In our opinion, a fundamental underpinning of Data Protection is that the Indian State should be the supreme authority, protector, accountable party and custodian of the data of Indians. While the disciplined work of the Committee is undeniable, such a principled stand does not come through in the text of the Bill.
Principal Observations about the Committee’s White Paper
(Ref: White Paper of the Committee of Experts on a Data Protection Framework for India. https://meity.gov.in/white-paper-data-protection-framework-india-public-comments-invited)
There is a lot of attention given to the potential monetary loss to India’s industry (consulting services, BPO, etc) and startups (loss of investments) if cross border data flows are not freely allowed. However, the monetary value of each Indian’s data and the losses incurred by allowing foreign entities to monetize this data freely are never mentioned.
Per Jacques Séguéla, (Ref: March 2019 @WION TV interview. https://www.youtube.com/watch?v=-Fe-0E0EcQE), VP at Havas Creative, the annual monetary value of an individual’s digital data is 2,000 Euros (Rs 1,56,000, $ 2,180). The national security value of the personal data of 40 Crore (400 million) Indian digital users is immeasurable. But, the annual monetary value in itself is Rs 3.12 Lakh Crores (40 Crores * Rs 7,800) or $43 Billion (40 Crores * $100) even if you consider the annual monetary value for an Indian digital user to be only 5% of the 2,000 Euro number mentioned above.
Two Primary Issues in the draft version of the Bill
(Ref: ThePersonal Data Protection Bill 2019. https://prsindia.org/sites/default/files/bill_files/Personal%20Data%20Protection%20Bill%2C%202019.pdf)
1. The bill categorizes all entities that gather and manage user data as Data Fiduciaries. Diverse entities such as government authorities & agencies, consumer/retail companies, social media & messaging intermediaries, health care companies and employers are all given the same baseline treatment with sub-clauses stated where needed. This creates a lot of opportunities for numerous interpretations and hence misuse by various parties. For eg: Why should social media and messaging intermediaries have the same cross-border data flow privileges as, let’s say, an overseas retailer who requires the personal data (address and payment info) of a customer in order to ship a package?
The architecture of the roles has to be changed in future versions. Aside from the roles mentioned earlier, there should be distinct treatment for the Indian State, domestic businesses, foreign businesses and foreign States. This change, however, could mean significant changes to the text of the bill.
2. One of the principal issues with data protection is that today’s internet model does not allow any notion of privacy or data protection. Ads are what allow free services and content on the internet. So, providers gather user data and monetize it by sharing with ad networks. The entity whom the user trusts to keep their data private, ends up sharing their data with a lot of other parties from Day 1. When data from diverse sources such as social media (Facebook, LinkedIn, Instagram), messaging (Whatsapp), search (Google), retail (Amazon, Flipkart), finance (Mastercard, Visa), smartphone apps (location/GPS, Google Maps, Amazon Alexa), media (Dish TV, Netflix, Amazon Prime) is correlated, it becomes easy to create a digital twin for any individual.
Modern AI systems can mimic all aspects of an individual to a high degree when such data collation is allowed. This creates unending sales targetting and monetization opportunities for foreign companies. Needless to say, the sovereignty of Indian Citizens is severely compromised when the same sources are allowed to create a feedback loop i.e., gathering data, correlating the data and then disseminating data. How can foreign companies and foreign States be allowed to know and influence Indian Citizens more than the Indian State? Conceptually, the Data Protection Bill should not allow any service or content provider to share data with any other provider. That will be the first step towards real data protection. But, this will imply the end of the ad network model and the industry will put up strong resistance to such a change in the short term.
Suggested Changes to the Personal Data Protection Bill
Due to the above reasons, our feedback is limited to a few points which might be implementable for this version of the bill.
1. Suggested Rules for Social Media Intermediaries
- C-level executives, particularly CEO and Chairman, must appear before parliamentary committees, Data Protection Authority of India and other regulatory bodies when they are summoned.
- For a user that registers in India, the User’s data should be located primarily in India.
- User data cannot be moved outside of India unless the User has connections/contacts/friends that don’t reside in India.
- For any User that doesn’t live in India but has at least 1 connections/contact/friend in India, the User’s data must be duplicated in India.
- Overall, the amount of data stored in India must be proportional to the % of Indian Users, at a minimum.
- If a backdoor and/or API (impersonation, decryption mechanism, data access, etc) is provided to any non-company entity whatsoever, the same must be provided to the Data Protection Authority of India.
- If any User’s data (from b, c, d above) is shared with any non-company entity whatsoever, then the same data must also be shared with the Data Protection Authority of India.
2. Chapter III – Grounds for Processing of Personal Data Without Consent
Clause 13 and Clause 14 provide exceptions for recruitment, public interest and for processing of publicly available data.
Recruitment: If the hiring company intends to review social media data on their own or through a 3rd party, then they should take explicit consent of the job applicant.
Public Interest: Public interest can mean a lot of things to various parties. The Data Protection Authority of India’s approval should be mandatory in this case.
Processing of Publicly Available Data: Most users accept default usage policies of providers and unwittingly allow the public release of their data. Hackers also make such data public. Providing an exemption for any entity to process this data is not in the users’ interest because the user may not approve a) such processing or b) the possibility of publishing of processed data.
3. Chapter VIII – Exemptions
Clause 35(i), Clause 35 (ii) and Clause 37 create serious opportunities for abuse both by political parties in power as well as employees of government agencies.
- National Security is treated on par with Friendly Relations with Foreign States and Public Order. As National Security is of paramount importance to the State, it cannot be mentioned in the same vein as Friendly Relations with Foreign States and Public Order which can be subjective and vulnerable to misuse.
- A judicial order as well as the Data Protection Authority of India’s approval must be a pre-requisite for the grant of the exemptions. This will provide a reasonable level of checks and balances because of the distribution of decision-making broadly across the legislature and the judiciary.