The 30-member Joint Parliamentary Committee (JPC) reviewing the Personal Data Protection (PDP) Bill 2019 has proposed 89 amendments, an additional clause and amendments in the schedule following a marathon 66 sittings and 160 hours of deliberation—the highest for any bill. The importance attached to the subject is evident. More than 130 countries now have data protection regulations in some form to tackle the quagmire of data ecosystems: A near black box on personal data gathering and processing by governments; service providers; cloud and data centres; applications; websites; platforms; browsers and plugins; operating systems; network intermediaries; sensors; device manufacturers; payment processors; third parties; security solutions providers; auditors; researchers, etc. Data protection legislation is the need of the hour as we orient our lives more digitally in a tech-infused world. Ideally, users should be able exercise control over their information processed across layers. Practically, the law should lead to empowered consumers, result in significantly more transparency and visibility on data processing ecosystems, curb excessive and bad faith processing, and advance digital economy goals. With tech evolution defying Moore’s law and the data ecosystem blooming, the need to modernise the Bill is paramount.
Recent news of instant money lending applications harassing—calling family and friends after gaining access to contacts, publishing morphed photographs accessed from phone gallery—and publicly shaming defaulters have resulted in multiple suicides, which is peak harm. ‘Recovery of debt’ is listed as a reasonable purpose (Section 14, PDP Bill) for processing data without consent, but such processing drastically impacts the rights and reasonable expectations of data principals. Malware and spyware (e.g., Pegasus) are covertly installed on phones to surveil targets and siphon data. Private chats gathered during investigations are broadcasted on prime time television in “public interest”.
Blackmail, extortion (and sextortion) and intimidation using personal information are punishable offenses under central and state laws. But the law upholding privacy protection should limit unreasonable processing and ensure the individual’s right to appeal and to remedy privacy violations.
Provisioning blanket exemption to government agencies from the application of the data protection law and processing obligations (Section 35, PDP Bill) poses a challenge to reforming and upgrading the data access and surveillance regime. The importance of procedural safeguards, the right to effective recourse, and necessary and proportionate access principles has been reiterated by numerous Supreme Court judgments like PUCL v. Union of India and K.S. Puttaswamy v. Union of India.
Such an exemption might inadvertently curtail the government’s stated vision of becoming the data processing and analytics hub of the world, and dent digital economy goals. According to the updated draft of the Standard Contractual Clauses (SCCs) by the European Commission on personal data transfers outside the European region, data exporters must take into account the laws and overall regime that enable public authorities to access personal data through binding requests in the destination country, and gauge if they meet “necessary and proportionate” requirements expected from a “democratic society”. If governments and businesses find the exemption under Section 35 of the PDP Bill excessive, digital trade and investments, and the ability to forge agreements, might be impacted.
Exempting data processors from following any obligation for processing the personal data of foreigners received from clients abroad using contracts (Section 37, PDP Bill) might appear a tempting quick fix for the business process management sector. However, it could potentially result in the mushrooming of a “sinister” data processing industry that runs on unsanctioned processing and contractually legitimised abuse of personal data.
The current (and previous) draft of the Bill also does not provide effective means or remedies to users against the collection and processing of personal data by foreign government agencies either directly or through the private sector. The Court of Justice of the European Union (CJEU) in Schrems-II suspended the EU-US Privacy Shield governing personal data flows from the EU to the US, citing a lack of safeguards and the limited recourse to EU residents against processing by US government agencies as reasons. The Indian law needs to address this sooner rather than later as such matters will hit Indian courts. But the tricky part is in determining how national laws will uphold sovereignty and individual’s rights in foreign government processing—for instance, through bulk surveillance programmes or by requiring forceful access to cell phones and social media accounts at entry points, or when companies and individuals are lawfully obliged to share data (including from foreign operations) with the government agencies where they are headquartered.
Section 34 of the PDP Bill restricts cross border transfer of sensitive personal data for processing unless contracts provide effective protection of rights of data principals and assign liability (accountability) to the exporting entity (data fiduciary) for any harm caused. Besides, if harm resulting from information processing is not restricted by borders, should protection and exercise of the fundamental right to privacy be similarly restricted?
