Personal Data Protection (PDP) legislation in India has been one of the most contentious legislations and it is not surprising that several hurdles are being placed in its passage. The latest hurdle is that some creative persons have planted the idea that Personal Data Protection Act should also be considered as Data Protection Act, the Personal Data Protection Authority should also be considered as the Data Protection Authority and the Data Breach Notification under PDPB 2019 should include non personal data breach also.
In the latest round of JPC discussions, Mr Kris Gopalakrishnan has also been invited to present his views. We are aware that Kris Gopalarishnan had presented a report on Non Personal Data Governance (NPDG) and it contained recommendations for identifying “Data Business”, setting up a market place for “Data Trading”, recognizing Non Personal Data ownership as “Anonymized PD”,” Community NPD” “Private NPD” and “Public NPD” etc.
The objective of PDP and NPDG are different. PDP aims at protecting the Privacy rights of individuals while NPDG aims at providing a structure for NPD monetization by business houses. A Data Breach of PD basically affects the individuals. A Data breach of NPD basically affects the Companies. The PD breach and NPD Breach have different consequences and hence need different approach in resolution.
There are two areas where PDP and NPDG may have some overlapping jurisdiction.
First is that a Data Breach incident may include breach of both PD and NPD in which case harm to individuals and harm to the organizations have to be both considered as part of one data breach incident.
Second is that the NPD includes “Anonymized Personal Data” (APD) and the breach may include “Reidentification of APD” causing privacy related harm. In this case the PDP provisions kick in at the time of reidentification of APD.
The argument which has been placed before the JPC could be that in view of the possibility of APD being reidentified and Data Breach being a combo data breach of PD and NPD, the regulator should be same and hence PDP and NPDG can be regulated by a common law.
There can also be another hidden reason that the Data Protection Authority envisaged under PDPB 2019 is being protected from a competitive regulatory authority emerging in the form of the NPD Governance Authority.
If the JPC takes the bait, it could be falling into a trap and it will find it difficult to get the PDPB 2019 passed or avoiding operational conflicts after it is passed which could delay its the notification of operating rules.
Presently data is divided into PD and NPD. Protection of PD+NPD is being addressed by ITA 2000. CERT In is the data breach regulator. Adjudicator is the regulator for awarding compensation for damages to a data breach victim. “Compliance” is the due diligence responsibility which could make an organization liable for data breaches and for payment of compensation to the victims of data breach (Cyber Crime victims). The adjudicator has the powers of Suo Moto investigation and imposing fines on organizations but it would be too much to expect the IT Secretaries who act as Adjudicators to act Suo Moto in the interest of the society when they are reluctant even to take up cases on specific complaints. But law has provided them with the powers which is envisaged under the PDPB for the DPA.
After the PDPB is passed, Section 43A of ITA 2000 will be deleted and hence part of the responsibilities of PDP presently with the Adjudicator and CERT In under ITA 2000 gets transferred to the DPA. However the responsibility for protection of Non Personal Data remains with the ITA 2000 and it automatically becomes the Non Personal Data Protection Act.
The NPD Governance Act which Kris Gopalakrishnan proposed therefore can focus entirely on the monetization of the NPD. When ITA 2000 was framed, it combined the E Commerce Promotion with Cyber Crimes. It also included the equivalent of Civil Procedural Code related to contraventions under Section Chapter IX.
Many other countries adopted a separate legislations such as E Commerce Act and Cyber Crime Act. Whether what India did in 2000 was correct or not is out of the scope of this discussion.
Now PDPB and NPDG is being contemplated as different laws and the proposed change is trying to combine them into one. It is like converting the normal twins after birth to a Siamese twin. It may be possible but we are not sure if it is desirable. But if JPC has taken a decision on this, we need to accept this and move on as opposing this at this stage means giving in to the desire of those vested interests who donot want any type of PDP law to come in India.
The industry had slowly adopted to the PDPB 2019 as an extension of ITA 2000 and frameworks such as PDPSI (Personal Data Protection Standard of India) had already taken steps to provide guidelines for compliance. In fact PDPSI had addressed the need for “Unification” of compliance requirements under “PDPB, EU GDPR etc”.
Now the industry is required to adopt itself to the conversion of PDPB 2019 into DPB 2019. In practice it means that ITA 2000 compliance is now the Siamese twin of PDPB 2019.
In terms of compliance frameworks, PDPSI and DPSI which were two different frameworks now need to be unified into one.
This can be done and will be done.
The DPSI framework which the undersigned has evolved through the IISF309 framework which is being used since 2009 as an ITA 2000 compliance tool is presented in the following document which consists of 40 implementation specifications.
This DPSI was presently considered as a stand alone framework ahead of PDPSI. If the new PDPB2019 combines certain aspects of NPD protection into PDPB 2019 then there will be a need to unify the above version of DPSI into a DPSI+PDPSI combo framework.
Probably we will discuss some aspects of this during the IDPS 2021
(Comments are welcome)