Naavi.org

India has been struggling to introduce a Data Protection Law for a long time. It was initially at the instance of the IT industry that the earlier Government framed a draft law in 2006. Subsequently Privacy activists created a furore when Aadhaar was sought to be used widely by the Government resulting in the Supreme Court nudge and the Srikrishna committee followed by PDPB 2018, PDPB 2019 and now DPB 2021.

However at each stage there have been so many oppositions that the Bill is still not passed. Even as late as last week,  industry bodies have asked for scrapping of the Bill in its current form and start a new drafting exercise, knowing fully well that this exercise will delay the introduction of data protection by another few years and would be a set back in every sense.

This time it appears that the Social Media Intermediaries who are in the forefront of the move to scuttle the Bill. Even Start Up industry has been made a party to this set of objections.

The media  is a commercial organisation and they will convey only the views of any vested interest, amplifying the objections.

Some of the modifications that have been projected in the media are

1. 1. The Government should have no powers to seek exemption from any provisions of the Act even if permitted under the Indian Constitution.
   2. Law Enforcement should not have any power of surveillance even if Crimes in Data Space are a threat to our very existence as a society.
   3. Social Media intermediaries should not be challenged on fake news distribution
   4. Industry should have exemptions for ever to comply with the basic principles of compliance
   5. The fines and penalties should be waived.
   6. Cost of Compliance should be reduced
   7. Financial Information should not be considered as “Sensitive”
   8. Data should be freely transferable abroad even though other countries like EU are opting for more and more restrictions.
   9. Indian Government should give up its sovereignty on Data generated in India and allow the tech  giants to monetize Indian data resources

It is unfortunate that as in other fields the industry institutions which are expected to protect the interests of the country are abdicating their national responsibilities and have been only interested in projecting the commercial interests of companies most of whom are today international companies.

Even home grown companies are dependent on the patronage of International companies and hence take a stand “Business First, Nation Next”.

There is nothing like a “Perfect Law” and seeking a perfect law particularly in the domain of Privacy which has inherent conflicts with other Rights, is only an excuse not to pass the law. I hope people in high places accept this reality and not think that the public are gullible enough to believe such excuses.

Every corporate law in the country has a cost burden and this cannot prevent the law to be passed. Income Tax Law or Company Law have imposed enormous cost on the industry. Does it mean that the industry should oppose them because of “Cost of Compliance”? If not, why this opposition only for “Data Protection law”?

Can the nation exist if we ignore the need of law enforcement and Governance in enforcing the Privacy law? Can speculation on what all can go wrong prevent action of the Government. Every law has a potential to be misused if we have dishonest administrators and dishonest administrators will continue to exist as long as there is greed in the society.

We only have to keep strengthening the law as well as the checks and balances to ensure that law is not mis-applied. The Courts are there to ensure justice if the administrators fail.

We therefore urge all those who have opposed the current draft of DPA 2021 to set aside their differences for some time and let the law come into existence. Let us give it at least one year of existence after which we can pass any amendments that may be necessary.

I therefore appeal to industry bodies such as  NASSCOM, ASSOCHAM, FICCI, CII,  etc to stop complaining about the new draft of DPA 2021 and start co operating with the Government in getting the law passed.

Alternatively the industry can be honest to say that the industry does not want the Data protection law to be passed in India and they can file a petition in the Supreme Court to stop the Government from passing such law.

If the business entities who gladly adopt a EU law such as GDPR but have objections only for the Indian law because they want freedom to plunder the Indian resources, it is natural for the Government also to feel why it should tie its own hands with the law which also imposes restrictions on the Government. Government therefore will not be keen to pass the law unless the industry is ready.

The genuine Privacy Activists also should appreciate that many of the NGOs are funded by the same vested interests who donot want the law to be passed and hence will be happy to raise objections for every version of the Bill. They also should realize that if there is a law in place, it is easy to make amendments. If we push the law further by another 2 years then the current state of “No Data Protection Law” will continue. If this is their intention, they also should be honest to admit that they survive on the prolonging of this uncertainty.

