Mr Vinit Goenka, of the Center of Knowledge sovereignty has floated a petition on Data Sovereignty at change.org.
The link to sign the petition can be found here:
For immediate reference some of the salient features of the petition are reproduced here along with my comments.
The petition is in the context of the PDPA Bill which is to be introduced in the next session of the parliament.
Petition and comments:
“Government of India cannot be a mere silent spectator here when data of millions of people in India (common man) is been compromised by tech gaints and foreign entities. The common man gets lured by Free Apps and doesn’t understand the terms and conditions drafted by these tech companies and social media giants.
The social media platforms carrying such Apps/advertisements on their channels as well as new apps making entry into Indian cyberspace have to clearly be monitored.
This is not censorship but the right over our data, maintain our privacy, respect our individuality and to ensure we are not made DIGITAL SLAVES. Its high time, the Government of India takes some strong steps as each day’s delay is a ticking timebomb and we are losing the Digital race.
1) It is the need of the hour to bring in strong laws to monitor and check the social media channels and also revisit the laws every year in the ever-changing cyberspace.
Comment: PDPA read along with ITA 2000 would be reasonably strong to address the requirement if it is passed quickly by the Parliament.
2)It must be made mandatory for these companies to store data inside India and take the permission of the Government of India to take the data overseas.
Comment: Already available under PDPA
3) It must also be mandatory for the parent company of the apps or social media company to have an office in India, registered business address in India and occupier in India. This responsible officer must cooperate with law enforcement agencies.
Comment:. Social Media companies spreading fake news require a different treatment. Some cases may come under right to free speech. Hence this aspect must be handled with finesse. ITA 2000 and the intermediary guidelines are good enough to handle this if the provisions are enforced properly. The data localization is a means of such enforcement.
4)It should also be made compulsory for the social media companies to highlight in the agreements any clauses that infringe the data privacy of the users .
Comments: Already incorporated under PDPA.
5) The agreement should also be in drafted in at least 5 more Indian languages so that the people of India can understand the terms and conditions before using the application and platform.
Comments: The question of taking consent is not an efficient way of privacy protection. There are other means which are out of scope for discussion here. Anyway the suggestion is a step in the right direction. But the problem is why five? which five? etc…
6)The laws must define clearly the provisions for violation of privacy and the said officer and organisation must cooperate with the law enforcement agencies.
Comment: PDPA with ITA 2000 ensures this
7)The minimum age limit of the user of the applications must be defined clearly . Minors should not be allowed to use / register on platforms without parental vigilance.
Comment: PDPA with ITA 2000 ensures this.
8)The Social Media App must be linked to some Government Id or Any verifiable identity to make traceability, stop children from accessing Social media before the stipulated age and curb fake news.
Comment: PDPA with ITA 2000 can be applied to ensure this. Already discussions have taken place with WhatsApp. There was also a discussion in Madras High Court in which the IIT professor Dr Kamakoti also provided some technical solutions.
9) The laws must provide the user with the right to delete his/ her data from common view or access if they later find it inappropriately posted on such platform or application. This data must be wiped out from the servers for common commercial or other use except for law enforcement reasons.
Comment: This has some issues… ITA 2000, Sec 79 has some provisions. PDPA also will have some provisions. Removal from public view is necessary in case of objectionable fake news. But truth cannot be suppressed except in emergencies for which specific provisions in ITA 2000 are available.
10) Social media companies must not use any data without the explicit consent each time while sharing, using, reproducing our content, images, data .
Comment: We need to work with PDPA with ITA 2000 to ensures this
11) These social media companies must pay legitimate taxes in India as per the provisions of law.
Comment: This is outside the purview of the Privacy discussion.
We are aware that the industry lobby is strongly opposing the provisions of the PDPA bill under clause 40 which states as under:
(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.
(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.
(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under sub- section (1) on the grounds of necessity or strategic interests of the State.
(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.
The above restriction applies to only non sensitive and non critical personal data. Besides only one serving copy is required to be kept and transfer is available on various conditions including adequacy, standard contractual clause, explicit consent, medical emergency etc. These are not different from GDPR which says that Cross border transfer is permissible under similar conditions which indirectly means that it is not transferable otherwise.
The social media companies are making an unnecessary issue out of this provision and their objections are not justified.
We also know how these companies like Twitter are helping anti India activities and spreading fake news. When called upon to correct as per the provisions of ITA 2000, they donot respond. These companies who are subservient to FBI and allow backdoors only have problems with Indian requests. Hence their arguments are not to be considered genuine.
Apart from this, some of the points mentioned by Mr Vinit Goenka may require further discussion. One such point is point no 10 on deletion of the data. This has to be subjected to provisions of Section 79 of ITA 2000 and the data erasure provisions under PDPA. There is a proposal to amend a rule notified under Section 79 which also has been placed in the background due to the opposition raised by the vested interests in the industry who donot want fake news in social media to be strongly regulated. MeitY should go ahead with the notification without further delay.
I have proposed other mitigation efforts under PDPA which may be discussed on a different occasion. Subject to these, PDPA is a strong enough law and when implemented along with ITA 2000, can force the intermediaries to cooperate with the law enforcement authorities.
From the petition it appears that there is a lobby in the Government which is interested in yielding to the pressure from the industry which Mr Vinit Goenka is trying to counter. We know that this lobby includes the NASSCOM which is working through DSCI. DSCI submitted a dissent note to the Srikrishna Committee but the Committee went ahead with its proposal for data localization. It is this lobby which has delayed the presentation of the bill so far and may still be fighting for dilution of the PDPA Bill.
I strongly object to the MeitY if it wants to succumb to the pressures of vested interests and hope the Government will be firm in implementing the PDPA provision on data localization.
I therefore support the petition and I feel that Data Localization will give a big boost to the local data industry and must be implemented.