Concerns of Global IT Bodies on Data Protection Bill are baseless

The Economic Times carried an article today titled “Global IT bodies express concern over data protection Bill”.

The Indian Express went ahead to say “US bodies push back on data protection bill, seek new working group”

These media reports are not reflective of the general views prevailing in the industry. Many of the industry experts who spoke in a webinar on Data Protection organized by ASSOCHAM yesterday expressed their eagerness to see the law being passed.

Does the Industry want to override the Parliament?

It is interesting to note that in the ASSOCHAM webinar, representatives from Google, Meta, Amazon etc. were all present, and none expressed disapproval so strong as to say that the Bill has to be rejected. However, the Indian Express report is very clear that

A senior executive working with a big tech company said…. that “The JPC report has to be rejected and a new working group with trade and industry bodies have to be formed to discuss the issues”

Should Government be forced to commit Contempt of Court?

It is clear that some sections of the media are amplifying minor concerns to force the Government to withdraw the Bill and postpone the law by a few more years. This appears to be an attempt to scuttle the bill and force the Government into committing Contempt of Court.

During the proceedings on Aadhaar and Privacy in the Supreme Court in 2017, the Government of India committed itself, and was directed by the Supreme Court, to see that a robust privacy protection law is passed at the earliest. If there is further delay, the Court can turn around and say that a delay of more than 6 years is tantamount to “Contempt of Court”.

Even if the Court remains silent, there will be activists who will file such a petition and also ensure that the Parliament in the next session is disrupted on the issue that Government is not serious and has to resign.

Why are the Big Tech Company objections not sustainable?

Most of the big tech companies have already been in the process of consultation and many of them deposed at the JPC. Some voluntarily stayed away from deposition even when they were invited.

Hence their claim now for a new consultation is completely unacceptable.

Demand of the US Bodies is driven by a rejection of Indian democracy

It looks very odd that commercial companies, led by the Social Media companies known for their fake news propagation, are demanding the scrapping of the Joint Parliamentary Committee report and want an industry body to dictate what the Parliament has to pass as a law or not.

This is an attack on the sovereignty of our Parliament and must be rejected.

What are the Concerns?

According to Indian Express, one of the main problems is “insistence on local storage of data and restrictions on cross border flow of data”. Lack of large data centres is cited as an issue.

It appears that the industry body which has made such statements is not in sync with the developments of PDPB 2019/DPA 2021 in India and is commenting on the draft of PDPB 2018.

While we still support the PDPB 2018 version of “Cross Border transfer of data”, which required that a copy of all data transferred be kept in India, it is to be noted that the present version requires only copies of the “Sensitive Personal Information” to be kept in India.

Even the RBI which has a sectoral regulation on transfer of banking data out of India has now allowed processing of financial data outside India though the processed data has to be brought back to India.

It was interesting to observe that one of the experts in the ASSOCHAM seminar was suggesting that “Since Storage is also considered as processing, storage outside India can also be considered as continued processing and hence data may never be brought back to India”. I presume that this was just a mischievous joke and not to be taken as a suggestion to bypass the RBI directive.

The claim of the group as reported in Indian Express may therefore be considered a “Fake Report”.

Non Personal Data included in the Bill

The JPC-2 fell into a trap set by the opponents, who were the same industry bodies that are today opposing the inclusion of non personal data in this Bill. The earlier version of the Bill had the provision of Section 91 (now renumbered as Section 92) which empowered the Government to direct a data fiduciary to transfer anonymised non personal data to the Government in certain circumstances where it is required for better Governance.

Some of the same Big Tech companies which are in news today were unhappy since they felt that the Government will take over their data and raised a hue and cry that the provision was ultra-vires the “Personal Data Protection Act”.

The JPC fell into the trap and tried to widen the scope of the Act by calling it the “Data Protection Act” and adding that it applies to non personal data also. Now the same big tech companies are objecting to this widening of the scope.

The industry is again misrepresenting the situation. Apart from Section 25, where reporting of non personal data is “Empowered”, no change has been proposed on any other aspect of Non Personal Data Governance. This provision can remain in the Act without being taken further.

The reason why the JPC fell into this trap was that some bureaucrats thought that it would be good to have a single DPAI for both personal and non personal data. They forgot that Non Personal Data Governance is much more than “Reporting of Data Breach” and involves “Monetization”. Security of Non Personal Data was not a concern of this legislation since ITA 2000 already addresses this requirement.

Having bitten the bullet of Non Personal Data now, it is necessary for the Government to stand up and say that “Data Breach reporting provisions” are only an “Empowerment” and that the DPAI may consider whether it is required or whether the current system, where such reports go to CERT-In, is sufficient.

The Section 92 provision is required for National Security (like the Ukraine situation) and can be justified.

Is Innovation discouraged or disincentivised?