The government in its comments to the ‘United Nations Open-ended Working Group on information and telecom development in context of international security’ recommended a new form of sovereignty based on ownership of data, i.e., jurisdiction based on individual citizenship irrespective of location of data storage/processing. Data protection law should carefully navigate different approaches of jurisdiction applicability based on the location of entities, location of storage/processing facilities and origin of data (with extra-territorial reach) as it will chart the future direction of the global digital economy.
Bilateral digital economy trade agreements (US-Japan, Japan-UK, Australia-Singapore etc.) and multilateral arrangements like Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), US-Mexico-Canada (USMCA), and the Regional Comprehensive Economic Partnership (RCEP) all discuss limiting restrictions on cross border data transfers and curbing ‘localise as much computing facilities’ tendencies in varying degrees. There seems to be a rough consensus of sorts though on the localisation of financial data, and healthcare and certain biometrics data might be next following the COVID-19 pandemic. Localisation can address some concerns but seeing it as a panacea to privacy and geo-tech-data strategic woes will be counterproductive in the long run.
Implied localisation also significantly impacts global value chains. After Schrems-II, three European Data Protection Agreements (DPAs) (German, French and Irish) issued transfer suspension orders. Policy uncertainty on data flows becomes a nightmare for businesses’ cross border operations. And with the burden of assessing adequacy of regimes falling on individual organisations, the way out for most is rather simple—drop the idea of transfer and settle for something local.
The US and EU are now attempting a third bilateral solution for personal data transfers. India and the EU too expressed their desire for “reciprocal adequacy”. Shedding silos, perhaps, it is time democracies developed acceptable standards for transfers, processing and access before trust deficit peaks and data islands become the norm.
Privacy-invasive technologies like facial identification, drones and public CCTVs by government entities, or programs like theNational Intelligence Grid (NATGRID), need the backing of laws, regulations and information systems should meet privacy-by-design requirements approved through regulatory sandbox (Section 40, PDP Bill) before active deployment. Similarly, tnew form of entities and community players (like consent managers and account aggregators) envisaged in multiple regulations and frameworks need to be legally formalised before they start to function.
The increasing power being wielded by big tech firms is becoming the centrepiece of regulatory focus everywhere. Privacy violations and anti-trust cases are being pursued across continents. More is expected and required from large firms to repose trust in the digital economy. SDFs with their principal place of business or headquarters outside India should self-certify that no data and inferences from Indian operations are shared with other governments, except necessary and proportional lawful access requests. Their boards should be required to approve data processing privacy risk assessment periodically, akin to board approved cyber security policy mandated in the banking sector by the Reserve Bank of India. If SDFs repurpose/reverse data processing commitments made during mergers and acquisitions or when amalgamating multiple services under common platforms, regulatory intervention is warranted.
High compliance cost coupled with the provision of heavy fines could hamper the growth of MSMEs, that are already reeling under pressure. Conversely, exempting start-ups that engage in systematic data processing will adversely affect the privacy landscape. If an accidental data breach is followed by responsible reporting, organisations should be allowed to earn back a substantial portion of penalties if they demonstrate corrective practices over time. The law aims to build a culture of privacy protection and security enhancement in organisations, and penalties should not be treated as revenue streams for the government. The government can also help by providing open-source tools for data processing management to registered Indian MSMEs, like GSTN offers free accounting and billing software.
Lastly, the Bill should address some open-ended questions. What happens to data with apps that are banned and companies that get dissolved? Who remains accountable for retention/security and how are the principles of lawful processing and legitimate access observed? What are the reasonable expectations for processing the data of the deceased? Should the Bill envisage a legal ‘digital heir’ (or nominee) of personal data post an individual’s demise?
The trust deficit in the global data ecosystem is nearing its peak. A well-rounded data protection law will help bridge gaps, instil user confidence, power trusted innovation, fuel economic progress and could serve as a reference model for other countries looking to advance digitisation and their data protection journey. A lot depends on implementation and effective enforcement. Hopefully, the PDP Bill will become an Act in 2021.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.
Rahul is founder of The PerspectiveTM &: Grade AceTM. With more than a decade experience working in Technology Public Policy Cyber Security and the Privacy ...Read More +