3. A lot of discussion centered around the issue of “Consent” and “Informed Consent”. The issues were about the need for and effect of consents as an instrument of Privacy protection. There were also suggestions that consents should be applicable by processors also, consents should be standardized and simplified etc. The fact that India consists of illiterate users with multiple language use also was highlighted. The difficulties of handling “Employee Records” when the companies want to change the processors was also raised.
It is true that “Consent” has been the main instrument with which Privacy protection is being handled worldwide. The focus has been that there has to be a proper Privacy Notice, there has to be an “Informed Consent”, the opt-out should be the default option etc.
At the same time the issue of “Consent fatigue” where by users are required to go through multiple consent forms several times during the day which makes them click on consents as a routine manner is unavoidable. If we continue to deal with “Consents” then we need to find a way to address the “Consent fatigue” issue.
Though the “Click Wrap Consents” donot have a strict legal validity in India, they still constitute a means of finalizing “Contracts” online which would be considered as “Implied Contracts”. Implied contracts have the short coming of being “Voidable” in respect of onerous fine print clauses and would not help either the consumer or the service provider at times of crisis.
In India, at present Section 43A of ITA 2008 provides “Contractual Consent” as the prime method of defining “Reasonable Security”. Hence when an employer obtains a valid contract with the employee at the time of employment which includes the right to process personal information, it can be considered as a “Consent” that can enable the employer to over ride the privacy obligations. Companies with multi national employees also are subject to the same law through many corporate seem to fear international regulations and consider their local rights as non existing.
The system of “Consent” cannot be changed. It will continue. However efforts to make it better in terms of making the user understand the nuances before he clicks the acceptance button and highlighting the onerous clauses to make them effective even in a deemed, standard form , implied contract should continue.
One of the suggestions made was to have a few standard form of consents which are colour coded so that the user knows exactly whether he is giving consent to a “Green Clause” with less amount of personal information being made available to “Red clause” with more information disclosure and risk were suggested.
These suggestions are also dependent on classification of data which includes special form of data which are derived from the data supplied by the data subject and converted into a more value added form. There are data such as “Psychometric data” or “Genetic data” which could be derived with effort from the Data collector. Assigning rights on them and restricting data aggregation and use of value created out of aggregation is a challenge.
Some suggested that we need to even recognize “Community Data” and protect them.
Ease of Doing Business
It is essential for us to understand that in designing the new law, we cannot go overboard with all minute concerns real and imaginary. We need to look at creating a law that is possible to be understood and implemented. “Compliance” should be facilitated so that industry does not look at this as a “Hurdle” and the “Ease of Doing business in India” does not deteriorate.
Value Addition to Data
Also the possibility of the Data collector doing an analysis and creating additional processed data which is more valuable cannot be completely taken out of the rights of the processor. Even if the basic data belongs to the data subject, the derived data has an element of value addition by the Data collector which needs to be rewarded.
Some examples of such derived data pointed out by the participants included “Energy Consumption Data” and “Psychometric data” which may be extreme cases of artificial intelligence usage which are more for fiction writers of the future rather than the law makers of today. If “Data Analytics” is a key area of business in future, then it is possible that data can be used in multitude ways by technologists and law can only be set in generic terms to cover the “Identifiability” of data as a parameter of regulation.
The classification of “Identified” and “Identifiable with available data” and “Identifiable with further data that may be derived or available through instances such as mergers and acquisitions etc” need to be addressed. However, the level to which Artificial Intelaigence can go in future is not known to us today and hence some loss of privacy has to be factored into the legislation today. This can be introduced in the form of differential penalties when data is breached depending on the level of security that the Data controller demonstrates as having been used before the data was lost.
Data Trust as an intermediary
Considering these difficulties, there were multiple suggestions which came back to the central point of what we have suggested earlier as a “Data Trust”. These intermediaries can be instruments of effective collection and use of consents. They can also monitor the Data controllers and impose discipline in the industry. The concept has already been discussed earlier and hence it is not repeated here. But if it is accepted, there would be an instrument of managing “Data” as a “Property of the data subject” which is licensed to the Data Controller through the Data Trust. The Data Controller who makes revenue out of the data has to bear the cost of this infrastructure by sharing some of his spoils with the Data Trusts so that the consumer does not end up incurring higher direct costs. But the Consumer may be able to get better data security in respect of his Privacy information.
Many participants discussed the concept of “Co-regulation” where the Data controllers would participate in the last mile control of data security. The law may also end up not being too prescriptive and leave it for the Data Controllers and Processors to “Secure” and in case of failure, “Pay a penalty”.