One of the other concerns raised in the ET reports is that

  1. “Recommendations run counter to global standards…Many of our joint member companies in India and from across the globe will be significantly impacted by the report.”
  2. It also states “recommendation to establish a domestic alternative to the international SWIFT banking system is unprecedented”.
  3. They continued to hold a veiled threat… “When these and other recommendations in this report are considered as a whole, their result, if enacted, would lead to a significant deterioration in India’s business environment, degrading the Ease of Doing business in and with India, and negatively impacting India’s domestic start-up ecosystem and global competitiveness. The ability of companies to participate in the Indian market would be dramatically impacted, thereby reducing foreign direct investment in India”

It is unfortunate that while these companies accept the EU GDPR regime with insane penalties being levied on them, they think that they are able to dictate terms to the Indian Parliament.

As regards any provisions of the proposed Act that the tech companies need to follow, there is perhaps another 2 year window to attain compliance. Hence, whether it is providing the “Verified” badge, adopting a proper consent, obtaining security certification or Algorithmic transparency, the two year time is more than sufficient.

It is therefore our considered view that the objections raised lack conviction. We can wait for the regulations to be announced by the DPA in the next 6 months or more and then consider if the concerns expressed are real or imaginary. If there are real difficulties, the Government may consider appropriate amendments.

Naavi

Don’t miss the views of FDPPI on the New Data Protection Act

An FDPPI-IACC hybrid event on March 4, 2022

Implications of the Upcoming Data Protection Bill 2021…..The Compliance Perspective

You can register either at IACC or FDPPI.

IACC registration for physical event

FDPPI registration for webinar

Participants to this event will have special discounts in the upcoming Certification Program of FDPPI-Cyber Law College.

Naavi

Do We need an Unregulated Data Processing regime?

The Minister of IT, Mr Ashwini Vaishnav, recently commented that there is no plan to scrap the current draft data protection regulation (as has been falsely projected by some journalists) and that he hopes the bill will be passed soon, if not in the current session then at least in the Monsoon session.

He said that there have been comprehensive consultations and we should be able to resolve differences if any and get the bill passed.

Simultaneously the media campaign has started again to highlight that the Social media Companies are unhappy, the Start Up companies are unhappy etc. Organizations like NASSCOM who have to support the initiative of getting an early law in place are only reflecting the objections of the industry and making it difficult for the Government to go through with the passage of the Bill.

The objections raised are largely excuses, and even if they are relevant, they can be corrected either through notifications or in the next amendment. We need to keep them aside for the time being and see how the law gets assimilated by the industry, after which we will have more information on what changes are required.

The tech companies are already in compliance with the GDPR regime and they are aware of how to wade through the data protection law. Indian law cannot be too hard compared to GDPR. Start ups have been given 3 years' time under the Sand Box and hence should not have any complaint.

The Social Media intermediaries are only required to allow their customers the choice to verify themselves and, after such verification, insist that their identity be disclosed with their messages. This will not prevent the Social Media intermediaries from continuing to have fake accounts and spread fake messages if they so desire. The viewers will start discounting the posts of unverified accounts and the media need not be bothered.

At the same time, the media has the option to be an “Intermediary” and not be considered a “Publisher” if they can give up control over the content. There is a new attempt to pitch the Ministry of I&B against the Ministry of IT, saying that there will be overlapping of the domains. We know that the ministers of the two ministries held a joint press conference to announce the February 25, 2021 Intermediary rules and it is unlikely that they will start objecting to each other now.

IAMAI has also criticised the bill as if it poses a risk to the digital eco system by having an impact on free speech. We do not know how there is a conflict, since the Constitution itself has provided for reasonable exceptions to any fundamental right and it would apply even to the right to privacy.

IAMAI has also criticised the expansion of the scope to Non Personal Data. This is an enabling provision forced on the JPC by the earlier objections and can be clarified through the notifications.

The restrictions on data transfer outside India have already been softened to bring them very much below the GDPR standards, and compared to the Indian law, GDPR with the recent EDPB guidelines is a more strict data localization law than the DPA 2021.

The DPA 2021 when implemented will have to manage conflicts with several sectoral regulators including CERT-In, RBI, IRDAI and TRAI. It is therefore not a burden for them to handle the Cyber Law division of the I&B ministry also as another sectoral regulator.

We can expect that the DPA as a body of 7 senior persons will devise a method of consultation with the sectoral regulators as envisaged under Section 56 of the Bill.

There is no doubt that industry will be happy without any regulations and hence is opposing the regulations. Cost of Compliance is associated with every law and cannot be a reason for non regulation. It is strange that the companies do not complain about cost when GDPR is imposed on them but have objections only when there is an Indian law of similar nature.

The attitude of the industry and the associations that represent them is not sustainable on close scrutiny. The objections are only saying that we do not want any regulation and do not want to be accountable for data breaches or for compliance, and have to be ignored.

I hope the MeitY will not yield to the pressure tactics and will go ahead with the law for early passage. If they yield then they will be liable for Contempt of Court since the bill has already been delayed beyond any reasonable time.

Naavi

It is time to launch a “Welcome Data Protection Law in India” campaign

India has been struggling to introduce a Data Protection Law for a long time. It was initially at the instance of the IT industry that the earlier Government framed a draft law in 2006. Subsequently Privacy activists created a furore when Aadhaar was sought to be used widely by the Government resulting in the Supreme Court nudge and the Srikrishna committee followed by PDPB 2018, PDPB 2019 and now DPB 2021.

