Super-77 this was the drink that the Janata Government launched when Coca-Cola had to wrap its operations from India years ago. It was one of the most well-known government – corporate tussles over trade secrets in India. Coca-Cola simply denied sharing its formula of the drink citing it as a trade secret and rather opted to leave the market place. The current data protection regime that India Inc. is eying for might see several such disputes. Is there a way India Inc. can look at a smoother approach towards the Personal Data Protection Bill 2019? Here’s an interesting read through.
The narrative around data protection in India reached a crescendo during the hearings in the K.S. Puttaswamy vs. Union of India (2017) “right to privacy” case. In a landmark verdict, a nine-judge bench of the Supreme Court of India affirmed the right to privacy as a fundamental right.
During the case, the Indian government set up an expert committee to devise India’s data protection framework. After a public consultation on a white paper, the committee submitted a draft Personal Data Protection Bill and an accompanying report interestingly entitled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians.” Ultimately, the Personal Data Protection Bill was introduced into Parliament in December 2019.The Personal Data Protection Bill 2019 is currently being examined by a Joint Parliamentary Committee of Parliament as Clause 91 of the bill that allows the government to acquire data from any company operating in India. While this may be sounding familiar when compared to other domains like real estate where government can peruse and acquire private properties for public purposes in lieu of adequate compensation, but there seems to be a very strong wave of hesitation from the corporates on this.
The provision states that “the Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide” any anonymised data to “enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government” in a manner that is to be prescribed in the rules.
What are the stated motivations behind the law? The bill’s preamble identifies three key focal points:
The right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy.
The growth of the digital economy has expanded the use of data as a critical means of communication between persons.
It is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.
The Economist published an article back in 2017 titled, “The world’s most valuable resource is no longer oil, but data.” These days, the topic has provoked a great deal of discussion, and “Data is the new oil”, a remark made by British mathematician Clive Humby back in 2006, has now become a part of the common refrain. The dynamics of modern civil liberty has changed now. The world is moving into the Orwellian era, where every movement is being monitored, not bodily movements but the likes and dislikes of an individual. We are in an era of data-profiling, where unregulated spying on the contents of one’s social media will easily help anyone figure out one’s religious affiliation, ideological stances and even sexual orientation, something that is inherent to one’s identity and is cherished across the world as sensitive information.
In a historic ruling, India’s Supreme Court brought us into a club of progressive countries such as the US, Canada and the UK that expressly guarantee privacy as a fundamental right. The verdict included informational privacy as a vital facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. The court pointed out to the Centre the need to examine and put in place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.
However, in the wake of the recent hoopla surrounding the Citizenship (Amendment) Act related protests, the developments concerning the Personal Data Protection Bill 2019 have flown under the radar. However, considering the effect that this Bill will have upon being enacted, it demands acute scrutiny. It was introduced in the Lok Sabha, and thereafter referred to a Joint Parliamentary Committee. The public can offer suggestions and comments on the Bill till February 12; this provides us with perhaps the last chance to voice our opinions before it is presented for voting.
The EU’s General Data Protection Regulation (GDPR) has served as the blueprint for the PDP Bill, with several provisions bearing striking similarity, particularly those granting rights to individuals and those levying penalties. The Bill is a part of the government’s larger agenda to leverage the personal data of individuals, as evident from the draft e-commerce policy, the Aadhaar Act, the data localisation mandate issued by the Reserve Bank of India (RBI), and the upcoming National Level Blockchain Framework.
