Experts have termed the part of the Personal Data Protection Bill that calls for some form of user verification from social media companies, though ‘voluntary’, a “disastrous” move. This is in addition to the concerns around surveillance, the government’s access to non-personal data held by companies and a lack of clarity over data localisation requirements. The long overdue Bill is expected to bring in new protections for user privacy.
Udbhav Tiwari, Public Policy Advisor for Mozilla, said the social media verification measures could be “disastrous for anonymity of users online,” and might end up compromising their privacy further. “Privacy of users will be impacted massively. Companies now, especially the large players, will have all govt identification about users. From what we know of social media companies, it is never going to be, ‘okay we will just keep a copy of this document and never touch it.’ They will use that information to carry out the activities that they usually perform. That’s going to be very very dangerous,” Tiwari said.
Cautioning that in case of privacy breaches, which are inevitable, such measures could mean the consequences of the breach are significantly higher, Tiwari said: “Now everyone knows that these companies will have a treasure trove of data that is irrevocable. You can’t change some of this data.”
Non Personal Data
Another area of concern for companies will be the Bill empowering the Central government to call for non-personal data (NPD) from data processors or companies.
“Forced data transfers are a form of nationalisation of data. There are some interpretations which say that databases are a form of IP or trade secrets, because you create value with them for a lot of companies. Now if the govt were to go in and start asking for this information, it would hurt not just social media companies or multi-national companies, it would be equally harmful for domestic companies and startups,” Tiwari said.
“There will be an industry pushback on non-personal data,” Punam Shejale, Head Process Excellence & IRM at CitiusTech, a healthcare IT solutions company, told indianexpress.com over the telephone. “This data is being used to build business models. This is a trade secret for these companies, they use it for competitive advantage.”
There is still some concern around the data localisation measures, though the Bill has dropped some of the harsher requirements of mirroring all personal data in India. The Bill says sensitive personal data, defined as financial data, health data, official identifier, sex life, sexual orientation, etc, can be transferred outside, but it must continue to be stored in India. Critical personal data shall only be processed in India, though the Bill does not define this and has left it to the discretion of the Central government.
“In an ideal world such data restrictions should not exist, there are better ways to control data flows. But if this has to happen, critical personal data seems to be the most acceptable way in which data localisation can be defined,” Tiwari said. However, he was clear that critical personal data should be defined by the Bill and not a central executive.
For companies, though, data localisation will bring new challenges.
“This will definitely pose challenges. Especially with digitisation, adoption of cloud technologies and distributed systems, the data could be anywhere. This could definitely hamper operations for companies, especially those with centralised systems and multinational border, cross-border operations. Costs are definitely going to go up for companies, as they try to comply with the demands,” Shejale said.
There would be implementation and compliance challenges due to ambiguity in interpretation as to what constitutes a “fair and reasonable” processing of data, she added. “This may result in varying standards being followed for processing similar data by different entities, thus not meeting the base intent of this Bill of personal data protection,” she said.
But the new data localisation rules could also mean a boost for India’s industry. “This holds potential for new industry in India from an IT perspective. It could give impetus to new businesses, though for some companies it may give difficulty and the challenges will be there,” explained Burgess Cooper, Partner, Cyber Security, EY India.
Privacy by Design
While some provisions of the bill have raised concerns, there is a general consensus that the Bill brings important regulations and calls for privacy by design, which were much needed. “A good strong data law provides clarity on what’s allowed, what’s not allowed. This is a fairly strong law. It has strong principles, strong regulators. All of that is present when it comes to private entities,” Tiwari noted.
“The Bill is a positive move by the government and it is a big start. This will ensure that actions are taken by the organisations to protect an individual’s personal data. Currently it is all up to the ethos of the organisation. It brings some much needed structure,” Shejale concurred.
According to Cooper, privacy by design can no longer be an afterthought. “The earlier days of explicit consent no longer hold valid. The data processor now has a responsibility to protect the data of the user. Further, well implemented data privacy controls could actually mean more business for companies,” he noted.
Govt gets a free run
While the new Bill is seen as strict for private entities, as The Indian Express reported, it offers considerable leeway to the government and its agencies. The Bill will let the Central government decide if it wants to exempt any of its agencies from the Act being applied to them.
“When it comes to the government, it is a huge regression. In comparison to 2018 draft, which contained provisions around how the government was going to use data without consent, it needed to follow something called the necessary and proportionate standard. That has been completely removed from this draft,” Tiwari said.
“Many provisions of the bill don’t apply automatically to some government agencies. For surveillance, for intelligence agencies, they don’t need to be notified to be exempt under Section 36(a). User privacy is strong on private entity side, but very, very weak on the govt side. That should be addressed,” he said, given that the “government is the biggest processor of data”.
Mishi Choudhary, Technology lawyer and managing partner at the Software Freedom Law Centre India (SFLC), said while the Bill is a good first step, “giving the State complete veto power to access any data for vague reasons and provisions dealing with non-personal data would be a major problem.” The SFLC noted that the Bill does not have “requisite procedural safeguards or judicial oversight,” when it came to the government and how it would handle personal data.