However, at each stage there has been so much opposition that the Bill is still not passed. Even as late as last week, industry bodies have asked for scrapping the Bill in its current form and starting a new drafting exercise, knowing fully well that this exercise will delay the introduction of data protection by another few years and would be a setback in every sense.

This time it appears that it is the Social Media Intermediaries who are in the forefront of the move to scuttle the Bill. Even the Start Up industry has been made a party to this set of objections.

The media is a commercial organisation and they will convey only the views of any vested interest, amplifying the objections.

Some of the modifications that have been projected in the media are

    1. The Government should have no powers to seek exemption from any provisions of the Act even if permitted under the Indian Constitution.
    2. Law Enforcement should not have any power of surveillance even if Crimes in Data Space are a threat to our very existence as a society.
    3. Social Media intermediaries should not be challenged on fake news distribution.
    4. Industry should have exemptions forever to comply with the basic principles of compliance.
    5. The fines and penalties should be waived.
    6. Cost of Compliance should be reduced.
    7. Financial Information should not be considered as “Sensitive”.
    8. Data should be freely transferable abroad even though other countries like EU are opting for more and more restrictions.
    9. Indian Government should give up its sovereignty on Data generated in India and allow the tech giants to monetize Indian data resources.

It is unfortunate that as in other fields the industry institutions which are expected to protect the interests of the country are abdicating their national responsibilities and have been only interested in projecting the commercial interests of companies most of whom are today international companies.

Even home grown companies are dependent on the patronage of International companies and hence take a stand “Business First, Nation Next”.

There is nothing like a “Perfect Law” and seeking a perfect law particularly in the domain of Privacy which has inherent conflicts with other Rights, is only an excuse not to pass the law. I hope people in high places accept this reality and not think that the public are gullible enough to believe such excuses.

Every corporate law in the country has a cost burden and this cannot prevent the law from being passed. Income Tax Law or Company Law have imposed enormous cost on the industry. Does it mean that the industry should oppose them because of “Cost of Compliance”? If not, why this opposition only for “Data Protection law”?

Can the nation exist if we ignore the need of law enforcement and Governance in enforcing the Privacy law? Can speculation on what all can go wrong prevent action of the Government? Every law has a potential to be misused if we have dishonest administrators and dishonest administrators will continue to exist as long as there is greed in the society.

We only have to keep strengthening the law as well as the checks and balances to ensure that law is not mis-applied. The Courts are there to ensure justice if the administrators fail.

We therefore urge all those who have opposed the current draft of DPA 2021 to set aside their differences for some time and let the law come into existence. Let us give it at least one year of existence after which we can pass any amendments that may be necessary.

I therefore appeal to industry bodies such as NASSCOM, ASSOCHAM, FICCI, CII, etc. to stop complaining about the new draft of DPA 2021 and start co-operating with the Government in getting the law passed.

Alternatively the industry can be honest to say that the industry does not want the Data protection law to be passed in India and they can file a petition in the Supreme Court to stop the Government from passing such law.

If business entities gladly adopt an EU law such as GDPR but have objections only to the Indian law because they want freedom to plunder the Indian resources, it is natural for the Government also to feel why it should tie its own hands with the law which also imposes restrictions on the Government. Government therefore will not be keen to pass the law unless the industry is ready.

The genuine Privacy Activists also should appreciate that many of the NGOs are funded by the same vested interests who do not want the law to be passed and hence will be happy to raise objections for every version of the Bill. They also should realize that if there is a law in place, it is easy to make amendments. If we push the law further by another 2 years then the current state of “No Data Protection Law” will continue. If this is their intention, they also should be honest to admit that they survive on the prolonging of this uncertainty.

I appeal to the Genuine Privacy Activists to join hands with Naavi.org/FDPPI so that we can try to get a workable Data Protection law in place first and worry about refinements later.

Let us therefore start a “Welcome Data Protection Law in India” campaign under a “Data Protection Law Forum” which will be co-ordinated by FDPPI, the Foundation of Data Protection Professionals in India and Naavi.org.

(Comments are welcome)

Naavi

DPA 2021 Kindle Version of the book now available

After the JPC submitted its recommendations on the PDPB 2019, the earlier print version book on the basis of PDPB 2019 required corrections. Hence the print version had been withdrawn.

Now a new version of the Data Protection Act of India on the basis of DPA 2021 has been published as a Kindle version.

Since it is not certain if the Bill will be passed in the current session or not, we have released this book now in E Book format. In case the Bill is passed finally either in this session of the Parliament or later, we will publish the print version.

Until that time this book should be the guidance for all students of Data Protection Law in India.

It is possible that the Book may need further updating and even corrections. I assure that I will endeavour to make corrections as and when required.

As is the custom in Software scenario, release comes first and bug fixing comes later!

Naavi

Implications of the Upcoming Data Protection Bill…The Compliance perspective

Registrants who attend the webinar will receive further benefits of value from FDPPI