Recognizing the importance of monitoring the activity of the Data controllers, some suggested that there should be public accountability and auditability of data controllers etc. Most of these are impractical and from the security point of view are not recommended also. The processing infrastructure in most cases cannot be publicised and hence the only recourse is to get proper warranties and punish negligence adequately to ensure that Data Controllers maintain the security of data.
In such a regime, it is preferable that instead of regulating hundreds of Data Controllers, if we have fewer “Data Trusts” it would be better from the point of view of management and regulation. Thus, the concept of Data Trusts present multiple advantages that need to be recognized by the law makers… is our suggestion.
Privacy Vs Law Enforcement Requirements
Naavi also pointed out that in many instances, Privacy Protection is used as a protection against law enforcement detection. Hence there is a pressure on law makers to include stringent prescriptions and not yield to any exemptions to be given to law enforcement. This is not ideal according to us. Privacy Protection is as much for honest citizens who consider law enforcement as their protectors and hence law should take this into consideration.
In suggesting protection for data when it moves from one data controller to a data processor and subsequently to many sub contractors, a discussion ensued on whether it is possible for data to be tagged in such a manner that it can be traced wherever it moves so that it can be erased when necessary and updated when required. Many participants felt that this is technologically feasible and must be implemented through law. However, the undersigned is of the opinion that “Personal Data” collected by a Data collector does not always remain as a single document that can be tagged when it is moved further. The collected data contains many data elements and sub data elements which may be split, distributed and re assembled elsewhere in a different context. Hence putting a traceable and auditable tag on personal information is not technically feasible and hence cannot be mandated. Instead mandating the legal responsibility to protect through sub contractor’s contracts is the only feasible option which can be put into the law either in the main law or through sectoral laws or regulations. This is already being done as a standard industry practice.
Cyber Security obligations
Repeated requests were made to mandate “Cyber Security” as part of the data protection laws. It would be introduced as an obligation of the Data Collector (or the Data Trust) and certainly there is no case for a prescriptive information security policy being part of the main legislation. This is part of HIPAA legislated in 1996 and is relevant for sectoral laws and not for the umbrella law.
Foreign Data Subject
Discussions were had on “Data of Non Nationals” whether it should be covered or not. This is an important issue which should be part of the scope definition. When the personal data of any body including a non national comes into the hands of an Indian Data Controller or Data Collector there will be a contractual agreement between the data subject and the data collector. This should define the data protection obligations and should provide primacy to the Indian law by default. In our opinion any demand that such individuals directly dealing with Indian data collectors refusing to abide by Indian law is forcing the Indian data collectors to follow an alien law instead of the local law. This is not recommended for acceptance.
In the event of a foreign data subject coming through a foreign data collector/Controller who entrusts the data for processing to an Indian data processor, the obligations need to be set into a Business Associate/Sub Contractor contract and other things should be subordinate to the contractual obligation. This is the law in India under Section 4#A of ITA 2000 and must be respected.
One aspect that did not come up for full discussion was whether there would be any certification bodies that would certify the Data Protection in different agencies like the standards certifying bodies.
It is known that most data breaches have occurred in bodies that have been certified under PCI DSS or ISO 27001 etc. The presence of such certificates make the management complacent and reduce their vigilance. Instead the responsibility should remain with the management and they may be permitted to use any standards to achieve the objectives of securing the privacy data. It should be the choice of individual organizations to chose any standards external or internal, resort to certification or otherwise. The Data Protection Authority may however have their own standards for auditing and they may use any auditing firm including PWC as they so desire as long as the assessment is on the basis of the law as defined and not on other considerations.
Privacy After Death
A point was raised by the undersigned on whether Privacy Right should persist after death. Though not discussed in the general forum, it was pointed out by the undersigned that “Privacy” as a “Right to Life and Liberty” has no meaning after the death and Privacy of an X individual cannot be enforced as a right of Y. If a person has a deemed Privacy issue, it should be handled as a “Defamation” or “Attempted Defamation” issue rather than the Privacy issue. Hence the protection obligations should cease after the death of the individual.
Naavi’s Detailed Comments
A copy of the written response to the questionnaire from Naavi was submitted to the Committee. It has incorporate the points mentioned here. The final version which may be submitted before 31st January 2018 will also be posted on naavi.org whether they are considered by the committee or not.
We close the recollection of the Public consultation exercise at Bangalore on 13th January 2018 in Bangalore here. We might not have recollected all aspects of the discussion. Omission f any is not intentional. I invite other participants to add their comments if any.
We shall continue to submit our own thoughts on the subject here in the coming days as well.
Links to all the three parts of this report of the consultation are available here