stipulates certain thresholds have to be met before data can be transferred outside its borders. In doing so they are actually saying that the failure to meet these thresholds would require data to be processed domestically. Recently, in the second Schrems decision, the EU showed just how far it could go in this direction by upending its data transfer arrangement with the US on the ground that the data of EU nationals was not adequately protected. What is this if not localisation by another name?
Exemptions for law enforcement purposes are not only commonplace in privacy laws around the world, they are almost part of the standard playbook. Granted, the Indian draft law goes further than even I would prefer, but my disagreement in this regard is with the degree and not the substance. I would like to see exemptions toned down but there isn’t a data protection statute anywhere in the world that has eliminated these exemptions in their entirety and I don’t expect India would — or should.
Finally, non-personal data. There is no doubt that the attempt to regulate non-personal data is a new frontier. If India goes down this path it could well be the first country anywhere in the world to even try and do something like this. But just because no other country is going down this path is no reason to balk. Judging by the growing international interest in India’s non-personal data framework, it is becoming clear that India is more likely to be a pioneer than the outlier in the field.
One of the specific concerns that has been raised is in relation to specific language referring to non-personal data in the PDP Bill 2019 that could interfere with the more detailed regulatory framework being conceptualised by an entirely different committee headed by Kris Gopalakrishnan. Thankfully, in its latest report, the non-personal data committee has described the manner in which its proposed regime will interplay with the provisions of the forthcoming privacy law attempting to resolve any anticipated overlaps by clearly clarifying the scope of each regulator.
No law is ever perfect. Every legislative endeavour is an exercise in arriving at an optimal trade-off between competing interests. The PDP Bill 2019 is no different. But this is, for the most part, a good law — particularly in the areas that count. We are already 10 years late. Let’s not make perfect be the enemy of good and allow another decade to slip by.
Matthan is a partner with Trilegal and specialises in technology, media and telecommunications law in India
<\/em>
Meant to ensure privacy, but gives state control over our personal data
<\/strong>
Here’s a prediction for 2022: India’s Personal Data Protection (PDP) Act, which will be in the infancy of its implementation then, will be the subject of several lawsuits in courts.
There is bound to be a strong challenge to the most egregious of the bill’s provisions: the wholesale exemptions given to the Indian government to access the personal data of citizens, including from private entities. A law that was meant to herald an era of privacy will be seen as violating this fundamental right. There will be calls for surveillance reform, and greater scrutiny on the activities of intelligence agencies. The Government of India would do well to define narrow and proportionate exceptions for state access to data, and limit it to situations where necessary: namely, attacks on critical infrastructure and investigations into terrorist attacks and credible national security threats. These should have the sanction of a highlevel government committee, and be open to scrutiny by a bipartisan Parliamentary committee.
This is emphatically not the same as accessing data for day-to-day law enforcement purposes. Ideally, the bill should enable a separate law on reforming state surveillance. The implementation of facial recognition systems and drones for policing, especially in Delhi and Telangana<\/a>, invites legal challenge.
There are other issues with the bill: the localisation of data, based on the idea of segmentation of data into personal data, sensitive personal data and critical personal data. This cumbersome exercise is not always practical to implement. For example, if someone puts their caste information in a resume uploaded on a global job platform, how will that be segmented as sensitive personal data? For small businesses and startups, including health and financial apps, such segmentation and localisation will lead to disproportionate costs, because of which they might choose not to service the Indian market. India should embrace the global nature of the internet, look to apply its jurisdiction to the data of Indian citizens irrespective of where the data is stored, and seek adequacy arrangements with jurisdictions with a similar approach to data.
Age-gating is another point of concern in the PDP bill. The Covid-19 Pandemic has sped up the adoption of digital services for education and entertainment, especially among children. Mandating a guardian’s consent for anyone below the age of 18 creates a situation where some data fiduciaries will end up inadvertently breaking the law, or disenfranchise a vast majority of teenagers. In a country with shared mobile devices, the requirement of consent for teenage girls to use internet-enabled devices will end up further disenfranchising them. Maturity levels differ vastly between 13 and 16-year-olds. The PDP Bill should require consent of a guardian for only those below the age of 14 in order to enable oversight for young children without disabling Internet access for those transitioning to adulthood. Ensuring compliance even for a guardian’s consent is difficult without the mass collection of ID cards, which will create privacy harms. The collection of parental consent should be on a best-efforts basis, to avoid onerous liability. Frankly, decisions regarding how the bill governs children’s data, are best left for further consultation by the Data Protection Authority.