The Joint Parliamentary Committee under the chairpersonship of Meenakshi Lekhi, which is looking into the Personal Data Protection Bill, 2019, has sought comments on the Bill. The Committee currently includes 28 members, of which 15 are from the BJP, 3 from the INC, 1 from TMC, 2 from BJD, 1 each from DMK, YSR Congress, Shiv Sena, BSP, JDU, AIADMK, and TRS:
20 members from the Lok Sabha: Meenakshi Lekhi, BJP; PP Chaudhary, BJP; SS Ahluwalia, BJP; Tejasvi Surya, BJP; Ajay Bhatt, BJP; Col. Rajyavardhan Singh Rathore, BJP; Sanjay Jaiswal, BJP; Kiritbhai Solanki, BJP; Arvind Dharmapuri, BJP; Dr. Heena Gavit, BJP; Uday Pratap Singh, BJP; Raving Ranjan Singh, JDU; Gaurav Gogoi, INC; Kanimozhi, DMK; PV Midhun Reddy, YSR Congress; Dr. Shrikant Eknath Shinde, Shiv Sena; Bhartruhari Mahtab, BJD; Ritesh Pandey, BSP and
10 members from the Rajya Sabha: Bhupendra Yadav, BJP; Suresh Prabhu, BJP; Rajeev Chandrasekhar, BJP; Ashwini Vaishnaw, BJP; Jairam Ramesh, INC; Vivek K. Tankha, INC; Derek O’Brien, TMC; A. Navaneet Hakrishnan, AIADMK; Ram Gopal Yadav, TRS; Amar Patnaik, BJD. Note that S. Jothi Mani (INC) and Prof. Saugata Roy (TMC) have resigned from the committee, and Manish Tewari (INC) and Mahua Moitra (TMC) have joined the committee.
The provision which allows exemptions for government agencies is necessary for any government to function. But while these are necessary measures, the safeguards may not be sufficient. There may not be an easy enough articulation that gives adequate power to the government without allowing for it to misuse it. A government with the motivation to do so can misuse the provisions available, but the intention of the provision is necessary and it needs to be allowed. In a sense, we are required to trust the government and rely on it to do its job in the spirit of the laws that are applicable. Use of data that is collected under the provisions available in Chapter 8, Section 36 or 35 for commercial purposes will definitely amount to a breach of law. However, I do not think there is a cause of concern with respect to commercial use of the data. There may not be an easy enough articulation that gives adequate power to the government without allowing for it to misuse it. A government with the motivation to do so can misuse the provisions available, but the intention of the provision is necessary and it needs to be allowed. In a sense, we are required to trust the government and rely on it to do its job in the spirit of the laws that are applicable. Use of data that is collected under the provisions available in Chapter 8, Section 36 or 35 for commercial purposes will definitely amount to a breach of law. However, I do not think there is a cause of concern with respect to commercial use of the data.
The government cites that corporates have access to data sets that can be of immense usage and relevance for it to discharge its functions like framing public policy etc. For instance, companies like Uber, Ola etc can have great data set contributions to government’s planning mandates for town infrastructure, traffic flow etc. Similarly, healthcare diagnostic chains would possess data which will be key to developing the next generation of artificial intelligence for the healthcare industry and will be a necessary raw material for public funded research institutes working in this area.
One might wonder and the reactions coming in could be a bit of an exaggeration as there have been laws of similar intent and so-called right to the government machinery when it comes to access to data held by entities in India. The Collection of Statistics Act, 2008, arms the government with some rather draconian powers to acquire information from anyone in the country to compile statistics. That law, however, does come with a purpose limitation that allows the government to use the collected data only for statistical purposes and nothing else.
There have been several debates around compensation for the data that the government plans to source from corporates. While on one hand, the same real estate and infrastructure assets come into play for comparison, there is also a strong sentiment of defense from the government’s side that private property has always been an aspect of high emotive values and hence drawing conclusions or parallels for data compensation would not be a justified one.
Whether Article 19(f) or Article 31 later, there is always a manipulated approach towards the compensatory part when it comes to real estate, property and similar assets.
The question, in the context of the PDP Bill, is whether a property right exists in data. The PDP Bill does not expressly confer the status of ‘property’ on data. Rather the draft law uses the conceptual framework of a ‘fiduciary’ relationship between the citizen and the corporation to bestow on the corporation a duty to protect the data, guided by the best interests of the citizen. Does this however prevent a court from protecting data within the ‘property’ framework or does data by its very nature completely evade the definition of ‘property’? Contrary to common conception, property does not have to be tangible. Copyrights have been classified as property by Indian courts in some cases despite the Copyright Act never using the phrase “property”. In the public discussions leading to the PDP Bill, there were calls to classify data as property.
