Our Notes From the Dialogue Roundtable on Enabling a Progressive Privacy Regime in India

The Dialogue organized a roundtable in New Delhi on 5^th August, 2019, to discuss the way forward for a progressive data protection law that is rights-based and implements the Supreme Court’s principles on privacy. This note summarizes the discussions from this roundtable, which was conducted under the Chatham House Rule.

Session 1: Gaps in the Personal Data Protection Bill, 2019 (“PDP Bill”)

Key issues discussed:

• Privacy in the age of emerging technologies.
• Privacy issues under the PDP bill, in the context of collection and processing of data.
• Conditions ensuring due process of law is followed when government accesses data.
• Checks and balances under a data protection regime, and principles of adequacy and reciprocity.

Moderator: This discussion will be translated into a report and submitted to MeiTY.

Opening Remarks:

• It is important to focus on the ‘first principles’ of privacy when articulating a data protection regime.
• Data protection regimes require proper checks and balances to protect against actions of the government and data fiduciaries.
• Any action on articulating a data protection regime should be based on a consultative approach. The PDP bill draft has been prepared by the Srikrishna Committee. The government of India has not yet shared its draft to the public for public consultation.

Address by Director, Center for Economics of the Internet:

• When understanding the privacy concerns related to deployment of 5G, it is necessary to understand the difference between ownership and control of personal data.
• There are three elements of control: a) determining how data can be used; b) whether data can be transferred to third parties; and c) determining who benefits from transfer of data to third parties.
• For eg., the EU GDPR provides very little rights to data principals to control the the transfer of personal data to third parties, while the California law on privacy does.
• Deployment of 5G technology will enable the collection of vast amounts of data, and the question will necessarily shift from control of data to ownership of data.
• India should think about the question of ownership.

Responses:

• Government view is that the industry is always identifying problems under the data privacy regime. The industry should also tell the government how it can be held accountable. Government is worried about digital colonization, as almost all big tech companies are western.
• It is hard to identify who controls data, many stakeholders will believe they have right to control data. Control framework posited by government is simplistic. Some classes of information should be the property of one individual whereas others should belong to more than one – depending on if they are in the public sphere etc.
• Important to identify the due process framework basis which government will gain access to personal data for purposes of law enforcement. Current processes under the PDP bill do not meet the rigor of other laws in India, and also of other jurisdictions. This concern is underscored by Aadhaar judgment where the Supreme Court struck down Section 57 of the Aadhaar Act.
• In terms of adequacy, MLAT is not working. Need to focus on bilateral arrangements. India must enhance internal data privacy regime to have a better reciprocity regime with other countries.
• Due process for access of personal data by law enforcement agencies should flow from principles stipulated in Puttaswamy, as opposed to leaving it to the regulator (Data Protection Authority).
• Adequacy concerns should be addressed with focus on ensuring benefits of free cross border flow of data. Countries have adopted efficient accountability frameworks such as APEC Privacy Framework that can ensure this. Further, can look at third party auditors that ensure accountability of stakeholders and at the same time provide framework for free flow of cross border data.
• The first principle of the PDP bill, that all data processing has to be lawful, must apply to all organizations, from the government to companies. There should be no exemption to the fundamental right to privacy. The focus of the privacy regime should be the fundamental right to privacy of individuals, not state benefit or commercial benefit.
• Should not use property regime- i.e. ownership- in articulating data rights. Rights of personal data are inalienable from the individual, and ownership assumes that they can be alienated.
• Some exemptions under the PDP bill are necessary, such as the research exemption, especially for purpose of public health. However, these exemptions should be measured under principles, such as the Supreme Court striking down striking down Section 57.
• Important to read exemptions to right to privacy narrowly. However, understanding where the line is drawn will be a consultative exercise between industry and regulator.
• Accountability under PDP bill should be ensured by industry self-regulation, or co-regulation. Third party certification, or even self-certification mechanisms will help create an enabling regulatory framework. A lot of the provisions under the PDP bill are onerous, and can be replaced by self-regulation. Further, the DPA when formulating codes of practice, should consult with industry and help create a forward looking and enabling regime.
• Even in terms of data localization, industry and government should collaborate and chart the path ahead.
• The idea of proper bilateral treaties with countries like the USA must be explored. Guidelines should be formulated where governments, regulators and fiduciaries work together on adequacy processes.
• Self-certification regime does not work, as fiduciaries are profit oriented. Mandatory requirement regime is necessary.
• India should adopt a light touch regime, as these are uncharted territories. Adopt a light touch regulatory framework, and learn from its mistakes. Necessary to have more stakeholder engagement and build consensus, however, industry should not be asked to come up with solutions. The PDP bill should be implemented as the Companies Act.
• Disagree that PDP bill should be implemented as the Companies Act. Given the environment we are in, with the threat to privacy from fiduciaries and companies, privacy framework should first and foremost enable the privacy and freedom of individuals. There has been a global market failure to protect privacy rights. Look at Facebook, Google and Truecaller, who have not respected privacy of individuals.
• We are heading towards a situation where mass data generation and data gathering will take place. The government wants to enable localization, weaken encryption, enable sharing of personal data across government departments. A privacy law needs to protect individuals from such state action. This does not happen in the PDP bill, and the only way it can happen is through litigation.
• We need to move beyond light touch/heavy touch dichotomy. We require a principles based regulatory regime for privacy that is in touch with the ground reality, and applies to everyone equally.
• Why did the government go ahead with data localization? Was there a cost benefit analysis done?
• Yes, NIPFP published a report undertaking a cost-benefit analysis of data localization. It said that it does not work.
• When speaking about mirroring data, who will ensure the integrity of the mirror?
• The PDP bill should clearly enumerate scenarios wherein data can be misused and unambiguously outlaw them.
• A concerning provision of the PDP bill is that in the event of breach, user can only be informed of the breach after attaining approval from the DPA. This is concerning.