In the same way, the governance of inferred data as personal calls for further consultation. It has implications on the ability of businesses to provide services, especially with potential transience of such data, and automated generation by machine learning algorithms. Also, one of the strangest parts of the bill is the inclusion of “non-personal data”: why a law concerning personal data would have a clause governing data that is explicitly defined as non-personal, is hard to understand or justify. Even the committee that MEITY has created for governing non-personal data has recommended that his clause be dropped.
Lastly, for a regulation as significant as this, the Personal Data Protection Authority must be independent and empowered. In the current form, it depends on the central government for its appointments and its powers, which leaves scope for the government to influence its functioning. The government of India is the largest collector and processor of data in this country, and one only has to look at its handling of Aadhaar data or the flawed implementation of the Aarogya Setu protocol to understand why negligence by government departments cannot be allowed to fester. Appointments to the Data Protection Authority must be done by a committee comprising the Chief Justice of India (or their nominee) as chairperson, and the cabinet secretary, and the Authority must work with domain experts who may advise it on matters of data protection, artificial intelligence, technology, and other aspects.
The Data Protection Authority must inspire trust in citizens, to be truly effective: it should serve as an organisation that works for citizens’ privacy, even if that means holding government agencies, departments and officials accountable.
Pahwa is the founder of MediaNama<\/em>
<\/body>","next_sibling":[{"msid":80322850,"title":"View: Budget 2021 should fund data infrastructure and Artificial Intelligence skills","entity_type":"ARTICLE","link":"\/news\/view-budget-2021-should-fund-data-infrastructure-and-artificial-intelligence-skills\/80322850","category_name":null,"category_name_seo":"telecomnews"}],"related_content":[{"msid":"80320602","title":"Ninan","entity_type":"IMAGES","seopath":"india\/as-privacy-becomes-a-hot-topic-this-weeks-debate-centres-around-the-data-protection-bill-will-it-do-enough-to-protect-your-digital-data\/ninan","category_name":"As privacy becomes a hot topic, this week\u2019s debate centres around the Data Protection Bill. Will it do enough to protect your digital data?","synopsis":false,"thumb":"https:\/\/etimg.etb2bimg.com\/thumb\/img-size-995288\/80320602.cms?width=150&height=112","link":"\/image\/india\/as-privacy-becomes-a-hot-topic-this-weeks-debate-centres-around-the-data-protection-bill-will-it-do-enough-to-protect-your-digital-data\/ninan\/80320602"}],"msid":80323302,"entity_type":"ARTICLE","title":"As privacy becomes a hot topic, this week\u2019s debate centres around the Data Protection Bill. Will it do enough to protect your digital data?","synopsis":"\"The Data Protection Authority must inspire trust in citizens, to be truly effective: it should serve as an organisation that works for citizens\u2019 privacy, even if that means holding government agencies, departments and officials accountable.\"","titleseo":"telecomnews\/as-privacy-becomes-a-hot-topic-this-weeks-debate-centres-around-the-data-protection-bill-will-it-do-enough-to-protect-your-digital-data","status":"ACTIVE","authors":[],"Alttitle":{"minfo":""},"artag":"TNN","artdate":"2021-01-18 10:59:22","lastupd":"2021-01-18 11:00:17","breadcrumbTags":["Personal Data Protection Bill","draft","Joint Parliamentary Committee","data","Telangana","personal data","policy"],"secinfo":{"seolocation":"telecomnews\/as-privacy-becomes-a-hot-topic-this-weeks-debate-centres-around-the-data-protection-bill-will-it-do-enough-to-protect-your-digital-data"}}" data-authors="[" "]" data-category-name="" data-category_id="" data-date="2021-01-18" data-index="article_1">
- Telecom乐动扑克News
- 8分钟阅读
随着隐私成为一个热门话题,本周的辩论中心数据保护法案。它将足以保护你的数据吗?
