
Naavi.org

Building a Responsible Cyber Society…Since 1998


We have many times through these columns urged the Justice Srikrishna Committee which is drafting the new Data Protection law for India to ensure that an “Umbrella Protection” is provided to Indian Companies from being unfairly targeted under EU GDPR by EU Companies and EU data protection regime.

As we approach the D-Day, 25th May 2018, when GDPR will become operational, many companies in India are getting into a panic mode over the impact of GDPR on their business. The indications are that the companies think GDPR applies to all their activities, and this is leading them to believe that they need to take many actions which they are not bound to take. Partly this panic is being induced by US companies who engage Indian Data Processors for part of their processing activities. In the process, many Indian companies are revising their business contracts to meet the GDPR requirements as they perceive them, endangering their own and the country’s business interests.

These contracts typically contain indemnity obligations which include compensation payable for any loss caused to the vendor. Since this is likely to include the administrative fines under GDPR, Indian companies may be forced to underwrite the GDPR obligations of international companies even though their revenue share is only a part of the entire industry revenues.

There is a national interest involved in ensuring that unfair and unconscionable liabilities are not introduced into the data processing contracts that Indian Companies are forced to enter into.

These contracts are “Dotted Line Contracts” and need to be fairly constructed. However, in practice, it is difficult to expect Indian companies to resist the signing of such contracts because of the business relationship considerations.

It is therefore necessary that Indian legislation provides a protection to such companies in the national interest.

One option available to us is that we are about to draft our own Data Protection law, and this provides an opportunity to define a grievance redressal mechanism under which international data protection contracts must be pre-approved by the Indian Data Protection Authority, without which no liability may be imposed on Indian entities.

GDPR itself recognizes that some of the member states may not permit the imposition of administrative fines and has suggested that suitable alternate measures may be provided in the member state laws. [Refer Article 83(9)]

Indian Data Protection Act should also incorporate equivalent protection so that any payment of fines under GDPR data processing contracts shall be considered void unless it is approved by the Indian law.

Though the GDPR should be interpreted as a law applicable to “Activities in EU”, there is an attempt to interpret it as a “Global Law” and let the EU determine the law for other sovereign countries. I am not sure if the EU is really that arrogant to assume that in the 21st century, other countries will tolerate the EU legislating the activities that take place outside the EU, even if the intention is laudable. But many in India are more loyal than the king and, when required to bend, are happy to crawl. This tendency should be resisted.

Though Article 2(2) clearly admits that

“this regulation does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law”

many analysts are interpreting it as if, under Article 3(2), Controllers and Processors not established in the EU are also subject to the regulation without any restrictions.

Some non-EU companies are falling into the trap of Article 24(3) and thinking that they need to appoint representatives in the EU, without recognizing that the act of appointing a representative itself brings them under EU jurisdiction even if they are otherwise outside it.

Indian Companies need to avoid voluntarily jumping into the jurisdiction of the EU and dragging in liabilities which the EU law-making body has no authority to impose.

(Refer the article here, where the GDPR scope is discussed in detail by one analyst… very informative and indicative of the perceptions of the global community)

Welcoming the Vasco Da Gama

Unfortunately, it appears that there is no adequate attempt made by NASSCOM or DSCI in advising the Indian Companies properly to ensure that their interests are protected.

On 25th May 2018, there is a high profile event organized in New Delhi, as if India wants to celebrate the GDPR. EU Commission representatives are expected to participate in this along with DSCI, NASSCOM and Government officials.

Even Justice Srikrishna is likely to attend this event and speak.

As a result of the participation of NASSCOM, DSCI, and Justice Srikrishna, it would appear as if India is endorsing GDPR.

To me this appears to be similar to the Indians who welcomed Vasco Da Gama to India without realizing that it was the beginning of colonial rule, which extended for centuries thereafter, with all kinds of economic pirates entering India, including the French and the British.

Now, a similar danger seems to be in front of us in the form of GDPR. Indian companies need to be protected against unfair incidence of GDPR and prevent this being used for building an economic colony in India by EU companies.

Even if at present GDPR appears to be only a Privacy protection legislation and a good “Standard” which can be adopted as an industry practice, we must realize that adoption of GDPR will be followed by GDPR Codes and Certifications approved by the Supervisory authorities of EU countries.

This GDPR certification process will replace ISO standards and create a huge business potential for GDPR related security services and products.

I must disclose that I could be one of the beneficiaries of such a development, since I may be providing consultancy and educational programs in the area and am also working on a patent pending software which should help Indian companies in compliance. However, in the interest of the community, it is necessary to raise a red flag against GDPR turning out to be an instrument of exploitation of Indian business interests.

I request that the EU should refrain from projecting itself as the Privacy saviour of the world community and avoid going overboard with the “Extra Territorial Jurisdiction” of its laws. If they desire to use GDPR for expanding their business network, then they need to enter into a business treaty with the Indian Government ensuring that there is a fair exchange of mutual benefits.

Since it appears that our IT Ministry might not have realized what the Indian data processing industry is walking into in the guise of GDPR, I urge Justice Srikrishna to step in and introduce suitable provisions in the proposed Data Protection Act so that our national interests are not undermined by the application of GDPR, directly or indirectly, to IT operations in India.

Naavi

Also Refer: Data Protection Law should provide a Jurisdictional umbrella

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the Justice Srikrishna report.]

The Justice Srikrishna Committee (SKC) has propounded 7 key principles of the Data Protection Act and proceeded to provide several questions in its report seeking public comments.

The seven key principles on which the proposed Data Protection law would be based are as follows.

1. Technology agnosticism – The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.

2. Holistic application – The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims.

3. Informed consent – Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria.

4. Data minimisation – Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject.

5. Controller accountability – The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing.

6. Structured enforcement – Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms.

7. Deterrent penalties – Penalties on wrongful processing must be adequate to ensure deterrence.

The above principles may determine the broad contours under which the SKC may work out a draft of the Data Protection Act of India (DPAI). In the background, the Supreme Court’s views on Aadhaar as an instrument of Governance and a potential tool of breach of Privacy will be weighing on the minds of those who will work on the drafts.

One of the first questions to be raised therefore is: “Do these principles need to be expanded or modified?”

It is in this context that we raise the first supplementary principle to be added to the list.

“The proposed Data protection Act should be amenable for compliance by all stakeholders with pleasure and appreciation of the purpose. It should not attempt to enforce the law compliance by pain… except to the inevitable minimum required pain that accompanies all changes.”

The second principle which follows the first is that the proposed law should confine itself to the limitations that are inherent in such a legislation. The law is proposed as the “Data Protection Act of India”, but is that the right definition of the proposed law, or should it be considered differently? This is a question to ponder.

When the honourable 9 member bench of the Supreme Court (Puttaswamy Judgement) declared in a hurry that “Privacy is a Fundamental Right under the Constitution of India”, there was no time to deliberate and come to a conclusion on “What is Privacy”. The order did not specify the definition but said Privacy is a fundamental right. So the task before the Data Protection Act legislators includes defining what they propose to protect.

A question naturally arises therefore that if the 9 eminent jurists could not define the enigmatic concept of “Privacy”, should the Data Protection Act of India attempt to do it?

Data protection legislation may not be the right law to define Privacy. It should be defined through a different law under the overall domain of “Democratic Rights of an Indian Citizen under our Constitution”.

On the other hand the Data Protection law can effectively define the “Security to be accorded to Data” of a particular type. “A Data Protection Act” should confine itself to protection of “Data” which may be personal data, sensitive personal data, or even corporate data. Calling an Act as “Data Protection Act” and confining it only to being an “Individual Information Privacy Protection Act” is not warranted.

However, India already has a law called “Information Technology Act” which has several provisions that fall in the category of “Data Protection”. It also has provisions that are meant to protect “Information Privacy” because of Sections 72A and 43A. Sections 43 and 66 along with several other sections such as Section 67C, Section 79, etc define responsibilities of individual information privacy protection. Sections like 69, 69A and 69B also provide the “Reasonable Exemptions”.

Now whatever the new Data Protection Act proposes will be in partial modification of ITA 2000/8 and will introduce a conflict with ITA 2000/8 and perhaps also on the UIDAI act.

The new Data Protection law should therefore decide whether it steers clear of the existing ITA 2000/8 or tramples upon its provisions and replaces them with a new set of the same provisions under a different legal provision.

We should not forget that there is a “Health Care Data Privacy Act” which is also on the drawing board and has already been partially rolled out in the form of EHR guidelines (though the industry has largely ignored it).

One of the other principles that the proposed law should declare for itself is therefore the following:

The Proposed Data Protection Act shall work in harmony with the current established laws in the country such as the Information Technology Act 2000, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,

The Key principles should therefore be increased from 7 to 9.

The main purpose of the suggestion is that we need a legislation that the stakeholders will absorb as a necessary legislation that is good for our society and hence all of us have a duty to comply with it.

Unlike the GDPR, which tries to impose its will through obnoxious penal provisions, the Indian Data Protection Act, or Information Privacy Protection Act, or Individual/Personal Information Privacy Protection Act, as it may be called, should not bank upon its ability to control the market with its penal provisions. By stating that the penalty can be 4% of global turnover or 20 million Euros, GDPR is showing its muscle. India can counter this by saying that the penalty may be 5% of global turnover and INR 2 billion and make it applicable to any entity in the world. With such a provision we can also make the international community raise eyebrows and recognize our existence.

But is this the way law should be imposed? By threatening to wipe out a company in case of non-compliance, leaving it to the mercy of the adjudicator to determine the final penalty and, if possible, to use his discretion as a leverage to ask for favours from the accused?

Penalty should be a deterrent, but it should not be so huge that the accused either declares bankruptcy immediately or thinks of bribing his way out. It is in this context that we say law should promote compliance not with pain but with pleasure.

Data Controller is also a stake holder

In the data protection law, the drafting people should also decide who the stakeholder or stakeholders are. Is the stakeholder solely the individual, and are others like the Data Controller or Data Processor only targets for imposing a penalty if they do not comply, when what they need to comply with is itself unclear?

We must accept that a Company registered in India is as much an entity that needs Government protection as the individual who is a citizen of India. Hence the law of privacy cannot go overboard and look at punishing the Data Controller severely as the EU law tries to do. Of course we do not trust the Companies, as also the Government, when it comes to Privacy protection, and hence the need for the law. Law sometimes tries to provide protection to the Government separately (eg UIDAI) but imposes hefty fines on the private sector for the same offence. This may not be fair.

What follows therefore is that whatever law is now being proposed, it should be equally applicable to a Company, the Government or an individual.

Secondly, if an individual’s data needs protection, corporate data also needs protection. If one is called “Privacy”, the other may be called “Data Protection”.

Hence if we call this new law as “Personal Information Privacy Protection Act”, then it can confine itself to protecting individuals against invasion of privacy that may arise because such information is not protected by a corporate or Government.

If we call this a “Data Protection Act”, then it should extend to Corporate data as well. Since ITA 2000/8 already covers this aspect, there is no need to cover security of corporate data through this Act. On the same logic, if this law has to be a comprehensive law on Personal Data Protection, then Sections 43A and 72A need to be removed from ITA 2000/8.

If Sections 43A and 72A are to be retained and the new law has to extend to privacy protection, then the law should clearly explain that the new provision is in addition to the earlier provisions in ITA 2000/8 and not in derogation of the earlier provisions present in ITA 2000/8.

If this precaution is not taken, we will end up with the argument which was presented by an advocate in an adjudication proceeding in Karnataka, and accepted by the then adjudicator, that “Introduction of Section 43A applicable for body corporate in ITA 2008 automatically changes the meaning of Section 43 and confines its jurisdiction to individuals only”. Though the undersigned did not subscribe to this view at that time and does not even now, if the law is not clear, it enables such manipulation by clever advocates to the detriment of society.

I therefore urge the SKC to declare that

what they are proposing is not in derogation of any of the existing laws and in particular the provisions contained in ITA 2000/8 on data protection in general and personal data protection in particular.

Jurisdictional Umbrella

It is more or less imperative that the law will define that it is applicable to the processing of data of an individual citizen of India by any person including a Company incorporated in India or otherwise or by Government in India or otherwise.

However, this will naturally lead to a conflict in implementation when the law is breached by a foreign company or a Government. Similarly a foreign Company or a Government may also try to impose its own law (eg GDPR) on an Indian company and claim penalties which may be significant and also involve foreign exchange outflow.

The Proposed law provides an opportunity to ensure that this conflict between different laws applicable to a single company in India is resolved without the company (registered in India and therefore expecting the Indian Government to protect its legitimate interests) having to face several international regulatory organizations at a given time.

Typically an organization handling data processing may have personal data from persons of different nationalities. Each nation is now trying to impose its own laws and also extend extra territorial jurisdiction, just as GDPR has done in respect of information that belongs to its citizens. It has therefore become necessary for companies (Data Controllers or Data Processors) to tag every piece of personal information with the citizenship of the individual and try to apply the appropriate laws. In one case it may involve a “Right to Forget” and in another case there may be an “Obligation to retain”. In such cases, the Companies will be unable to comply with conviction if they do not have a data classification system that tags the information to the country of citizenship. (Hopefully there will be no dual citizenship problem.)

This data protection law should recognize this problem of the business community and try to provide a solution.

The solution we suggest is two-fold.

  1. Every consent should incorporate a specific clause which states that “This personal data shall be protected as per provisions of personal data protection applicable to ….. country.”
  2. The adjudication and imposition of penalties, if any, shall be determined as per the personal data protection regulations applicable to India, and the Indian Data Protection Authority shall have the final authority in sanctioning any penalty in respect of any individual who is a citizen of India, or any corporate or other organization registered in and subject to Indian laws.

The jurisdiction clause is proposed as a mandatory part of the consent which itself should be mandatory.
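The citizenship-tagged data classification described earlier, and the mandatory jurisdiction clause in the consent proposed above, can be implemented together. The following is an added illustration and not code from the original post or from any real compliance product: the jurisdiction codes, the erasure-right table and the retention periods are constructed placeholders, not a statement of any country’s actual law.

```python
"""Jurisdiction-tagged classification of personal-data records (illustration).

Each record carries the citizenship tag stated in its consent clause plus any
retention obligation attached to its category. An erasure request is then
resolved against both, so that a "Right to Forget" under one tagged regime and
an "Obligation to retain" under another are detected rather than silently
violated. All rule values below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed rule tables (placeholders, not real legal requirements).
ERASURE_RIGHT = {"EU": True, "IN": False, "US": False}
RETENTION_DAYS = {("IN", "tax_invoice"): 8 * 365, ("EU", "tax_invoice"): 10 * 365}


@dataclass
class Record:
    subject_id: str
    category: str
    jurisdiction: str            # citizenship tag, "" if never captured
    consent_clause: str          # verbatim clause recorded at consent time
    created: date
    retention_until: Optional[date] = None


def consent_clause(country: str) -> str:
    """Build the jurisdiction clause the post proposes as mandatory in every consent."""
    return ("This personal data shall be protected as per provisions of personal "
            f"data protection applicable to {country}.")


def tag_record(subject_id: str, category: str, country: str, created: date) -> Record:
    """Classify a record: attach citizenship tag, consent clause and retention deadline."""
    days = RETENTION_DAYS.get((country, category))
    until = created + timedelta(days=days) if days is not None else None
    return Record(subject_id, category, country, consent_clause(country), created, until)


def resolve_erasure(rec: Record, today: date) -> str:
    """Decide an erasure request for one record.

    Returns 'unknown_jurisdiction' (cannot comply with conviction), 'no_right'
    (tagged regime grants no erasure right), 'retain' (erasure right exists but a
    retention obligation still runs; escalate for legal review), or 'erase'.
    """
    if rec.jurisdiction not in ERASURE_RIGHT:
        return "unknown_jurisdiction"
    if not ERASURE_RIGHT[rec.jurisdiction]:
        return "no_right"
    if rec.retention_until is not None and today < rec.retention_until:
        return "retain"
    return "erase"


def untagged(records: List[Record]) -> List[str]:
    """Audit helper: subject ids whose records carry no usable citizenship tag."""
    return [r.subject_id for r in records if r.jurisdiction not in ERASURE_RIGHT]
```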

This provision also means that if any EU entity imposes a penalty on an Indian Company, the Indian Data Protection Authority shall intervene to accept or reject the penalty claims.

In order to make the provisions of the new law fair, the law can offer reciprocal arrangements of similar nature to foreign jurisdictions and state

“Where penalties are imposed under the Personal Data Protection Act of India on a person who is either not a citizen of India or is a company registered outside India, then the Indian Data Protection Authority shall provide an opportunity to the Data Protection authority (if any) of the country to which the said company/individual belongs to implead on behalf of the said entity.”

Since some of these suggestions could interfere with international obligations, they may need to be properly drafted. The suggested intent is that no Indian Company will be directly made liable to any foreign authority, whether by a contractual agreement or otherwise, without a sanction of the Indian authorities. If this umbrella of protection is not created, GDPR will be an instrument that creates colonies in India and allows European companies to control Indian Corporate entities.

Naavi

(Discussions will continue)