Let’s Be Very Clear About Data
The Personal Data Protection Bill (PDPB) 2019 is a comprehensive framework covering all aspects relating to data protection. In concept, it is in line with EU’s General Data Protection Regulation (GDPR), but is a bit more complex.
PDPB retains most of the recommendations of the Justice B N Srikrishna committee, with certain significant changes. The explicit consent of the data principal and processing of data only for, and with a particular purpose, is the bedrock of the Bill. It does not explicitly deal with ‘data ownership’ or the ‘sovereignty of data’, but firmly lays down the rights of the data principal, accountabilities and liabilities of data fiduciary, data processors and collectors.
So, in a way, PDPB provides supremacy to data principals, who have the right to control the information collected about them, with the burden on organisations to protect their information.
At the same time, it provides that data principals understand their rights and responsibilities. Organisations will be required to overhaul their privacy policies, as there is no history of privacy compliance in India. This involves much effort, cost and time.
PDPB categorises personal data into three broad categories: personal, sensitive and critical. It also introduces the concept of non-personal, de-identified and anonymised data.
The provisions relating to cross-border flow of information are diluted, but intended to facilitate industry, trade and commerce. The contours and guidelines as to what should be construed as ‘critical data’ are missing.
Similarly, the Bill states that sensitive personal data shall continue to be stored in India. However, there is confusion as to whether a only a mirror copy of the data, which is transferred outside India for processing, is to be stored, or whether the data being processed outside the country needs to be brought back and stored only in the country. Similar RBI regulations are yet to be implemented.
The concept of consent manager and data trust score also have implications. The lack of clarity will result in uncertainties, and impact planning and investments. Providing exemption to certain kinds of organisations may be well-intended, but many governmental organisations find themselves under this exempted list.
All provisions relating to exemption, together with that of sharing non-personal and anonymised data, create an obligation on the individual and entities to part their data with the State.
PDPB, however, has to address the privacy interest, not the public or economic interest of companies and government. The processing of personal and non-personal data by such exempted entities must have checks and balances, with accountability.
GoI has set up committees on nonpersonal data under Infosys co-founder Kris Gopalakrishnan. It would be better if a comprehensive framework on non-personal data is enacted in consultation with stakeholders, rather than through the regulatory mechanism of PDPB.
Guidelines should also be clear as to what is construed by ‘sandbox’. Steps should also be in place for entities to take if their permits are not renewed beyond 36 months. The obligation and accountability of such organisations need to be non-ambiguous.
The Data Protection Authority of India (DPAI) is projected to be a ‘superregulator’ to prescribe not only the rules and regulations of data privacy, but also cybersecurity aspects of data. The latter will get technologically more complex with the evolution of technologies like artificial intelligence (AI), machine learning (ML), cloud and big data.
It would be appropriate to let the concerned authorities regulate such issues in consultation with DPAI, since the latter can’t create capabilities in every technological and specialised domain.
Similarly, care is needed regarding exemption for the processing of personal data by R&D organisations. The Bill is an important step. However, the legal challenges of India’s digital economy need to be considered beyond classical data protection laws.
(The writer is former national cyber security coordinator, GoI)
DISCLAIMER : Views expressed above are the author’s own.