Global negotiations today revolve around debates about the transfer of data. India’s first attempt to domestically legislate on the topic, the Personal Data Protection (PDP) Bill, 2019, has been approved by the Cabinet and is slated to be placed in Parliament this winter session. The Bill has three key aspects that were not previously included in a draft version, prepared by a committee headed by retired Justice B N Srikrishna.
Why does data matter?
Data is any collection of information that is stored in a way so computers can easily read them (think 011010101010 format). Data usually refers to information about your messages, social media posts, online transactions, and browser searches.
The individual whose data is being stored and processed is called the data principal in the PDP Bill. This large collection of information about you and your online habits has become an important source of profits, but also a potential avenue for invasion of privacy because it can reveal extremely personal aspects. Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise to you online. It is now clear that much of the future’s economy and law enforcement will be predicated on the regulation of data, introducing issues of national sovereignty.
Who handles my data, and how?
Data is stored in a physical space similar to a file cabinet of documents, and transported across country borders in underwater cables that run as deep as Mount Everest and as long as four times the Indian Ocean. To be considered useful, data has to be processed, which means analysed by computers.
Data is collected and handled by entities called data fiduciaries. While the fiduciary controls how and why data is processed, the processing itself may be by a third party, the data processor. This distinction is important to delineate responsibility as data moves from entity to entity. For example, in the US, Facebook (the data controller) fell into controversy for the actions of the data processor — Cambridge Analytica.
The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows. Data localisation arguments are premised on the idea that data flows determine who has access to the data, who profits off it, who taxes and who “owns” it. However, many contend that the physical location of the data is not relevant in the cyber world.
How does the PDP Bill propose to regulate data transfer?
To legislate on the topic, the Bill trifurcates personal data. The umbrella group is all personal data — data from which an individual can be identified. Some types of personal data are considered sensitive personal data (SPD), which the Bill defines as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more. Another subset is critical personal data. The government at any time can deem something critical, and has given examples as military or national security data.
In the Bill approved by the Cabinet, there are three significant changes from the version drafted by a committee headed by the Justice B N Srikrishna Committee.
* The draft had said all fiduciaries must store a copy of all personal data in India — a provision that was criticised by foreign technology companies that store most of Indians’ data abroad and even some domestic startups that were worried about a foreign backlash. The approved Bill removes this stipulation, only requiring individual consent for data transfer abroad. Similar to the draft, however, the Bill still requires sensitive personal data to be stored only in India. It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA). The final category of critical personal data must be stored and processed in India.
* The Bill mandates fiduciaries to give the government any non-personal data when demanded. Non-personal data refers to anonymised data, such as traffic patterns or demographic data. The previous draft did not apply to this type of data in PDP Bill, which many companies use to fund their business model.
* The Bill also requires social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data as well as their turnover, to develop their own user verification mechanism. While the process can be voluntary for users and can be completely designed by the company, it will decrease the anonymity of users and “prevent trolling”, said official sources.
What are its other key features?
The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”, including security of the state, detection of any unlawful activity or fraud, whistleblowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data, official sources said.
The Bill calls for the creation of an independent regulator DPA, which will oversee assessments and audits and definition making. Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more. The committee’s draft had required the DPO to be based in India.
The committee’s draft had several other significant keywords that are expected to be in the Bill. “Purpose limitation” and “collection limitation” limit the collection of data to what is needed for “clear, specific, and lawful” purposes or for reasons that the data principal would “reasonably expect”. It also grants individuals the right to data portability, and the ability to access and transfer one’s own data. Finally, it legislates on the the right to be forgotten. With historical roots in European Union law, this right allows an individual to remove consent for data collection and disclosure. After the Cabinet approval of the bill, an official source said this concept is still “evolving” and has not been “concretised” yet.
Government sources said they were open to the “widest debate on this Bill”.
What are the two sides of the debate?
For data localisation
A common argument from government officials has been that data localisation will help law-enforcement access data for investigations and enforcement. As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” — a process that almost all stakeholders agree is cumbersome. In addition, proponents highlight security against foreign attacks and surveillance, harkening notions of data sovereignty.
The government doubled down on this argument after news broke that 121 Indian citizens’ WhatsApp accounts were hacked by an Israeli software called Pegasus. Even before that, the argument was used prominently against WhatsApp when a spate of lynchings across the country linked to rumours that spread on the platform in the summer of 2018. WhatsApp’s firm stance on encrypted content have frustrated government officials around the world.
Many domestic-born technology companies, which store most of their data exclusively in India, support localisation. PayTM has consistently supported localisation (without mirroring), and Reliance Jio has strongly argued that data regulation for privacy and security will have little teeth without localisation, calling upon models in China and Russia. Many economy stakeholders say localisation will also increase the ability of the Indian government to tax Internet giants.
Against the Bill
Civil society groups have criticised the open-ended exceptions given to the government in the Bill, allowing for surveillance. Moreover, some lawyers contend that security and government access are not achieved by localisation. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
Technology giants like Facebook and Google and their industry bodies, especially those with significant ties to the US, have slung heavy backlash. Many are concerned with a fractured Internet (or a “splinternet”), where the domino effect of protectionist policy will lead to other countries following suit. Much of this sentiment harkens to the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders. Opponents say protectionism may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India, such as Tata Consulting Services and Wipro.
Source: The Indian Express
Relevant for GS Prelims & Mains Paper III; Science & Technology