
Our Notes From the Dialogue Roundtable on Enabling a Progressive Privacy Regime in India


    By Ikigai Law | Data Governance | 9 August, 2019

    The Dialogue organized a roundtable in New Delhi on 5th August, 2019, to discuss the way forward for a progressive data protection law that is rights-based and implements the Supreme Court’s principles on privacy. This note summarizes the discussions from this roundtable, which was conducted under the Chatham House Rule.

     

    Session 1: Gaps in the Personal Data Protection Bill, 2019 (“PDP Bill”)

     

    Key issues discussed:

     

    • Privacy in the age of emerging technologies.
    • Privacy issues under the PDP bill, in the context of collection and processing of data.
    • Conditions ensuring due process of law is followed when government accesses data.
    • Checks and balances under a data protection regime, and principles of adequacy and reciprocity.

     

    Moderator: This discussion will be translated into a report and submitted to MeitY.

     

    Opening Remarks:

     

    • It is important to focus on the ‘first principles’ of privacy when articulating a data protection regime.
    • Data protection regimes require proper checks and balances to protect against actions of the government and data fiduciaries.
    • Any action on articulating a data protection regime should be based on a consultative approach. The PDP bill draft has been prepared by the Srikrishna Committee. The government of India has not yet shared its draft with the public for consultation.

     

    Address by Director, Center for Economics of the Internet:

     

    • When understanding the privacy concerns related to deployment of 5G, it is necessary to understand the difference between ownership and control of personal data.
    • There are three elements of control: a) determining how data can be used; b) whether data can be transferred to third parties; and c) determining who benefits from transfer of data to third parties.
    • For example, the EU GDPR provides very few rights to data principals to control the transfer of personal data to third parties, while the California law on privacy does.
    • Deployment of 5G technology will enable the collection of vast amounts of data, and the question will necessarily shift from control of data to ownership of data.
    • India should think about the question of ownership.

     

    Responses:

     

    • Government view is that the industry is always identifying problems under the data privacy regime. The industry should also tell the government how it can be held accountable. Government is worried about digital colonization, as almost all big tech companies are western.
    • It is hard to identify who controls data; many stakeholders will believe they have the right to control data. Control framework posited by government is simplistic. Some classes of information should be the property of one individual whereas others should belong to more than one, depending on whether they are in the public sphere etc.
    • Important to identify the due process framework on the basis of which government will gain access to personal data for purposes of law enforcement. Current processes under the PDP bill do not meet the rigor of other laws in India, or of other jurisdictions. This concern is underscored by the Aadhaar judgment, where the Supreme Court struck down Section 57 of the Aadhaar Act.
    • In terms of adequacy, MLAT is not working. Need to focus on bilateral arrangements. India must enhance internal data privacy regime to have a better reciprocity regime with other countries.
    • Due process for access of personal data by law enforcement agencies should flow from principles stipulated in Puttaswamy, as opposed to leaving it to the regulator (Data Protection Authority).
    • Adequacy concerns should be addressed with focus on ensuring benefits of free cross border flow of data. Countries have adopted efficient accountability frameworks such as APEC Privacy Framework that can ensure this. Further, can look at third party auditors that ensure accountability of stakeholders and at the same time provide framework for free flow of cross border data.
    • The first principle of the PDP bill, that all data processing has to be lawful, must apply to all organizations, from the government to companies. There should be no exemption to the fundamental right to privacy. The focus of the privacy regime should be the fundamental right to privacy of individuals, not state benefit or commercial benefit.
    • Should not use property regime, i.e. ownership, in articulating data rights. Rights of personal data are inalienable from the individual, and ownership assumes that they can be alienated.
    • Some exemptions under the PDP bill are necessary, such as the research exemption, especially for purpose of public health. However, these exemptions should be measured under principles, such as the Supreme Court striking down Section 57.
    • Important to read exemptions to right to privacy narrowly. However, understanding where the line is drawn will be a consultative exercise between industry and regulator.
    • Accountability under PDP bill should be ensured by industry self-regulation, or co-regulation. Third party certification, or even self-certification mechanisms will help create an enabling regulatory framework. A lot of the provisions under the PDP bill are onerous, and can be replaced by self-regulation. Further, the DPA when formulating codes of practice, should consult with industry and help create a forward looking and enabling regime.
    • Even in terms of data localization, industry and government should collaborate and chart the path ahead.
    • The idea of proper bilateral treaties with countries like the USA must be explored. Guidelines should be formulated where governments, regulators and fiduciaries work together on adequacy processes.
    • Self-certification regime does not work, as fiduciaries are profit oriented. Mandatory requirement regime is necessary.
    • India should adopt a light touch regime, as these are uncharted territories. Adopt a light touch regulatory framework, and learn from its mistakes. Necessary to have more stakeholder engagement and build consensus, however, industry should not be asked to come up with solutions. The PDP bill should be implemented as the Companies Act.
    • Disagree that PDP bill should be implemented as the Companies Act. Given the environment we are in, with the threat to privacy from fiduciaries and companies, privacy framework should first and foremost enable the privacy and freedom of individuals. There has been a global market failure to protect privacy rights. Look at Facebook, Google and Truecaller, who have not respected privacy of individuals.
    • We are heading towards a situation where mass data generation and data gathering will take place. The government wants to enable localization, weaken encryption, enable sharing of personal data across government departments. A privacy law needs to protect individuals from such state action. This does not happen in the PDP bill, and the only way it can happen is through litigation.
    • We need to move beyond light touch/heavy touch dichotomy. We require a principles based regulatory regime for privacy that is in touch with the ground reality, and applies to everyone equally.
    • Why did the government go ahead with data localization? Was there a cost benefit analysis done?
    • Yes, NIPFP published a report undertaking a cost-benefit analysis of data localization. It said that it does not work.
    • When speaking about mirroring data, who will ensure the integrity of the mirror?
    • The PDP bill should clearly enumerate scenarios wherein data can be misused and unambiguously outlaw them.
    • A concerning provision of the PDP bill is that in the event of breach, user can only be informed of the breach after attaining approval from the DPA. This is concerning.