I appeal to the Genuine Privacy Activists to join hands with Naavi.org/FDPPI so that we can try to get a workable Data Protection law in place first and worry about refinements later.

Let us therefore start a “Welcome Data Protection Law in India” campaign under a “Data Protection Law Forum” which will be co-ordinated by FDPPI, the Foundation of Data Protection Professionals in India and Naavi.org.

(Comments are welcome)

Naavi

After the JPC submitted its recommendations on the PDPB 2019, the earlier print version book on the basis of PDPB 2019 required corrections. Hence the print version had been withdrawn.

Now a new version of the Data Protection Act of India on the basis of DPA 2021 has been published as a Kindle version.

Since it is not certain if the Bill will be passed in the current session or not, we have released this book now in E Book format. In case the Bill is passed finally either in this session of the Parliament or later, we will publish the print version.

Until that time this book should be the guidance for all students of Data Protection Law in India.

It is possible that the Book may need further updating and even corrections. I assure that I will endeavour to make corrections as and when required.

As is the custom in Software scenario, release comes first and bug fixing comes later !.

Naavi

REGISTER HERE

REGISTER HERE

Registrants who attend the webinar will receive further benefits of value from FDPPI

While the Data Protection professional circles have been discussing the forthcoming DPA 2021, whether it will be taken up for further discussion in the Parliament or scrapped, the MeitY has sprung a surprise by releasing two documents yesterday the February 21.

They are

1. 1. Background Note for India Data Accessibility and Use Policy
   2. India Data Accessibility and Use Policy

It appears that the Government was waiting for the release of these documents before taking up the DPA 2021 for further discussion to protect the operational interests of the Government entities which will also be required to be compliant with  the new DPA 2021. We are aware that while private companies need to move up in their compliance ladder from the present levels to whatever DPA 2021 expects, Government agencies need to start from the zero level. Hence the challenge before Government institutions and Departments were more than the private sector.

In the light of the above, MeitY has tried to formulate a policy for the Central Government and suggested policy for State Governments in the form of a Framework that can be adopted for Privacy Management. These are likely to be adopted as “Codes of Practice” for Government establishments when the DPA 2021 becomes effective.

This will now have to be incorporated as part of the DPSI or the “Data Protection Standard of India which FDPPI is using for Compliance audits.

The Objectives of the Policy as declared are as follows:

1.Maximising access to and use  of quality public sector data

2. Improving policy making, evaluation and monitoring

3.Enhancing the efficiency of service delivery

4. Facilitating the creation of public digital platforms

5. Protecting the privacy and security of Citizens

6. Streamlining inter-government data sharing

7. Promoting transparency, accountability and ownership in data sharing and release

8. Building digital & data capacity, knowledge & competency of Government officials

9. Promoting data interoperability & Integration to enhance data quality and usability

10. Ensuring greater citizen awareness, participation, and engagement with open data

11. Enabling secure pathways to share detailed data sets for research and development

12. Increasing the availability of high value data sets of national importance

13. Improving overall compliance to data sharing policies and standards.

Though the policy makes reference mainly to “Data Sharing”, it would also be the policy for protecting the Privacy of the Citizens.

One of the immediate requirements for the Government agencies is to develop an inventory of “Data Assets” which may have to include both Personal and Non Personal Data of Citizens and Employees. It has to be a federated government wide searchable data base so that duplication is avoided.

An interesting concept is that there will be a new entity called India Data Office (IDO)  and every Ministry/Department shall have Data Management Units headed by Chief Data Officers (CDO) which will work closely with the IDO.

Given the responsibilities of the CDO which go beyond the Privacy and Personal Data Protection, it may be necessary for each department to separately identify a Data Protection Officer satisfying the requirements of Section 30 of DPA 2021.

