The Joint Parliamentary Committee (JPC) on Personal Data Protection Bill 2019 appears to have felt insulted by the refusal of Amazon to attend the JPC and there are suggestions in the media that the JPC should issue a privilege notice and force their presence before the JPC.
It is understandable that JPC has delayed the completion of its proceedings because they wanted to give time to organizations like Face Book, Google, Twitter or Amazon to appear before the committee. This was a matter of courtesy.
But these organizations are interested more in delaying the passage of the bill and if they feel that the JPC would not finalize the Bill before they hear these big guys, it would be an incentive for them to find more excuses to delay their appearance.
The approach of the JPC to summon an unwilling organization through a “Privilege” excuse is self defeating.
It is also not understandable that the Business Standard report suggests that questions were asked by the committee members to Face Book on how much tax they paid etc. These are again not the issues on which JPC should be concerned and diverting the JPC to issues other than the suggestions on PDPB 2019 appears irrelevant and diversionary.
We must understand that this JPC is not like the IT Standing committee. The objective of this JPC is to ensure that as much of opinion is gathered as possible so that the bill when passed would be well drafted. To this end they can try to collect as many opinions as possible. Most of the views of experts are already with the committee in the form of written submissions. The JPC invitation is only to get more clarity on the subject by interacting with domain experts.
Probably the JPC is being mislead to get into areas which are outside the scope of PDPB 2019 forcing further delay in its passage and this should be corrected. Such an approach will provide grounds to challenge the recommendations of the JPC later in the Courts.
Business organizations like Amazon as well as Google of Face Book have vested interests and their views are expected to be skewed against the interests of the larger public good. If a company like Amazon does not want to attend the JPC, it means that they donot have any views to submit and will accept whatever law comes into force. Unlike Google of Face Book, Amazon does not have a history of challenging the Government regulations and it appears that they would be happy to work as the law of the land dictates.
If Amazon attends the JPC, it can only say that they donot want data localization or that the financial information should not be considered as “Sensitive”. These will only support the detractors of the Bill and those who oppose data sovereignty. It will not help in the drafting of a better law.
I therefore urge the JPC to ignore the non attendance of Amazon and conclude the proceedings at the earliest.
Whatever efforts the JPC takes in good faith in collecting the views of the large MNCs, the opposition to the bill will continue to exist and there will be some litigation that will follow on the principles of data sovereignty, data localization etc., unless the JPC is interested in making the law as per the dictates of the large corporations.
Further, if the JPC gives a perception that Amazon’s views are essential to pass an Indian law, they would be undermining the status of the JPC and the Indian Parliament itself.
A question will also arise why a similar summons were not sent to the Indian e-Commerce companies or IT Companies having a huge stake in Data Protection. There may be a perceived discrimination against Indian players such as Jio or TCS or Infosys who also may be invited through summons and obtain their views.
It is therefore strongly felt that JPC should refrain from making the non attendance of Amazon an issue to give them a second hearing as if their views are critical to the passage of the Bill. If Amazon is important, why not Flipkart, BigBasket, Jio Mart, PayTM, all of whom will have their own views as important as that of Amazon.
We respect Amazon for its E Commerce but we donot think that they should be given a privilege to dictate the framing of Indian law or even left feeling that they are big enough for the Joint Parliamentary Committee of the sovereign Indian Parliament to hold the passage of the legislation begging for their views to be provided.
We have already lost lot of time and the recent data breaches in Breach Candy, Dr Lal Pathlabs and Dr Reddy laboratories indicate that international hackers are making a merry of the lawlessness on data protection and will continue to do so until the organizations implement better security measures in the fear of the PDPA (India).
We believe that all the recent data breaches are genuine breaches and occurred because the organizations were naïve enough not to have a passwords to their cloud data storage.
I however donot rule out the possibilities of other organizations taking a cue from these organizations and start faking the data breaches to sell their data to hackers. Such frauds are common in the Insurance area where organizations often fake fire accidents to claim insurance claims. (Many politicians might have also used such fake “Fire Accidents” to get incriminating documents destroyed.).
Given the value of medical and financial data in the dark web close to us$100 per data set, if a company has a few million such records, faked hacking can be a way of selling the data if the company or any of its executives want to make a million dollar bonanza stashed away in the form of Bitcoins, which again, our Government and the Supreme Court through their magnanimity have allowed to remain in our economy as a currency of criminals and a currency of digital black wealth. (Message for Mr Modi for his Mann Ki Bath)
Passage of PDPB 2019 without further delay is therefore essential and the JPC should conclude the proceedings at the earliest and submit its recommendations. It will take further time for the DPA to be established and regulations to be compiled. But the companies will atleast be put on notice on the 4% of global turnover as possible administrative penalty if they ignore PDPA provisions.
If necessary, we can always make an amendments after passage. We know that California Consumer Privacy Act (CCPA) got amended about 7 times after its initial passage before it was due to become operative. There is no issue therefore of amending the Act say after about an year of its passage incorporating some of the experiences during that period.