     

    Closing remarks:

     

    • Chief Guest: If you give too much freedom to the regulator, they can evolve into a Frankenstein. The law should provide calculated balance, and one should hope for a good regulator.

     

    Session 2: Payments, Privacy and Innovation

     

    Key issues to be discussed:

     

    • Privacy by Default and Privacy by Design.
    • User Privacy and Cross-Border Data Flows – How it impacts fraud detection.
    • Law Enforcement and intersection with Privacy – The need for judicial safeguards and parliamentary oversight for surveillance in light of the RBI notification.
    • Innovation, Privacy and Security – Finding the right balance.

     

    Opening Remarks:

     

    • Privacy by design requires incorporating privacy principles in product/service.
    • Privacy by design enables you to achieve goals of privacy, protection and innovation together.
    • It mandates protection in substance, and protection through compliance.
    • You can balance consideration of privacy and protection alongside innovation through building an accountability regime, as opposed to a risk based one. Need to consider making working guidelines, that mandate incorporation of elements determining use of data in product/service.
    • Japan has a cultural history of privacy. However, they realized the commercial benefits of using data, and amended their law to allow use of anonymized data. India should look at something similar with de-identified data.

     

    Responses:

     

    • Cross-border data flow is necessary to identify patterns of payments related fraud, and vulnerabilities in systems.
    • Cyber-security threats are transnational, therefore, protection should be transnational as well.
    • Watal report helps in outlining an objective with which security and innovation can be maintained. It was also a consultative process.
    • There was no consultation with stakeholders before decision was taken on data localization. Data localization will impact anti-fraud systems negatively. Indian industries will be negatively impacted.
    • Southeast Asian countries such as Indonesia are inspired by India’s protectionist approach, and are adopting data localization. Indian companies hoping to expand business there will be hurt.
    • Bilateral treaties are very important, perhaps we can consider having arrangements between regulators of two countries.
    • Data localization is important, because MLAT is not sufficient. We need to protect national interests.
    • Free flow of data, privacy and innovation are synonymous with each other.
    • Localization does not help privacy, and does not help you sue a company because it has servers in the country where crime is committed.
    • Self-certification regime allows nationals of other countries to sue companies based in different countries.
    • It is important to imagine a world where companies in India will need to process data of foreigners, and then look at a hard localization, soft localization or no localization.

     

    (This post has been authored by Vijayant Singh, Associate, with inputs from Tuhina Joshi, Associate at Ikigai Law)
