Live Mint Interview on Data Protection Regulations

Following is the interview of Naavi that appeared in Live Mint recently:

Excerpts as published:

What’s your take on the provisions in the bill?

Privacy legislation is always a complicated legislation. You have to balance the interest of privacy activists who want their rights protected, business people who want total freedom so they can exploit, and the government that wants as much control as possible. The preamble of the bill recognizes these three stakeholders. Whatever you do, someone will be happy and someone won’t be. That’s what is playing out here. But overall, I think they’ve done reasonably well.

How does this bill compare with its counterparts in the West, like the General Data Protection Regulation (GDPR) in the European Union?

GDPR has principles of processing. So do we. GDPR has rights [for citizens]. So do we. Except that, in the ‘right to forget’, we are a little more circumspect than the EU. In EU, it’s more or less automatic. In India, we say it is subject to adjudicator’s decision, which is a quasi judicial authority that can take decision on this. This reduces the burden on the judiciary. If the adjudicator’s decision is not acceptable, one can approach an appellate tribunal. If that’s not acceptable, one can approach the courts.

There are concerns that some of the provisions in the bill allow for significant state surveillance.

The Bill will empower government for certain things. Section 35 and 36 allows certain security agencies to process data for surveillance. They are, however, not allowed to misuse this data.

Article 19 of the Constitution also provides reasonable restrictions, where the government allows itself similar exemptions in cases of ‘decency’, ‘morality’, ‘defamation’. Based on the constitution, the government can use ‘incitement to offence’ and ‘public order’ for surveillance. These terms are generic and can be misused.

As per this Bill, the offence has to be related to matters of ‘national security, sovereignty, integrity of the state’, not things like ‘decency’. So in my view, this reduces the surveillance powers of the government.

One of the reasons for concern is the possible broad interpretation of ‘integrity of state’.

I understand. But some parts in the Indian Penal Code also give draconian power to the police. Even they misuse it many times. This is more reflective of persons in charge of the legislation. We can only have deterrence. Likewise, you can’t omit this law on speculative grounds, saying the government might misuse it. The law can provide a framework. If someone wants to misuse it, punish them separately.

How desirable do you think data localisation is, as mentioned in the Bill?

Right now, there is no data localization in the legislation. ‘Non-sensitive personal information’ can be transferred, so can the ‘sensitive information’, subject to explicit consent. Only ‘critical information’ cannot be transferred but we don’t know what constitutes that. There is no restriction on transfer of data.

When we’re talking of having one data centre in India, it will act as a back-up data centre. There is an economic cost for businesses. But I don’t believe the industry will suffer.

Will having a data copy in India affect the way a law enforcement agency can access a person’s data?

For a law-enforcement agency to access someone’s data, it needs to be for law-enforcement reasons. They have to send a notice, identify investigating officer, identify the reasons for which it is done, and tomorrow if police officer is going beyond their normal duty and collect the information, there’s always a possibility that the written request will be questioned in court of law. But if someone wants to ignore the procedures, that is what the private sector – the data centre owner – has to resist. Agencies can’t come and directly take away data.

Is there a possibility of misuse by state agencies, with data being more accessible than earlier?

I have been working in field of cyber crime for 20 years. When we want information for investigation, Google and others don’t give data. If you get an abusive or obnoxious email, you’d need the IP address to find out who sent it. But they will often not reveal the address. In a way, they’re protecting the abuser. I don’t buy this idea that if data is in India, there will be a problem. I don’t trust Facebook or Google.The possibility of misuse exists but both arguments have to be considered on a case-by-case basis.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

2 Responses to Live Mint Interview on Data Protection Regulations

  1. Dr Sanjay Sinvhal says:

    Have a query on ownership of data.
    Many Digital Mktg company work as Agency with their Client and run online campaigns. THis data consist of clicks on webpages where Ad is running, online forms for lead generation etc.
    NOw is Agency owner of this data or the Client who had paid to run the campaign, owns this data?
    How is this data treated under PDPB 2019?
    Is such data ownership covered under any other Indian Law?
    What if it is a Foreign Client? Will data be still covered under Indian Laws if the Agency is in India?
    Please share your veiws.
    Thanks

    • There are multiple issues here. I will try to provide my views with some presumptions where necessary.
      First of all, “Ownership” of personal data is not the right term to be used in this context. Non Personal Data can be considered as an intangible property and can be sold and can provide ownership rights.
      In case of “Personal Data”, the “Personal” refers to the identity elements about an individual data subject that is inherent in a data set. If it is shared by the data subject himself, he is providing a limited right of use of the personal information. It is a purpose oriented, limited time use and conditional transfer to use the personal data. No ownership rights are created except the rights which you are referring to as “Ownership”.
      When such data is collected by one and transferred to another, it should be done only on the basis of the consent ( or legitimate interest or exempted rights, derogations etc).
      Secondly when we talk of clicks on the website, it could be anonymized data also. If there is a persistent cookie linked to a known person then the data can be considered as “Personal”. Otherwise it is data which is not identifiable to any known individual. If the data is collected by a service provider and later given to another person who has some other data with which it becomes identifiable, then the first person would have dealt with a “De-Identified Data” which is “Re-identified” by the second person. If the first person hands over the data in such form where there is no possibility of re-attaching the same with an identified individual, then he would be dealing with anonymized data only.
      If a client buys an aggregation of un-identified data then it is not in my opinion personal data at all.
      However, many consider even the “Un-Identifiable” data as “personal data” if it contains at least one identity parameter like the IP address of the web visitor. It is on the presumption that the person collecting it may have other means of identifying the data subject.
      If the client enters into a contract strictly for “Data without identity”, he is buying a non personal data and it may not come under the provisions of PDPB.
      If however parties in their ignorance try to collect more information than necessary, they may end up dealing with the personal data.
      The person who first collects such data would be a data fiduciary who has to collect consent. The next person could be the “Data Processor” or a “Joint Data Fiduciary”.
      PDPB is capable of addressing these things though it is an “Interpretation” which the DPA may provide a more detailed clarification and not the law itself.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.