This is not the first time an organization has raised its voices against the set norms in the PDP Bill. Experts have demanded clarification in several areas of ambiguity that exists in the draft Bill which needs to be better clarified for businesses to fully comprehend the extent of adjustments businesses will have to do to comply with them.
In December, the Internet and Mobile Association of India (IAMAI) shared its concerns about the PDP Bill. IAMAI had said that some of the norms of the bill can be restrictive for service providers and enterprises and may not be inclined towards India’s target of a $1 Trillion digital economy by 2024.
Modelled on similar concepts of the European Union’s General Data Protection Regulation (GDPR) that came into existence on May 25, 2018, the PDP Bill bears some striking similarity with the former, particularly in areas of granting rights to individuals and those levying penalties.
For example, a company may have to pay a penalty of up to Rs 15 crore or 4% of its global turnover if found violating norms under the Bill. Failure to conduct a data audit will attract a fine of Rs 5 crore or 2% of the annual turnover of the company. This automatically involves a lot of costs, which may be extremely difficult for smaller companies to bear.
Further, a provision in point is Section 25, which allows the Data Protection Authority, the designated regulatory body, the discretion of informing an individual of breach of his/her data. Such a provision should be done away with, and leaks, and should be directly intimated to the concerned individual, believe experts.
An observation of various sectors such as banking and insurance illustrate that the concerned authorities namely, RBI and IRDA, have formulated rules and regulations concerning data protection in that particular sector. For a seamless and comprehensive data protection law, it is imperative that such powers must reside solely with the Data Protection Authority. Moreover, with the latter consisting of technological experts, it is only natural that the guidelines regarding data protection be formulated by them. Currently, the Bill makes no clear mention of such provisions, and the same can be added.
MediaNama held discussions in Delhi and Bangalore on the main aspects and impact of the Bill with a wide set of stakeholders. The discussions were held with support from Facebook, Google, and STAR India in Delhi, and with support from Facebook and Google in Bangalore. The discussions were held under Chatham House Rule, so quotes have not been attributed. Quotes are not verbatim and have been edited for clarity and brevity.
There are potentially two safeguards against broad surveillance and unwarranted government access to data as given under Section 36, according to a speaker:
Section 4 [Prohibition of processing of personal data except for “specific, clear and lawful purpose”]: Section 36 does not exempt the operation Section 4. The requirement for clarity and specificity might obviate some of the broadness that comes with this kind of surveillance.
Section 92 [Bar on processing certain forms of biometric data]: This section prohibits the processing of biometric information except when permitted by law. There are very few statutes that explicitly authorise the processing of biometric information — Aadhaar Act and Identification of Prisoners Act, 1920 that permits people to be fingerprinted when a person is arrested.
However, if the exemption is granted under Section 35, that’s a “wholesale exemption” which is a more difficult situation, they clarified.
DPA is crucial to curtailing government access to data: According to the Bill, government agencies are also data fiduciaries and have responsibilities that a data fiduciary would have. But they can be relieved of most, if not all, of their duties through exemptions under Section 35 and Section 36. However, a speaker pointed out that this would be governed by the efficacy of the Data Protection Authority (DPA). “With this Bill, we have vested all our faith in the DPA to keep us safe from any privacy violation. But if the DPA itself is ineffective or compromised, nothing will work,” a speaker said.
DPA’s functioning would be determined by how independent it is, but under the latest draft, it is executive committee. Unlike the 2018 Bill, there are no judicial members. As a result, the DPA will effectively be controlled by the government, and thus its effectiveness remains a fundamental question, the speaker said. But, as a speaker pointed out, “the whole point is that the central government is the first violator”.
