The Economic Times carried an article today that “Global IT bodies express concern over data protection Bill”
The Indian Express went ahead to say “US bodies push back on data protection bill, seek new working group”
These media reports are not reflective of the general views prevailing in the industry and many of the industry experts who spoke in a webinar on Data Protection organized by ASSOCHAM yesterday expressed their eagerness to see the law being passed.
Does the Industry want to over ride the Parliament?
It is interesting to note that in the ASSOCHAM webinar, representatives from Google, Meta, Amazon etc were all present and none expressed very strong disapproval that the Bill has to be rejected. However, the Indian Express report is very clear that
A senior executive working with a big tech company said…. that “The JPC report has to be rejected and a new working group with trade and industry bodies have to be formed to discuss the issues”
Should Government be forced to commit Contempt of Court?
It is clear that some sections of the media are amplifying minor concerns to force the Government to withdraw the Bill and postpone the law by a few more years. This appears to be an attempt to scuttle the bill and force the Government into committing Contempt of Court.
During the proceedings on the Aadhaar and Privacy in the Supreme Court, in 2017, the Government of India has committed itself and has been directed by the Supreme Court that a robust privacy protection law should be passed at the earliest. If there is further delay then the Court can turn around that a delay of more than 6 years tantamount to “Contempt of Court”.
Even if the Court remains silent, there will be activists who will file such a petition and also ensure that the Parliament in the next session is disrupted on the issue that Government is not serious and has to resign.
Why the Big Tech Company objections are not sustainable?
Most of the big tech companies have already been in the process of consultation and many of them deposed at the JPC. Some voluntarily stayed away from deposition even when they were invited.
Hence their claim now to a new consultation is completely unacceptable..
Demand of the US Bodies is driven by a rejection of Indian democracy
It looks very odd that the commercial companies lead by the Social Media companies known for their fake news propagation are demanding the scrapping of the Joint Parliamentary Committee report and wants an industry body to dictate what the Parliament has to pass as a law or not.
This is an attack on the sovereignty of our Parliament and must be rejected.
What are the Concerns?
According to Indian Express, one of the main problem is “insistence on local storage of data and restrictions on cross border flow of data”. Lack of large data centres is cited as an issue.
It appears that the industry body which has made such statements is not in sync with the developments of PDPB 2019/DPA 2021 in India and is commenting on the draft of PDPB 2018.
While we still support the PDPB 2018 version of “Cross Border transfer of data” which required copy of all data transferred had to be kept in India, it is to be noted that the present version wants only copies of the “Sensitive Personal Information” has to be kept in India.
Even the RBI which has a sectoral regulation on transfer of banking data out of India has now allowed processing of financial data outside India though the processed data has to be brought back to India.
It was interesting to observe that one of the experts in the ASSOCHAM seminar was suggesting that “Since Storage is also considered as processing, storage outside India can also be considered as continued processing and hence data may never be brought back to India”. I presume that this was just a mischievous joke and not to be taken as a suggestion to bypass the RBI directive.
The claim of the group as reported in Indian Express may therefore be considered a “Fake Report”.
Non Personal Data included in the Bill
The JPC-2 fell into a trap set by the opponents which were the same industry bodies who are today opposing the inclusion of non personal data in this Bill. The earlier version of the Bill had the provision of Section 91(now re numbered as Section 92) which empowered the Government to direct a data fiduciary to transfer anonymised non personal data to the Government in certain circumstances where it is required for better Governance.
Some of the same Big Tech companies which are in news today were unhappy since they felt that the Government will take over their data and raised a hue and cry that the provision was ultra-vires the “Personal Data Protection Act”.
The JPC fell into the trap and tried to widen the scope of the Act by calling it as “Data Protection Act” and adding that it applies to non personal data also. Now the same big tech companies are objecting to this widening of the scope.
The industry is again misrepresenting the situation that apart from the Section 25 where reporting of non personal data is “Empowered”, no change has been proposed on any other aspects of Non Personal Data Governance. This provision can remain in the act without being taken further.
The reason why the JPC fell to this trap was that some bureaucrats thought that if there is a single DPAI for both personal and non personal data it would be good. They forgot that the Non Personal Data Governance is much more than “Reporting of Data Breach” and involved “Monetization”. Security of Non personal Data was not a concern of this legislation since ITA 2000 already addresses this requirement.
Having bitten the bullet of Non Personal Data now, it is necessary for the Government to stand up and say that “Data Breach reporting provisions” are only an “Empowerment” and the DPAI may consider it is required or the current system where such reports go to CERT IN are sufficient.
The Section 92 provision is required for National Security (like the Ukraine situation) and can be justified.
Is Innovation discouraged or disincentivised?
One of the other concerns raised in the ET reports is that
- “Recommendations run counter to global standards…Many of our joint member companies in India and from across the globe will be significantly impacted by the report.”
- It also states “recommendation to establish a domestic alternative to the international SWIFT banking system is unprecedented”.
- They continued to hold a wailed threat… “When these and other recommendations in this report are considered as a whole, their result, if enacted, would lead to a significant deterioration in India’s business environment, degrading the Ease of Doing business in and with India, and negatively impacting India’s domestic start-up ecosystem and global competitiveness. The ability of companies to participate in the Indian market would be dramatically impacted, thereby reducing foreign direct investment in India”
It is unfortunate while these companies accept the EU GDPR regime with insane penalties being levied on them, they think that they are able to dictate terms to the Indian Parliament.
As regards any provisions of the proposed Act that the tech companies need to follow there is perhaps another 2 year window to attain compliance. Hence whether it is providing the “Verified” badge or adopting a proper consent or obtaining security certification or Algorithmic transparency the two year time is more than sufficient.
It is therefore our considered view that the objections raised lack conviction. We can wait for the regulations to be announced by the DPA in the next 6 months or more and then consider if the concerns expressed are real or imaginary. If there are real difficulties, the Government may consider appropriate amendments.
Naavi