The India Data Officer and the Chief Data Officers will together function as India Data Council (IDC) for coordination. In case the State Governments also join this IDC, it will be like the GST Council and cover all data interests of the nation. However since there are some rogue states which donot believe in being part of the  national body, the IDC may remain a Central Government entity.  The State Governments can however replicate the system with a State level IDC and State CDO s .

One of the objectives set by this policy is to promote the “Open Data” concept and by default all data of every Government Ministry/Department/Organization will be considered as open.

The exceptions however may be defined and a negative list of data which shall remain restricted would be separately announced.

By focussing on “Data Sharing”, the policy has also considered the possibility of monetization of data available to the Government and a mechanism for Data Pricing and Data Licensing may be developed.

The Policy promotes “Data Anonymisation” and may assist the departments  with necessary support including tool kits for  data sharing.

In anticipation of the objections from the activists, the policy states that “Any Data sharing shall happen within the legal framework in India, its national policies and legislation as well as the recognized international guidelines” and “All data being shared must ensure compliance to guidelines for legal, security, IPR, Copyrights and Privacy Requirements”.

The policy states that Data shall remain the property of the agency/department/ministry etc and access shall not be in violation of any acts and rules of the Government in force.

The legal framework of this policy will also be aligned with various acts and rules covering data.

We hope the publication of this policy will now clear the path for DPA 2021 being passed.

We welcome the approach of this policy to get ready before the DPA 2021 becomes a law. The policy will require a whole “Data Governance System” to be set up with the IDC,  IDO, CDOs and DPOs at the Central Government level and also paving the way for State Governments to adopt a similar module. Interesting developments to watch.

Naavi

If this system works, we will be able to control a good part of cyber crimes. This will put brakes on crimes involving transfer of proceeds in INR.

Next we need to ban Cryptocurrency to tackle the crimes at the next level.

Naavi

Yesterday Economic Times carried a report quoting anonymous sources within the Government of India that the Government may shelve the current version of the Bill and go for a fresh legislation.

Today some of the other  publications such as the Quint and The Print have picked up the story and re-published the same.

As a result of these reports there is a sudden feeling in the Industry that the Government of India may withdraw the Bill just like they withdrew the Farm Bills. In many professional circles, it is considered that the Government has no commitment to pass the law.

It is difficult for us to vouch for the Government since the Government is always a combination of good intentioned persons with commitment and others who for their own reasons support some “Special Interests”.

It is our considered opinion that the Economic Times article under the by-line of Surabhi Agarwal is a fake planted story .

We may however discuss some of the objections to the Bill that were  prevailing earlier when the JPC presented its report and whether the objections cited in the ET article were present at that time.

When the JPC presented its final recommendations there were a few opposition members of the JPC who submitted dissent notes. Some of the comments made by them are briefly given below.

1.Manish Tiwari:

The Bill suffers from a design flaw in that it creates two parallel universes, one for the private sector where it would apply with full rigor and one for the Government where it is riddled with exemptions. I reject the bill in the current form in its entirety.

2.Derek Obrien and Mahua Moitra

We oppose the inclusion of the non personal data within the legislation. The Bill provides overbroad exemptions to the Government of India without proper safeguards. We propose amendments …

3. Gaurav Gogoi

I am in broad agreement with most of the conclusions …However I hold certain reservations …on lack of attention paid to harms arising out of surveillance, Exemption to the Central Government, regulation of non personal data, setting up of state level DPAs etc.

4.Ritesh Pandey

I am in complete agreement with the recommendations, barring three sections..Section 3(8) (Definition of Child), Section 35 and Section 42(2) (Composition of the DPA selection Committee).

5.Jairam Ramesh

I am in unqualified agreement with all but two recommendations…. Section 35 and Section 12 (a)(i) …suggested removal of “Public Order” under Section 35 and addition of the word “Proportionate” in the clause that exempts consent for Government functions.