“数据保护机构必须激发对公民的信任,真正有效:它应该作为一个组织,适用于公民的隐私,即使这意味着持有政府机构、部门和官员的责任。”
比尔基于隐私原则大多数现代民主国家订阅
我尽量避免争论,就像这一个,的优点和缺点草案 个人数据保护法案2019 (PDP法案,2019)——因为现在它只是一个草案。目睹我们前两次在创建一个数据保护框架失败,我不愿数鸡蛋未孵出。也就是说,联合议会委员会似乎即将发布最终报告,所以我们可能会接近看到光的隧道,比以往任何时候都要多。
事实上PDP比尔是基于隐私原则,大多数现代民主国家订阅。牢牢植根于同意的概念,需要收集的所有实体个人资料提供通知的目的数据正在收集将使用以及一大堆其他信息必不可少的知情同意。它需要那些坚持原则的收集,收集数据的目的和使用的限制以及限制只保留数据的能力实现这一目标,只要是绝对必要的。
在我的经验中,这些规定大多数数据业务进行定期——经常指评估新业务是否可行的从隐私的角度以及在处理环境没有以前遇到的。我们的隐私法是全球一致的在这方面给企业的信心,他们可以以相同的方式处理数据在印度在世界上其他地方一样。
这并不是说,一会儿,法律草案劈开完美国际规范。如果在目前的形式通过,它将是第一个隐私法在世界任何地方明确数据本地化义务强加于某些类的处理的数据和提供广泛的豁免。试图扩大其超越个人资料- nonpersonal领域的数据重新定义数据本身的规定。
这些可能出现重大偏离常态,但如果你真的进入杂草,你需要问自己多少印度法律真正有别于世界其他国家在这些方面?
以本地化为例。我认为,本地化是隐含在任何跨境数据传输限制。每个国家规定某些阈值必须见过数据可以转移到境外。这样做,他们实际上是说,未能满足这些阈值需要在国内处理数据。最近,在第二Schrems决定,欧盟显示它能走多远这个方向通过颠覆其地面数据传输协议与美国,欧盟公民的数据不是充分保护。这个如果不是本地化的另一个名字是什么?
豁免为执法的目的不仅仅是在世界各地的隐私法,他们几乎标准剧本的一部分。当然,印度的法律草案进一步甚至比我更喜欢,但我在这方面的分歧是学位,而不是物质。我希望看到豁免缓和了但没有数据保护法规在世界任何地方,消除这些豁免全部和我不指望印度将——或者应该。
最后,非个人数据。毫无疑问,试图规范非个人数据是一个新的前沿。如果印度下降这条路很有可能是世界上第一个国家甚至试着这样做。但是仅仅因为没有其他国家沿着这条道路是没有理由拒绝。从印度的非个人的兴趣日益增长的国际数据框架,越来越清楚的是,印度是比局外人更可能是一个先驱。
的一个特定的问题是与特定语言指非个人数据在PDP法案2019年,可以干扰更详细的监管框架被一个完全不同的概念化委员会由克里斯葛。值得庆幸的是,在其最新报告中,非个人数据委员会称其拟议机制相互作用的方式与即将到来的隐私法的规定显然试图解决任何预期的重叠,每个监管机构澄清的范围。
没有法律是完美的。每一个立法奋进号是到达最优的运动相互竞争的利益之间的权衡。PDP法案2019年也不例外。但是这是,在大多数情况下,一个好的法律——特别是在计数的领域。我们已经晚了10年。我们不要让完美成为优秀的敌人,让另一个十年。
马是一个合作伙伴Trilegal和专门技术,媒体和电信法律在印度
为了确保隐私,但给了国家控制我们的个人资料
这是对2022年的预测:印度的个人数据保护(PDP)法案,将实施的阶段,将几个诉讼法院的主题。
必定有一个强大的挑战,最令人震惊的法案的规定:批发给印度政府豁免获得公民的个人资料,包括从私人实体。法律是为了预示着一个时代的隐私将被视为违反这一基本权利。会有要求监督改革,对情报机构的活动更严格的审查。印度政府应该好好定义狭隘的国家访问数据和比例的异常,并限制情况下必要的:即攻击关键基础设施和调查恐怖袭击和可信的国家安全威胁。这些应该有高标准的政府委员会的批准,并开放给两党议会委员会的审查。
这是断然不一样的访问数据用于日常执法目的。理想情况下,该法案应该使一个单独的法律改革状态监测。面部识别系统的实现和无人机的治安,尤其是在德里和Telangana,邀请法律挑战。
