The Srikrishna Committee report has too many loose ends that need to be fixed before it becomes law.

YOU DON’T own your data; your data can reside in a foreign land – and you could be liable for withdrawing consent. Those are just some of the shocking clauses in the much delayed “The Personal Data Protection Bill 2018” architected by the Justice Srikrishna Committee. Despite submitting a draft report way back in November 2017, this is far from a complete Bill. “The Bill could have been prescriptive. But it’s still very open-ended,” says Vidur Gupta, Partner, Cyber Security, Government, Ernst & Young India. In fact, a few from the 10-member panel say the committee did not even consider the Telecom Regulatory Authority of India (Trai) recommendation that ownership rests with the individual (the data principal in this Bill) and everybody else is a mere custodian. Instead, who owns the data of individuals is a question not even answered by the Srikrishna Committee. “It’s better to separate it from ownership and look at rights,” says Rahul Matthan, Partner, Trilegal. That’s at the core of the glaring shortcomings in the Bill. Here are a few more.

No right to erase data: For the first time in India, the Bill has introduced the right to be forgotten. If you cease to be a bank or a telecom customer, the service provider should have no right to use your data. But globally, the right to be forgotten is now widely accepted as the right to erase data. The Srikrishna panel, however, has invented a different definition: “…data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure was made on the basis of consent… and such consent has since been withdrawn…” This implies that the data collector or processor will only be required to restrict or stop sharing data rather than erase it. “Right to forget is anyhow a difficult law to implement. It came from Europe’s General Data Protection Regulation (GDPR) that if a local law requires an organisation to hold data for a period of time, they can,” says Atul Gupta, Partner, IT Advisory, KPMG India.

Second right to data breach: Globally, including in GDPR, the subject of a data breach is required to be informed immediately once a hack is discovered. In its wisdom, the Srikrishna Committee recommends that such a breach must first be reported to the data protection authority to be set up under the Bill. It is the authority that will decide whether the person whose data has been breached needs to be informed or not: “Upon receipt of notification, the authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal,” says the report.

This is an outrageous suggestion. “The intent is to make sure the processor of data is aware they have the responsibility to inform the authority. It does not say you can’t inform the subject,” says KPMG’s Gupta. Companies, however, are unlikely to inform users of their own volition for fear of disrepute. In the Cambridge Analytica case, even Facebook did not inform the users. “It has a lot of interpretation. It has given power back to the Centre or data protection authority. Timeline has been left open-ended,” says EY’s Gupta.

Individual liable: “Where the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal.” That individuals will be liable when they withdraw their consent is a bizarre clause. By implication it means the individual has no right over his own data. This clause could be misused widely by inserting it in the fine print among a heap of conditions and then invoking it when consent is withdrawn. Such a clause has little locus standi and must be struck off. “If the subject revoked consent the subject must have the ability to prevent use of information. Some of these areas will be sharpened out when the draft is put out,” says KPMG’s Gupta.

Conflicting signals: More than 80 countries have laws that mandate data on their citizens stays in servers within the legal and geographical jurisdiction of the country. Unfortunately, India isn’t one of them. Data residing on foreign shores is governed by local laws and can be legally blocked by a foreign entity or individual, preventing legitimate access by Indian authorities. The Srikrishna Committee has left it open-ended, sending a conflicting signal. Specifically, its suggestions are at odds with RBI’s diktat to payment systems companies to store data on servers in India.

Besides suggesting that the government will decide which data cannot be stored outside India, it recommends: “Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.” This implies that while a copy is stored in India, the data may actually reside in another nation, which gives rise to its own set of complications, including accessing it when Indian authorities require it. “How do you manage such conflicts? It should be clear in no uncertain terms which regulation applies,” says KPMG’s Gupta.

Ravi Shankar Prasad, Union Minister for Law and Justice & IT: “We want Indian data protection laws to be the model globally, blending security, privacy, safety and innovation.”

Justice B. N. Srikrishna, head of the Justice B. N. Srikrishna Committee: “Data protection law will be an overarching law that will be applicable to all entities.”

Why so lenient?: The Srikrishna Committee’s penal provisions appear to have been inspired by the European GDPR and have an identical two-stage process. Lesser violations are penalised at 2 per cent of global turnover of the preceding year while graver violations are fined up to 4 per cent of global turnover.

This has two problems. First, Europe is better integrated with the US to be able to impose such fines. Indian courts may not be able to enforce a penalty on global turnover. That begs the question: instead of copying GDPR, don’t we require an India-specific penal provision? Besides GDPR, European law also provides for a maximum fine of 10 per cent of global turnover. That’s ignored by the Bill.

Second, the Bill has recommended ₹5 crore or 2 per cent (whichever is higher) and ₹15 crore or 4 per cent, respectively, for lesser and graver contraventions. Since the size of companies involved runs into billions of dollars, these penalties are puny and not deterrent enough. “If the intent was 2 and 4 per cent, then the minimum threshold should have been much higher where it starts having an impact on the board and management,” says KPMG’s Gupta. Perhaps ₹250 crore and ₹500 crore, respectively. For smaller Indian firms, the threshold may still be turnover-based – 2, 4 and 10 per cent.

And while the Bill rightly recommends setting up the Data Protection Authority of India, the Appellate Tribunal as well as data protection officers, it appears the report has laid far greater emphasis on the architecture of the data protection framework than on data privacy and protection itself. After all, more than half of the 62-page report is dedicated to the governance architecture.

But that could also be to ensure that the Bill does not meet the fate of India’s toothless Information Technology Act, whose biggest failure was enforcement.

The report appears to be a patchwork of laws collated from across the world. Devoid of new ideas, it has lax and lenient clauses and is a missed opportunity to create a ground-breaking law. “We had an opportunity to do something different from GDPR, but we stuck to GDPR,” says Trilegal’s Matthan. India has already wasted a year waiting – a very long time in the rapidly changing Internet world. Time is of the essence. Setting up another panel is not an option any more.