6.Vivek K Tankha

Though I am in broad agreement with the recommendations of the JCP, deeper contemplation puts me in doubt in respect of two recommendations…. Section 12 and Section 35.

7.Dr Amar Patnaik

The Bill does not address the concerns on narrowing down the applicability of the provisions of Section 35 , separate DPA for States, abolishing of Section 87(new) on the power of the Government to issue directions to the DPA

As could be seen from the above, except Mr Manish Tiwari who recommended the scrapping of the Bill all others suggested only a few amendments. Most of the concerns expressed by the members were on the powers of the Government under Section 35. The concerns on the constitution of the DPA and independence of DPA was also related to the dilution of the power of the Government in the administration of the Act.

The views of the political opponents of the Government can be understood since  the Act also covers the Government agencies, if an opposition friendly DPA is formed, the DPA would be a great instrument to question the Government from time to time. It would be  politically imprudent and foolish for any Government to provide such a power to an authority outside the Government. Hence we should also appreciate the right of the Government to reject such an extreme suggestion.

The Government has adopted a conciliatory position regarding expanding the DPA selection committee and adding the concept of “Proportionality” under Section 35. Also it is a common practice across the Globe to provide such exemptions to the Government and the Courts in the respective countries lay down the boundaries of “Proportionality”. The objections on Section 35 therefore can be set aside as the necessary political rhetoric.

Leaving these politically motivated suggestions, there are some good suggestions including the delinking of the “Non Personal Data” some of which can still be accommodated during the clause by clause discussion of the amendments.

The ET report however brings out a new theory that the Act is detrimental to the industry and more particularly the Start Ups.

There is no doubt that any new law requiring compliance of the industry result in some compliance efforts including additional cost. Cyber Security itself is a burden on the companies. However, it is the duty of the Government to enact laws that mandate security and this “Personal Data Protection law” is one such.

As regards the importance of “Right to Privacy”, it is for the Human Rights Activists to determine whether India needs to protect this right or not. If some are suggesting scrapping of the current draft, they are people who donot want the law to be effective for a few more years.

We may remember that JPC has recommended 2 years for introduction, and provided 3 more years for Start Ups using the Sand Box scheme to adopt to the law. If 5 years is not sufficient for a Start Up to adopt, then they donot deserve any sympathy. I am sure that ET is firing this salvo on the shoulders of the Start Ups and no genuine start up would like to admit that 5 years is too short a time to adopt to the new law that too after the world has transformed in 2018 itself when  GDPR became a law.

The objection raised by ET is therefore unsustainable and must be considered as a conspiracy along with the Print and Quint to destabilize the introduction of the law.

I would appreciate if people come out openly that they donot want Privacy because they want to continue the present practice of exploiting the personal data without accountability.

Instead of being honest and directly expressing their wish to be in a “NO PRIVACY PROTECTION REGIME”, raising fake objections on the provisions of the Bill is to be condemned.

I would also like to re-iterate that there is nothing such as “Perfect Bill” and when a Bill tries to address conflicting interests of Privacy, Security and Business promotion, there has to be give and take by each of the stake holders. Law cannot be made one sided even if it is on the side of the individual.

Lest we forget, all fundamental rights exist if the nation exists and hence reasonable exemptions are an integral part of the fundamental rights whether it is article 19 or 21 or even 25.

We therefore should condemn the attempt of motivated journalists to plant false stories not withstanding the support they may get from NASSCOM which is an industry association.

Behind this conspiracy there could be a larger conspiracy that if the Government withdraws the Bill, certain activists will approach the Supreme Court with a “Contempt of Court” petition stating that Government is not honouring the direction of the Supreme Court and has to be dismissed. The Government should be alert to such a possibility.

Naavi

Also read:

Having a strong national data protection bill will safeguard interests of the Indian Companies- US headquartered Ankura Consulting Group