还有其他问题与比尔:本地化的数据,根据数据细分到个人资料的,敏感的个人数据和关键的个人数据。这笨重的运动并不总是实用的实现。例如,如果有人把他们的种姓信息在简历上传在全球的工作平台,将如何被分割为敏感的个人信息吗?小型企业和创业公司,包括健康和财务应用程序,这样的细分和本地化将会导致不成比例的成本,因为他们可能会选择不服务印度市场。印度应该拥抱互联网的全球性,看其管辖权适用于印度公民的数据无关的数据存储,并寻求适当的安排与类似的方法对数据进行司法管辖区。
Age-gating PDP法案中是另一个值得关注的点。Covid-19大流行已经加快采用数字服务教育和娱乐,特别是儿童。要求监护人的同意对任何18岁以下的一些数据创建一个情况受托人最终会无意中触犯了法律,或剥夺绝大多数青少年。在一个共享的国家移动设备,少女的要求同意使用上网设备最终将进一步剥夺他们。成熟度级别不同大大13和16岁之间。PDP法案应该要求监护人的同意只有14岁以下为了使监督孩子没有禁用互联网接入的过渡到成年。确保合规即使对监护人的同意是困难没有大规模收集身份证,这将创建隐私伤害。的父母同意应该在最大努力的基础上,以避免繁重的责任。坦率地说,决定法案如何管理孩子的数据,最好留给数据保护机关进一步磋商。
同样,推断数据治理的私人电话进行进一步的磋商。它影响企业提供服务的能力,尤其是与潜在无常的数据,通过机器学习算法和自动生成。同时,比尔的最奇怪的部分之一是“非个人数据”的包容:为什么一个有关个人资料会有条款规定管理数据显式地定义为非个人,很难理解或证明。甚至为管理委员会MEITY创造了非个人数据建议放弃他的条款。
最后,监管这么重要,个人数据保护机构必须独立和授权。在当前的形式,这取决于中央政府任命,其权力,这让政府影响其功能范围。印度政府是最大的收藏家和处理器的数据在这个国家,和一个只有看Aadhaar的处理数据或的缺陷实现Aarogya是以协议由政府部门不能理解为什么疏忽溃烂。数据保护机构任命必须由一个委员会由印度首席大法官(或者他们的候选人)主席,和内阁部长和权力必须与领域专家可能会建议在数据保护方面,人工智能技术,和其他方面。
数据保护部门必须让公民信任,真正有效:它应该作为一个组织,适用于公民的隐私,即使这意味着持有政府机构、部门和官员负责。
Pahwa MediaNama。一家的创始人是
我尽量避免争论,就像这一个,的优点和缺点草案 个人数据保护法案2019 (PDP法案,2019)——因为现在它只是一个草案。目睹我们前两次在创建一个数据保护框架失败,我不愿数鸡蛋未孵出。也就是说,联合议会委员会似乎即将发布最终报告,所以我们可能会接近看到光的隧道,比以往任何时候都要多。
事实上PDP比尔是基于隐私原则,大多数现代民主国家订阅。牢牢植根于同意的概念,需要收集的所有实体个人资料提供通知的目的数据正在收集将使用以及一大堆其他信息必不可少的知情同意。它需要那些坚持原则的收集,收集数据的目的和使用的限制以及限制只保留数据的能力实现这一目标,只要是绝对必要的。
在我的经验中,这些规定大多数数据业务进行定期——经常指评估新业务是否可行的从隐私的角度以及在处理环境没有以前遇到的。我们的隐私法是全球一致的在这方面给企业的信心,他们可以以相同的方式处理数据在印度在世界上其他地方一样。
这并不是说,一会儿,法律草案劈开完美国际规范。如果在目前的形式通过,它将是第一个隐私法在世界任何地方明确数据本地化义务强加于某些类的处理的数据和提供广泛的豁免。试图扩大其超越个人资料- nonpersonal领域的数据重新定义数据本身的规定。
这些可能出现重大偏离常态,但如果你真的进入杂草,你需要问自己多少印度法律真正有别于世界其他国家在这些方面?
以本地化为例。我认为,本地化是隐含在任何跨境数据传输限制。每个国家规定某些阈值必须见过数据可以转移到境外。这样做,他们实际上是说,未能满足这些阈值需要在国内处理数据。最近,在第二Schrems决定,欧盟显示它能走多远这个方向通过颠覆其地面数据传输协议与美国,欧盟公民的数据不是充分保护。这个如果不是本地化的另一个名字是什么?
