Data Protection Law – Are We On The Right Track?

In the year 2014, I received an internal email from my employer Telenor that a Chief Global Privacy officer had been appointed at the headquarters at Oslo. I was little amused at that time to think that privacy in the Indian context was being taken so seriously. A general impression was that privacy was a western concept!

However in the last couple of years, privacy has attracted high attention from consumers as well as the government. This has a serious relationship with the widespread proliferation of internet and smart phones as well as some high-level hacking cases like leakage of data from a big social media company. Everybody is realizing that safeguarding of privacy is important for the internet-based development of India.

What are the three most important things, we complain with respect to privacy today?

State as well private entities have scant regard for citizen’s data. Here are examples of both types with my own experience:
Recently I wanted to pay my property tax online. At the municipal corporation of Gurgaon website, one can type either the first name or the last name or the property ID and can get a whole list of names of people with their residential addresses and mobile number! I am not sure if MCG cares about the privacy of people it serves;
Recently my wife wanted to send an international parcel to the United States of America through registered post. The man at the counter insisted pasting a copy of her Aadhaar card printout on the outer side of the envelope stating that this is a part of the process set by higher authorities. Now everybody who will handle the packet can read the Aadhaar number along with other details on the parcel; and
Last year, when I subscribed to an equity broking firm, after a week I started getting phone calls from all broking houses in Indore, Mumbai, and other cities asking how trading is going on and I should subscribe to their broking service at a lower commission! Also each one of us gets at least five to ten unsolicited calls on different products daily.
While we focus a lot on large internet giants for collecting our data, every other app (Indian or foreign) when I try to download, asks for full access of my phone contacts, calls, location, and other details. So everybody is a culprit here and we should not single out a select few.
While every private or government entity is trying to collect the data of consumers, nobody is sure how the data is being handled and whether any citizen’s right and security is being compromised anywhere. There has been no effective law in the country against the misuse of data of citizens (SPD rules under section 43A of the IT Act have not proven effective). There has been no deterrent to entities who have been invading our privacy with constant interruptions, trying to over-sell everything available on their platforms.

Also, there are bigger issues involving citizen consent (data principal) for data to be collected and processed by commercial, social, or government entities (data fiduciaries) and how data is being processed and how cross-flow of data occurs across borders.

In view of the above, the report released by Justice BN Srikrishna on protecting privacy, empowering Indians in the form of a draft of the Personal Data Protection Law (DPL) has been a welcome relief. While there is still time to implement DPL, many governmental steps need to be taken for it to become a law sometime in the year 2019. There are many aspects of the report I liked:

The first chapter lays emphasis on privacy, autonomy, and empowerment that would deliver a personal DPL that protects individual privacy, ensures autonomy, allows data flows for a growing data eco system, and creates a growing free and fair digital economy;

This report, like the consultation paper (I attended the open forum in Delhi which was very well-conducted by Justice BN Srikrishna himself) covers almost all aspects of data protection with detailed comments on a white paper and required analysis; and

The report also recognizes the fact that there will be lots of coordination required between authorities of various countries in order to ensure that DPLs of India and other countries. EU-GMDRs are effective across borders and do not prevent the development and innovation of internet-based economies across the world.

However, there are a few points where I believe the report fails to take some bold decisions keeping the future in mind rather than looking at current laws and past precedences:

The minimum age for consent has been recommended as up to 18 years as per Indian laws. I think we can bring it down to 16 years as envisaged in EU-GMDR. This will be right in line with putting our trust on young Indians with their growing influence on the digital economy and recognizing their maturity to take right decisions instead of requiring parental consent;

The committee has rightly recommended that anonymized and pseudonymized data be out of the preview of DPL. However, while defining data processing roles and responsibilities of data fiduciaries, this aspect has not been completely defined. Given that there are commercial penalties defined in the draft DPL for commercial entities, the roles and responsibilities of data fiduciaries need to be clearly defined. Do data fiduciaries need data principal consent to produce anonymized data?

Cross-border data flow. In this point again, the committee has chosen a conservative path. Maintaining a copy of data in the country does not add anything to the data security. Data Protection Authority (DPA) as mentioned by the committee can do the adequacy test and as long as the other country passes this test as may be the case for EU with GMDR notified in May this year, we should allow data flows. We need to appreciate that India is a developing country and we should not do anything to increase the costs which will eventually hurt our own citizens and local Indian internet companies. With existing recommendations, we are handing over incumbency advantage to large established internet companies;

While I agree with most exemptions provided to companies under article 12, I think the state also should be responsible for privacy of citizens. If any government organization is intentionally or by faulty design, leaking the data, it needs to be hauled up by DPA and appropriate penalties need to be levied. The commercial penalties envisaged in this report may not be applicable for government entities and therefore a new method needs to be evolved. MCG Gurgaon is one such example as given above. Also we need to take out the criminal element from penalties at this learning stage and let the law evolve with experience in the coming years; and

While the committee has defined roles and responsibilities of the DPA, the government needs to be careful that it does not become a heavy regulatory structure putting hindrance in the growth of an internet-based economy instead of acting as a catalyst.

Overall, the committee under Justice BN Srikrishna has done a commendable job and it will be great to see the personal DPL being rolled out for India in the year 2019. We are indeed on the right track!