The perspective and approach taken for a law or policy inform its contents. The much-awaited draft
Personal Data Protection Bill, 2018 (PDP Bill), released by the ‘Committee of Experts under the Chairmanship of Justice BN Srikrishna’, appears to have approached the entire issue with good intentions, but coupled with a sense of suspicion of service providers, fear, and overwhelming deference to state power. As a result, the outcome document is fraught with infirmities.
The PDP Bill is accompanied by a more comprehensive report, which outlines the various contours of the ‘data’ debate, titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians” (COE Report).
The COE Report presents a rich framework of discussion: it lays down varying viewpoints, debates the pros and cons of different approaches, and examines the tensions that arise between protecting data and unlocking the digital economy for economic growth. It discusses the laissez-faire approach of the US legal framework and the EU’s focus on individual privacy, and then explains the need for a sui generis Indian approach, which it believes lies at the cusp of two ideas: the role of the State in serving the common good, and a clear, enforceable framework for the individual right to privacy that checks the power of the State.
The richness of the discussion, unfortunately, gets obfuscated by the set of recommendations and the PDP Bill, whose approach can be summarised as follows:
(i) Individual consent is required for data processing, but such consent is not required in a variety of circumstances, including when such processing is “necessary” for “functions of the State” or in the “public interest”. The fact that the recommendations draw a distinction between the functions of the State and the public interest is itself an interesting reflection of the conflicting debate. The broad set of exclusions clearly dilutes the focus and purpose of the individual’s consent, which is meant to tie the use of data to the purpose for which it was collected.
(ii) “Explicit” individual consent is required only when the data falls in the category of “sensitive personal data”, such as passwords, financial data, health data, sex life, etc. But in this case too, consent is not required when it is “strictly necessary” for the State (but not necessarily public interest) to access such sensitive personal data.
Leaving aside the various undefined terms such as “necessary”, “strictly necessary”, “consent” and “explicit consent”, the draft PDP Bill is worrisome for the overarching and unfettered powers and discretion it confers on the State to access individual data, which, arguably, goes against the spirit of the landmark ‘right to privacy’ ruling of the Supreme Court of India last August. In the process, it appears to pay only lip service to the Bill’s own preambular paragraphs, which refer to the right to privacy as a fundamental right and to growth of the digital economy through the use of data. The present draft PDP Bill, therefore, needs to be reviewed with great care and caution.
Digital Economy: Implications of the PDP Bill
Leaving aside serious constitutional law concerns, the draft Bill appears to undermine the economic basis for India’s IT sector. India’s IT skills are widely acknowledged to be a significant asset and driver of growth for the digital economy. Underlying the growth model for this sector is the “global services delivery model”, which works on the principle of a seamless workflow between offshoring of services to Indian IT companies and support provided by Indian IT professionals both offsite (i.e., remote support) and onsite, as required. This is what enabled Indian firms to leverage and realise the comparative advantage of highly skilled Indian IT resources and to develop significant market shares in the US and EU. The US backlash, through legislative curtailing of temporary visas for service professionals providing onsite support, is well documented; so are the challenges emerging from the EU’s data protection regime.
In such a scenario, the PDP Bill, if passed in its current form, presents a newer set of unique challenges. To name a few:
(i) A copy of all personal data processed in India must be stored on a server or in a data centre located in India. A bizarre exception to this “rule” is that personal data relating to the “strategic interests of the State” may be exempted from the requirement to be stored in India (section 40(3));
(ii) The government can notify categories of “critical personal data” that shall only be processed on a server or in a data centre located in India. However, there are no criteria on the basis of which such data will be notified, which leaves the government with unfettered discretion to determine this.
The dissenting note of the Committee’s representative from the Data Security Council of India (DSCI), a Nasscom initiative, summarises her grave concerns for the “$167 billion IT-BPM industry” in India, which, she explains, processes financial, healthcare and other data of citizens and companies of the US, EU and other parts of the world.
In fact, the rather open and loose wording of the PDP Bill does not confine its applicability to data of Indian citizens alone. It applies to all situations of “processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India”. In other words, it would apply to all personal data provided by a foreign company to an Indian IT company for processing, even when the Indian entity is located in an IT-SEZ and dedicated to processing only non-Indian data.
The PDP Bill has to be reviewed in light of its potential adverse impact on an industry that contributes almost 42 percent of India’s service exports and is one of the main employment sectors in India. The impact of this draft PDP Bill cannot, therefore, be overstated. If the intention of the government is to achieve economic growth, this draft PDP Bill is certainly not a step capable of supporting that.
The bigger you are, the more you are suspect
The PDP Bill has several useful elements, including its chapter seeking to achieve transparency and accountability of data fiduciaries through record keeping, reporting and audits. However, the new Data Protection Authority (DPA) that the Bill seeks to create can, by itself, notify certain data fiduciaries as “significant data fiduciaries”, and the record-keeping and audit obligations apply only to such entities.
The DPA is required to notify “significant data fiduciaries” based on criteria including: (a) the volume of personal data processed; (b) the “sensitivity” of such data, as determined by the authority; (c) the turnover of the data fiduciary; (d) the use of new technologies; and (e) any other factor it considers relevant to the harm that processing of personal data may cause.
The objective appears to be to exempt smaller players from putting in place expensive mechanisms for audit and record keeping. This could perhaps be achieved in a simpler manner than a carte blanche exemption based on small versus large. The EU’s General Data Protection Regulation (GDPR), for instance, achieves this through reduced documentation requirements for smaller business entities, and by allowing several organisations to appoint a single Data Protection Officer rather than each having a full-time person on its rolls.
It would perhaps have been advisable for the Committee to have restricted itself to the discussions in its report and opened those up for wider consultation, instead of hastily drafting a law. At this stage, a sensible approach would be to set aside the Bill entirely, focus stakeholder consultations on the elements of the COE Report, and draft a law based on more detailed discussions. The focus clearly also needs to be on building a robust security infrastructure that can ensure that the right to privacy can actually be enforced.
Rules are essential for identifying critical sectors of the government (ranging from power to telecommunications to public transport), where cyber-security norms need to be strengthened and be strictly enforced, and where data localisation is perhaps an issue of essential security to ensure “strategic interests of the state”.
And when it comes to cross-border transfer of data for the purposes of business or trade, the rules need to be infused with a greater degree of pragmatism, logic and transparency. Cross-border data flows are not a creature to be feared, nor are they necessarily prone to misuse. Regulatory norms, coupled with clear, enforceable obligations, can achieve the purpose without putting in place cumbersome measures that may serve no real end.
RV Anuradha is a Partner at Clarus Law Associates, and leads the firm’s practice on international trade and investment laws.