豁免为执法的目的不仅仅是在世界各地的隐私法,他们几乎标准剧本的一部分。当然,印度的法律草案进一步甚至比我更喜欢,但我在这方面的分歧是学位,而不是物质。我希望看到豁免缓和了但没有数据保护法规在世界任何地方,消除这些豁免全部和我不指望印度将——或者应该。
最后,非个人数据。毫无疑问,试图规范非个人数据是一个新的前沿。如果印度下降这条路很有可能是世界上第一个国家甚至试着这样做。但是仅仅因为没有其他国家沿着这条道路是没有理由拒绝。从印度的非个人的兴趣日益增长的国际数据框架,越来越清楚的是,印度是比局外人更可能是一个先驱。
的一个特定的问题是与特定语言指非个人数据在PDP法案2019年,可以干扰更详细的监管框架被一个完全不同的概念化委员会由克里斯葛。值得庆幸的是,在其最新报告中,非个人数据委员会称其拟议机制相互作用的方式与即将到来的隐私法的规定显然试图解决任何预期的重叠,每个监管机构澄清的范围。
没有法律是完美的。每一个立法奋进号是到达最优的运动相互竞争的利益之间的权衡。PDP法案2019年也不例外。但是这是,在大多数情况下,一个好的法律——特别是在计数的领域。我们已经晚了10年。我们不要让完美成为优秀的敌人,让另一个十年。
马是一个合作伙伴Trilegal和专门技术,媒体和电信法律在印度
为了确保隐私,但给了国家控制我们的个人资料
这是对2022年的预测:印度的个人数据保护(PDP)法案,将实施的阶段,将几个诉讼法院的主题。
必定有一个强大的挑战,最令人震惊的法案的规定:批发给印度政府豁免获得公民的个人资料,包括从私人实体。法律是为了预示着一个时代的隐私将被视为违反这一基本权利。会有要求监督改革,对情报机构的活动更严格的审查。印度政府应该好好定义狭隘的国家访问数据和比例的异常,并限制情况下必要的:即攻击关键基础设施和调查恐怖袭击和可信的国家安全威胁。这些应该有高标准的政府委员会的批准,并开放给两党议会委员会的审查。
这是断然不一样的访问数据用于日常执法目的。理想情况下,该法案应该使一个单独的法律改革状态监测。面部识别系统的实现和无人机的治安,尤其是在德里和Telangana,邀请法律挑战。
还有其他问题与比尔:本地化的数据,根据数据细分到个人资料的,敏感的个人数据和关键的个人数据。这笨重的运动并不总是实用的实现。例如,如果有人把他们的种姓信息在简历上传在全球的工作平台,将如何被分割为敏感的个人信息吗?小型企业和创业公司,包括健康和财务应用程序,这样的细分和本地化将会导致不成比例的成本,因为他们可能会选择不服务印度市场。印度应该拥抱互联网的全球性,看其管辖权适用于印度公民的数据无关的数据存储,并寻求适当的安排与类似的方法对数据进行司法管辖区。
Age-gating PDP法案中是另一个值得关注的点。Covid-19大流行已经加快采用数字服务教育和娱乐,特别是儿童。要求监护人的同意对任何18岁以下的一些数据创建一个情况受托人最终会无意中触犯了法律,或剥夺绝大多数青少年。在一个共享的国家移动设备,少女的要求同意使用上网设备最终将进一步剥夺他们。成熟度级别不同大大13和16岁之间。PDP法案应该要求监护人的同意只有14岁以下为了使监督孩子没有禁用互联网接入的过渡到成年。确保合规即使对监护人的同意是困难没有大规模收集身份证,这将创建隐私伤害。的父母同意应该在最大努力的基础上,以避免繁重的责任。坦率地说,决定法案如何管理孩子的数据,最好留给数据保护机关进一步磋商。
同样,推断数据治理的私人电话进行进一步的磋商。它影响企业提供服务的能力,尤其是与潜在无常的数据,通过机器学习算法和自动生成。同时,比尔的最奇怪的部分之一是“非个人数据”的包容:为什么一个有关个人资料会有条款规定管理数据显式地定义为非个人,很难理解或证明。甚至为管理委员会MEITY创造了非个人数据建议放弃他的条款。
最后,监管这么重要,个人数据保护机构必须独立和授权。在当前的形式,这取决于中央政府任命,其权力,这让政府影响其功能范围。印度政府是最大的收藏家和处理器的数据在这个国家,和一个只有看Aadhaar的处理数据或的缺陷实现Aarogya是以协议由政府部门不能理解为什么疏忽溃烂。数据保护机构任命必须由一个委员会由印度首席大法官(或者他们的候选人)主席,和内阁部长和权力必须与领域专家可能会建议在数据保护方面,人工智能技术,和其他方面。
数据保护部门必须让公民信任,真正有效:它应该作为一个组织,适用于公民的隐私,即使这意味着持有政府机构、部门和官员负责。
Pahwa MediaNama。一家的创始人是
评论
现在评论 阅读评论(1)所有评论
找到这个评论进攻?
下面选择你的理由并单击submit按钮。这将提醒我们的版主采取行动