Closing remarks:

• Chief Guest: If you give too much freedom to the regulator, they can evolve into a Frankenstein. The law should provide calculated balance, and one should hope for a good regulator.

Session 2: Payments, Privacy and Innovation

Key issues to be discussed:

• Privacy by Default and Privacy by Design.
• User Privacy and Cross-Border Data Flows – How it impacts fraud detection.
• Law Enforcement and intersection with Privacy –The need for judicial safeguards and parliamentary oversight for surveillance in light of the RBI notification.
• Innovation, Privacy and Security – Finding the right balance.

Opening Remarks:

• Privacy by design requires incorporating privacy principles in product/service.
• Privacy by design enables you to achieve goals of privacy, protection and innovation together.
• It mandates protection in substance, and protection through compliance.
• You can balance consideration of privacy and protection alongside innovation through building an accountability regime, as opposed to a risk based one. Need to consider making working guidelines, that mandate incorporation of elements determining use of data in product/service.
• Japan has a cultural history of privacy. However, they realized the commercial benefits of using data, and amended their law to allow use of anonymized data. India should look at something similar with de-identified data.

Responses:

• Cross-border data flow is necessary to identify patterns of payments related fraud, and vulnerabilities in systems.
• Cyber-security threats are transnational, therefore, protection should be transnational as well.
• Watal report helps in outlining an objective with which security and innovation can be maintained. It was also a consultative process.
• There was no consultation with stakeholders before decision was taken on data localization. Data localization will impact anti-fraud systems negatively. Indian industries will be negatively impacted.
• South east Asian countries such as Indonesia are inspired by India’s protectionist approach, and are adopting data localization. Indian countries hoping to expand business there will be hurt.
• Bilateral treaties are very important, perhaps we can consider having arrangements between regulators of two countries.
• Data localization is important, because MLAT is not sufficient. We need to protect national interests.
• Free flow of data, privacy and innovation are synonymous with each other.
• Localization does not help privacy, and does not help you sue a company because it has servers in the country where crime is committed.
• Self-certification regime allows nationals of other countries to sue companies based in different countries.
• It is important to imagine a world where companies in India will need to process data of foreigners, and then look at a hard localization, soft localization or no localization.

(This post has been authored by Vijayant Singh, Associate, with inputs from Tuhina Joshi, Associate at Ikigai Law)