The Press release by the consortium of foreign companies including the Amazon, Google, Apple, Microsoft, Facebook etc opposing several provisions of the proposed PDPA 2019, have thrown a googly at Mr Kris Gopalakrishna, the chairperson of the committee on Data Governance.
The consortium which consists of those companies which are worldwide considered notorious for using personal data under one pretext or the other are concerned that the advent of PDPA would hamper their progress. They are therefore raising objections on PDPA though they have adopted to similar provisions of GDPR without a whimper of protest.
“We are concerned that some provisions in the PDP Bill would hamper the country’s economic growth, constrain the ability of companies operating in the market to innovate, and in some cases potentially undermine the protection of Indian citizens’ privacy,”
says the letter reportedly sent by them to the JPC.
We are happy that they are concerned. But the objections raised by them donot reflect that they are expressing a genuine concern for the Indian citizens though they are expressing concern for themselves which we can concede as their right provided they are not hypocritical about it.
The letter continues to state
“The ambiguity in the definitions, and the restrictions on where data must be stored based on those definitions, presents a serious constraint for many companies when planning their future investments in India,”
It is agreed that every law will have some ambiguities and it will be cleared over time. Even PDPA may need clarifications and it will be clarified mostly when the DPA comes into existence. Some minor clarifications can be made in the Bill and we can hope they would be addressed. Some of these objections of the industry have already been codified by NASSCOM-DSCI whose detailed representation is now available in the public.
What the industry stalwarts are concerned is about Section 33 on Transfer of data outside India and Section 91(2) which states
(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.
Explanation.—For the purposes of this sub-section, the expression “non-personal data” means the data other than personal data.
(3) The Central Government shall disclose annually the directions, made by it under sub-section (2), in such form as may be prescribed
What these companies are objecting is for the empowerment of the Government provided in the Act to use the “Non Personal Data” available with these companies which are generated in India to be made usable for the “Better targeting of delivery of service” and “formulation of evidence based policies” by the Government.
It is after the Government conceding the request of these Governments that they should be allowed to transfer the data outside India.
This objection requires to be assessed on the basis of the principle of data sovereignty. If Data is like Oil, the Government of India needs to have some right on the use of personal data extracted from Indian Citizens in India. The section 91 is an empowerment of this provision to be exercised under the post facto supervision of the Parliament.
The tech giants collect the information free from the Indian citizens and make enormous money out of it. But when the Government wants to retain the right to use the anonymized data for the benefit of the Citizens of India, the companies have an objection.
Is this a concern for the Indian Citizens which they are trying to announce through this press release?
These companies need to appreciate that the PDPA is more than generous to recognize their needs of “Processing the data of foreign nationals without the application of PDPA” by a total exemption from the Act under Section 37 which states as under
37. Power of Central Government to exempt certain data processors.
The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.
Have these agencies seen such provision in GDPR?
Similarly in order to support “Innovation”, the Act also provides for a “Sandbox” arrangement under which companies can seek an exemption from the law for a total period of 3 years.
Have these agencies seen such provisions in GDPR?
It is obvious that these agencies are only interested in extracting more and more concessions and if possible delay the passage of the law indefinitely.
By making a statement that they want the passage of PDPA2019 to be deferred until the Kris Gopalakrishna Committee submits its reports, they are expressing faith in Mr Kris Gopalakrishna to provide some relief to them in his recommendations. This has unnecessarily placed him under a radar so that whatever he recommends, it will be seen under the lens of whether it has been influenced by these agencies with whom he had very intimate business relationship while he was working in Infosys.
While we expect Mr Kris Gopalakrishna to be mature enough not to be influenced by the commercial interests of these agencies, it is avoidable that he is put under a pressure by such statements.
Now it will be necessary for him to issue a statement that his recommendations would not be affected by these friendly statements from the agencies who are opposed to the Data Sovereignty principle.
I hope he comes forward with a statement distancing himself from these statements.
In the meantime the JPC may take note that there is no truthful representation in the submissions of these companies and it should not hesitate to revert the Section 33 provisions to the earlier provision where one copy of all personal data generated in India should be stored in India. This provision was consistent with the GDPR provisions and there is no need to dilute it as long as there are provisions like Standard contractual clauses and Adequacy clauses, Emergency provision and Explicit consent based transfers available to meet specific needs.
The dilution of the personal data local copy clause will hamper the Indian Law enforcement and also the potential to develop indigenous data storage related business.
The threat of these companies that their investments could be hampered, should be also taken note of by the Government and we need to promote more of indigenous competitors to FaceBook, WhatsApp, Twitter and even Google. This would enable reduction of the power these agencies are now using against the interests of the country.
This is the time to once and all determine whether these agencies respect the democratic system of India where they are allowed to flourish without confronting the genuine interests of Indian citizens and the Indian Government or prefer to be marginalized like they have been done in China.
Simultaneously, the Government should recognize that NASSCOM-DSCI has become a close advocate of the views of these foreign agencies and hence any suggestions from this lobby has to be taken with a pinch of salt.
(P.S: These are personal views of Naavi and kindly excuse if it hurts any other professional in India).