‘Data protection bill will make businesses difficult to operate’
Aadhaar will be subordinate to the data protection framework under this law. The Aadhaar Act may have certain provisions that talk about how you need to protect information under it. But Aadhaar will be used outside this construct as well
NEW DELHI: Rahul Matthan, a partner-lawyer in the technology and media practice at the law firm Trilegal and author of Privacy 3.0, spoke to
about his understanding of the draft Personal Data Protection Bill, what works and what doesn’t, and the way ahead. The proposed law drafted by a committee headed by former Supreme Court judge BN Srikrishna was submitted to the government on Friday. Edited excerpts:
Nakul Sridhar
says that anything going forward from the day the law takes effect needs to comply with the law. Even that is really complicated, because it’s not like everyone is going to stop processing data, wait for the law to come into effect, and start again. That’s a really difficult question. One of my concerns with the Bill is I think it’s going to become very difficult for businesses, the data fiduciaries, to operate. Companies are not used to this level of collecting or processing personal data. That would be a huge shock to the system. The Bill talks more about direct data collection, such as data collected from a person to open a bank account. It doesn’t say much about the data collected, say for example, by Netflix to target better movies at you. When it comes to this, it is going to be much more challenging for both businesses as well as users.
need to come under the larger data protection law. There is a recommendation that says the Aadhaar authentication services must be used only by the government. It is not the place of the committee to look into that as it is a matter currently before the Supreme Court. So it’s unfortunate that recommendations on sub-judice matters have been made.
In only one case. The whole penalty regime is meaningless to the government because they don’t have a turnover. Paying a penalty is not an issue for them. This is a serious gap in the way the framework is structured. There is a section for offences which applies to both people as well as the government. But the government has several exceptions. So how are we going to hold them accountable?
views on it and it’s a polarizing topic. I don’t think we should have data localization. I think it’s not good for business. The recommendation to have a mirror server in India is also a bit of a problem. Start-ups can easily open an Amazon cloud server and just start without any expenditure. Once you start this data mirroring, it’s going to be very difficult.
I have a feeling this is going to have a chilling effect on innovation.
Both Facebook and WhatsApp comply with Europe’s General Data Protection Regulations (GDPR), so they will already have similar kinds of provisions in place. So they can modify their privacy slightly, at least for the plain vanilla clauses, to comply with the Indian law. But it does affect them in the case of data localization. They may have to look at how their costs are going to be affected.
Users get the ‘Right to Data Portability.’ It’s there in GDPR as well. You can ask Facebook to give you a copy of all the data on you, it’ll be given to you. Can you port data such that your likes and profiles on Facebook can be shared with, say, Google? That is special media graph portability, which is something that all the social media giants have been resisting. I don’t know if that is the extent to which data portability will go.
A lot of the general obligations are all fine. I like the data portability framework. It is very powerful for users to move data from say one person to another. And you can do it through a consent dashboard. In my mind, I think they have gone overboard with notices, obligations to maintain a record of consent.
I am very keen to remove data localization provisions. As much as we say we must do Artificial Intelligence and big data, this Bill can even harm them due to the purpose and use limitation. Big data works on a lot of data. Only de-identified data that can’t be traced to an individual should have been allowed for data fiduciaries to use for big data. This would have been a forward-thinking way.