Having debated the need to “Restrict” the operation of the word “Indirectly identify” in the definition of “Personal Data”, we can now look at Section 40 once again.
We know that PDPA 2018 is a law that has been framed under the Indian Constitution (Just like the GDPR which is a law under EU Constitution) and its basic jurisdiction is for the citizens and activities that fall under its geographical boundaries. If “Privacy Protection” is the basic objective of the law then the mandate for the Government is to protect the privacy of Indian citizens. India cannot assume the responsibility to protect the Privacy of global citizens just as EU cannot assume responsibility for protecting the privacy of an Indian citizen.
However, law makers arrogate to themselves the right to frame laws with universal jurisdiction as if they are protectors of the whole world. GDPR did it and PDPA 2018 had no option but to follow suit.
Hence PDPA 2018 has stated that the law will have extra territorial jurisdiction in some respect though it is more humble than GDPR.
Basically PDPA 2018 applies under Section 2, to the following:
(a) processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India; and
(b) processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law.
Under Section 2(1)(b), processing of data by an Indian company even of a foreign national is subject to this Act.
I consider this a needless responsibility that the law could have avoided.
Under Section 2(2)
(2) Notwithstanding anything contained in sub-section (1), the Act shall apply to the processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is —
(a) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(b) in connection with any activity which involves profiling of data principals within the territory of India.
This is better worded than similar regulation under GDPR and brings the foreign companies within the ambit of the Act which is only reasonable if they are doing business in India or profiling activities in India.
Obviously some of the industry giants appear to be miffed at the courage shown by the legislators in bringing them under Indian law. While US meekly surrenders to the EU GDPR and EU GDPR tries to lord over the global IT systems, there seems to be objection only when India tries to assert its rights equal to other countries. It is in this context that the need to defend the sovereignty of India arises even in defining the provision of the data protection law.
Unfortunately our industry is dominated by vested interests and we find that this provision is being opposed as part of opposition to “Data Localization”.
The arguments presented in this opposition is
- Restricting cross border data flow is against the basic philosophy of Internet
- Imposes Additional cost
- A balanced view is required between Safety and Security of India and flow of global data into and from India
- Approach is against the fundamental tenets of our liberal economy
- Localization may become a trade barrier and unlikely to benefit local industry
Additionally, recognizing that the key to escaping data localization lies in the definition of data, there is an industry view point presented as a dissenting note that wants “Financial Data” and “Password” to be not classified as “Sensitive Data”.
It is not possible to give any credence to any of the objections raised above. It is like the usual arguments we see from the Pseudo liberals in our country who plot the assassination of the Prime Minister on the one hand but wants to be protected under free speech on the other hand.
The Pseudo Data Protectionists want the law to be tuned to the advantage of other countries rather than India. They are having a skewed interest in data protection from the point of view of what helps their commercial interests rather than what helps the country and its citizens. This attitude needs to be countered for a healthy development of “Privacy in harmony with Security”.
I am sure that as in many other instances, Naavi.org will be a contrarian thought leader and the industry professionals may have discomfort in accepting the “Nation First” view point even ahead of “Privacy”.
After all I consider that “Cyber Security is a fundamental Right” and Privacy right has to be balanced with the Security of the State without any excuse.
However, there will be many debates on this concept and this is only the beginning of a long drawn data colonisation war which India has to fight with the world data business leaders.
Let’s watch the developments as they unfold.