“We saw this happen with the Cyber Appellate Tribunal under the IT Act. When one of the chairpersons retired, the government did not appoint any one new and just kept the post vacant. And thus the Tribunal became essentially nonfunctioning.” — a speaker
Make the objective and preamble of the Bill unequivocally about data protection: “The Preamble of the Bill needs to unequivocally state that it is for the enforcement of administration of the right to privacy of all individuals. The digital economy equivocation has to go. How would we feel if the Domestic Violence Act said that it is meant ‘to prevent violence against women and to preserve family values’,” a panelist railed.
State should be the model data controller: The Statement of Objectives of the Bill should say that the State will be the model data controller. Also, a speaker said that the term ‘data fiduciary’ has to go as it deprives users of their agency. “Data controller is a much better functional term,” they offered.
Judicial review of access to personal data by government agencies: Just as the Srikrishna Committee had recommended in its report, there should be prior judicial review of State access of personal data. “This can de done through a designated court or judicial members in an independent authority such as the DPA,” proposed a speaker. This includes an appeal mechanism against the decisions of this judicial body, and ex-ante and ex-post reporting mechanisms.
Oversight mechanisms to make State agencies accountable: “Oversight bodies should be identified which monitor the working of State agencies,” a speaker said. Such bodies should release periodic reports with details about the functioning of these agencies, data fiduciaries which constantly get requests for personal data, and the number of requests they receive.
Amend the Bill to curtail exemptions under Section 35: When it comes to inclusion of four more grounds to blanket exemption for agencies under Section 35, speakers generally opposed the move and said that the Bill needs to be amended to define terms such as ‘national security’, ‘public order’ narrowly.
Notify users: Deferred notice should be sent to data subjects, a panelist said. “This should be followed by right to redress,” they said. There should also be a means to notify the user if there is any kind of unlawful surveillance, another speaker proposed, both by the private companies and by the State.
Evidence from surveillance that was not a proportionate response be inadmissible: Taking a leaf out of the Bombay High Court judgement on evidence collected from disproportionate surveillance, a speaker suggested that information that is obtained from surveillance which does not conform to the proportionality standard of the Supreme Court should be decreed unconstitutional and not be admitted in court.
Appoint Data Protection Officer for State agencies: “Law enforcement agencies and agencies accessing this kind of personal data should have a data protection officer which goes through interception warrants and data requests, and make sure that they adhere to the law, and have least restrictive measures,” a panellist suggested.
Need for whistle-blower protection: Although whistle-blower protection was not discussed by the Justice Srikrishna Committee, it is required in light of revelations about the NSO Group-Pegasus scandal where it is a clear that a government agency purchased it, but its identity remains unknown, a panellist said. “We have a Whistle-blower Protection Act, but it has not been brough into force, and even that does not do enough,” they argued.
Have a separate law to implement surveillance reform: “We need a separate law that gives intelligence agencies a statutory basis for their existence itself,” a speaker said.
Data protection often revolves around the transfer of data. In this regard, the proposed Bill has attracted a lot of attention from Indian firms and technology tycoons across the world. The PDP Bill lays down provisions for combating the misuse of personal data in the country. It mandates data processing activities like data protection, storage and management. However, on the other side, if the bill is passed, it could bring major implications for national security, foreign investment and international trade. The blanket powers that the bill provides the government with, to access customer’s data is termed ‘dangerous.’ Some believe that the bill would represent new, significant threats to Indians’ privacy. India’s smartphone market has risen to over 500 million active internet users. It has also seen a surge in internet based start-ups. “There is an increasing need to have proper guidelines in place to secure confidential data… we hope the Bill will have a proper balance of data privacy and protection, which will lead to increased transparency,” Bhavin Turakhia, founder of Flock, a team collaboration software said. The bill has not specifically cited the government’s desires to contain false information for this proposal. Instead, the bill insists that this would bring more “transparency and accountability.”
www.grandmasters.in | 8 Years & Counting
www.rcls.in | 8 Years & Counting
www.itlegalsummit.com | 8 Years & Counting
www.bfls.in | 8 Years & Counting
www.maels.in | 8 Years & Counting
www.plcs.co.in | 8 Years & Counting
Copyright © 2020 Lex Witness - India's 1st Magazine on Legal & Corporate Affairs Rights of Admission Reserved
