I try to avoid debates, like this one, on the pros and cons of the draft Personal Data Protection Bill, 2019 (PDP Bill, 2019) — because right now it is just that — a draft. Having witnessed our two previous attempts at creating a data protection framework fail, I am reluctant to count my chickens before they hatch. That said, the Joint Parliamentary Committee seems on the verge of issuing a final report, so we might be closer to seeing light at the end of this tunnel than ever before.
It is a fact the PDP Bill is based on privacy principles that most modern democracies subscribe to. It is firmly grounded in the notion of consent, requiring all entities that collect personal data to provide notice of the purpose for which the data that is being collected will be used as well as a whole host of other information essential for informed consent. It requires those who collect data to adhere to principles of collection, purpose and use limitation as well as limits their ability to retain data for only so long as is absolutely necessary to achieve the purpose.
In my experience, these are the provisions that most data businesses engage regularly — frequently referring to them to evaluate whether a new line of business is viable from a privacy perspective as well as in dealing with circumstances not previously encountered. That our privacy law is globally consistent in this regard gives businesses the confidence that they can process data the same way in India as they do everywhere else in the world.
This is not to say, for a moment, that the draft law cleaves perfectly to international norms. If passed in its current form, it will be the first privacy law anywhere in the world to impose explicit data localisation obligations on the processing of certain classes of data and to offer broad exemptions to the State. And by attempting to extend its reach beyond personal data — into the realm of non-personal data — it re-defines the regulation of data itself.
These might appear to be significant departures from the norm but if you really get into the weeds you need to ask yourself how much the Indian law really differs from the rest of the world in all these aspects?
Take localisation for example. I would argue that localisation is implicit in any cross-border data transfer restriction. Every country stipulates certain thresholds have to be met before data can be transferred outside its borders. In doing so they are actually saying that the failure to meet these thresholds would require data to be processed domestically. Recently, in the second Schrems decision, the EU showed just how far it could go in this direction by upending its data transfer arrangement with the US on the ground that the data of EU nationals was not adequately protected. What is this if not localisation by another name?
Exemptions for law enforcement purposes are not only commonplace in privacy laws around the world, they are almost part of the standard playbook. Granted, the Indian draft law goes further than even I would prefer, but my disagreement in this regard is with the degree and not the substance. I would like to see exemptions toned down but there isn’t a data protection statute anywhere in the world that has eliminated these exemptions in their entirety and I don’t expect India would — or should.
Finally, non-personal data. There is no doubt that the attempt to regulate non-personal data is a new frontier. If India goes down this path it could well be the first country anywhere in the world to even try and do something like this. But just because no other country is going down this path is no reason to balk. Judging by the growing international interest in India’s non-personal data framework, it is becoming clear that India is more likely to be a pioneer than the outlier in the field.
One of the specific concerns that has been raised is in relation to specific language referring to non-personal data in the PDP Bill 2019 that could interfere with the more detailed regulatory framework being conceptualised by an entirely different committee headed by Kris Gopalakrishnan. Thankfully, in its latest report, the non-personal data committee has described the manner in which its proposed regime will interplay with the provisions of the forthcoming privacy law attempting to resolve any anticipated overlaps by clearly clarifying the scope of each regulator.
No law is ever perfect. Every legislative endeavour is an exercise in arriving at an optimal trade-off between competing interests. The PDP Bill 2019 is no different. But this is, for the most part, a good law — particularly in the areas that count. We are already 10 years late. Let’s not make perfect be the enemy of good and allow another decade to slip by.
Matthan is a partner with Trilegal and specialises in technology, media and telecommunications law in India
Meant to ensure privacy, but gives state control over our personal data
Here’s a prediction for 2022: India’s Personal Data Protection (PDP) Act, which will be in the infancy of its implementation then, will be the subject of several lawsuits in courts.
There is bound to be a strong challenge to the most egregious of the bill’s provisions: the wholesale exemptions given to the Indian government to access the personal data of citizens, including from private entities. A law that was meant to herald an era of privacy will be seen as violating this fundamental right. There will be calls for surveillance reform, and greater scrutiny on the activities of intelligence agencies. The Government of India would do well to define narrow and proportionate exceptions for state access to data, and limit it to situations where necessary: namely, attacks on critical infrastructure and investigations into terrorist attacks and credible national security threats. These should have the sanction of a high-level government committee, and be open to scrutiny by a bipartisan Parliamentary committee.
This is emphatically not the same as accessing data for day-to-day law enforcement purposes. Ideally, the bill should enable a separate law on reforming state surveillance. The implementation of facial recognition systems and drones for policing, especially in Delhi and Telangana, invites legal challenge.
There are other issues with the bill: the localisation of data, based on the idea of segmentation of data into personal data, sensitive personal data and critical personal data. This cumbersome exercise is not always practical to implement. For example, if someone puts their caste information in a resume uploaded on a global job platform, how will that be segmented as sensitive personal data? For small businesses and startups, including health and financial apps, such segmentation and localisation will lead to disproportionate costs, because of which they might choose not to service the Indian market. India should embrace the global nature of the internet, look to apply its jurisdiction to the data of Indian citizens irrespective of where the data is stored, and seek adequacy arrangements with jurisdictions with a similar approach to data.
Age-gating is another point of concern in the PDP bill. The Covid-19 pandemic has sped up the adoption of digital services for education and entertainment, especially among children. Mandating a guardian’s consent for anyone below the age of 18 creates a situation where some data fiduciaries will end up inadvertently breaking the law, or disenfranchising a vast majority of teenagers. In a country with shared mobile devices, the requirement of consent for teenage girls to use internet-enabled devices will end up further disenfranchising them. Maturity levels differ vastly between 13 and 16-year-olds. The PDP Bill should require consent of a guardian for only those below the age of 14 in order to enable oversight for young children without disabling Internet access for those transitioning to adulthood. Ensuring compliance even for a guardian’s consent is difficult without the mass collection of ID cards, which will create privacy harms. The collection of parental consent should be on a best-efforts basis, to avoid onerous liability. Frankly, decisions regarding how the bill governs children’s data are best left for further consultation by the Data Protection Authority.
In the same way, the governance of inferred data as personal calls for further consultation. It has implications on the ability of businesses to provide services, especially with potential transience of such data, and automated generation by machine learning algorithms. Also, one of the strangest parts of the bill is the inclusion of “non-personal data”: why a law concerning personal data would have a clause governing data that is explicitly defined as non-personal is hard to understand or justify. Even the committee that MEITY has created for governing non-personal data has recommended that this clause be dropped.
Lastly, for a regulation as significant as this, the Personal Data Protection Authority must be independent and empowered. In the current form, it depends on the central government for its appointments and its powers, which leaves scope for the government to influence its functioning. The government of India is the largest collector and processor of data in this country, and one only has to look at its handling of Aadhaar data or the flawed implementation of the Aarogya Setu protocol to understand why negligence by government departments cannot be allowed to fester. Appointments to the Data Protection Authority must be done by a committee comprising the Chief Justice of India (or their nominee) as chairperson, and the cabinet secretary, and the Authority must work with domain experts who may advise it on matters of data protection, artificial intelligence, technology, and other aspects.
The Data Protection Authority must inspire trust in citizens, to be truly effective: it should serve as an organisation that works for citizens’ privacy, even if that means holding government agencies, departments and officials accountable.
Pahwa is the founder of MediaNama