There have been a flash of Press release from a consortium of MNCs namely Amazon, Apple, Google, Microsoft, Facebook and IBM expressing “Concern” over the “Privacy Protection of Indian Citizens” and how the Indian Government is trying to create an Orwellian State.
It was ironic that just a few days back there was a CNBC report, according to which Google had been fined $9.5 billion since 2017 by anti trust regulators, FaceBook, Amazon and Apple are facing investigations across Europe. The probes have been both from competition and Data Protection authorities.
Google has been accused of “cheating” the public with favouring its own comparison shopping service over Competitor’s by manipulating the search results.
FaceBook has been facing several inquiries by the Data Protection Commissioner of Ireland and other countries.
Amazon is under investigation from the anti trust watchdog of Germany.
Apple is being accused of manipulating the App Store fees to put competitors at a disadvantage.
From the above, it is clear that these companies are commercial companies who have no concern for the public except to make money out of them. While this is not too objectionable if they are honest, when they pose as if they are beacons of virtue and start advising the Indian Government why the PDPA is harmful to the interests of Indian societies, we have to point out the credibility of these companies.
New Generation East India Companies
We in India are aware of the invaders from Europe and the Central Asia who plundered the Indian wealth and finally colonized India. All the European invaders came to India for trade and slowly occupied the country. Now the Tech giants are coming back with a similar motive, to now set up colonies in the “Data Rich” India by collecting personal data of Indians and using them for their commercial benefit.
The PDPA therefore has a responsibility to ensure that this “Data Plundering” does not happen.
A glaring example of this is the way TransUnion took over CIBIL and today controls the critical financial information of millions of Indians. All the Indian Banks who sold their holding in CIBIL quietly to Trans Union without properly informing their share holders of the value of personal data that was going with the sale of equity. The RBI and the Ministry of Finance remained quiet when this plundering was happening.
Now the “Global Data Companies” are concerned that certain aspects of PDPA try to inassert the Data Sovereignty of India.
Compared to the PDPA 2018 version, the data localization aspect was very much diluted in the next version and still these companies are not satisfied.
The PDPA 2018 stated in Section 40 as follows:
40. Restrictions on Cross-Border Transfer of Personal Data. —
(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.
(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.
(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under sub- section (1) on the grounds of necessity or strategic interests of the State.
(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.
Under PDPA 2019, this was diluted to the following version:
33.Prohibition on processing of sensitive personal data and critical personal data outside India
(1) Subject to the conditions in sub-section (1) of section 34, the sensitive personal data may be transferred outside India, but such sensitive personal data shall continue to be stored in India.
(2) The critical personal data shall only be processed in India.
Explanation.—For the purposes of sub-section (2), the expression “critical personal data” means such personal data as may be notified by the Central Government to be the critical personal data.
In the new version the non sensitive personal data can be transferred out of India without any restriction and sensitive personal data can be transferred subject to certain conditions but a copy has to be maintained in India.
On the other hand, GDPR under article 44 says:
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
These Tech Companies have not so far challenged the GDPR but are only challenging the Indian law with the assistance of NASSCOM and DSCI which have been endorsing only the commercial interests of these companies ignoring the interests of the country.
This tech coalition argues that the data localization in whatever truncated manner it remains now has adverse effect on the growth of the country’s economy. This is a false and motivated view. If there is complete data localization as per the PDPA 2018 version, then there would be a significant development of the data storage and data processing industries in India and the entire eco system around Data Centers and Data Security would grow. It is difficult to quantify the benefit without a detailed research but qualitatively, there can be substantial benefit.
It is agreed that this will cause some disruption to the operations of the Tech Consortium and also increase their costs of operation. So did the GDPR. If these giants quietly accepted GDPR and moved on, they should accept the Indian law also and move on.
The one concession that can be granted to them is that the date of implementation of the data localization can be fixed at least 6 months from the date of implementation of other aspects of the Act.
But we strongly recommend rolling back the data localization requirement to the PDPA 2018 version.
The other concern that the Consortium has expressed is about Section 91 which states as under:
91. Act to promote framing of policies for digital economy, etc
(1) Nothing in this Act shall prevent the Central Government from framing of any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse, insofar as such policy do not govern personal data.
(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.
Explanation.—For the purposes of this sub-section, the expression “non-personal data” means the data other than personal data.
(3) The Central Government shall disclose annually the directions, made by it under sub-section (2), in such form as may be prescribed.
This is only an enabling provision and there is no need for these Tech firms to take offence. Once the data is anonymized, it becomes open data and if it can be used for better Governance, these companies should voluntarily come forward to share the data rather than raise objection.
Further this section only says that the Government retains the power to pass another legislation or issue policy guidelines as required to regulate the non personal data. These companies have no jurisdiction to object to this power which is inherent with the Government.
In view of the above, the concerns raised by the Tech Consortium deserves to be rejected.