This is the fifth post in our series covering our events in Delhi and Bangalore on India’s Data Protection Law. Click here to read the rest.
“The most depressing part about the bill is the wide exceptions that they carved out for the state (based processing of data). If I’m a user and the state is processing my data, they don’t even need my consent,” said Vidushi Marda, Policy Advisor at ARTICLE19, at the #NAMAprivacy discussion on the data protection bill in Bangalore last month.
The following are some of the key points made in both Delhi and Bengaluru. Please note that these points are not necessarily listed in the order they were made and are not verbatim excerpts of the speakers’ remarks. We’ve edited them for brevity.
User rights: Portability, and the right to be forgotten
“It’s a modern provision and I love data portability. But what we have put down in our data portability provision is three times more than what GDPR has put in,” said Rahul Matthan, Partner, Trilegal.
- Data Portability: Portability blew my mind. The only reason I’m taking all this data with so many layers of consent and accountability is to build IP. And now I’m suddenly required to give all that data to a different fiduciary because you said so? Where’s the quid pro quo? When you go on YouTube, their recommendations are based on what you’ve been watching. That’s their IP. To deny that is to say that you don’t understand the basics of how technology and data work together. (Sameer Nigam, Founder & CEO, PhonePe)
- Portability is brought up in the context of unlocking competition. One of the barriers to switching services is that pre-existing data is locked into the service you have been using. It fits into a data protection law because it is an expression of your control over your data. Even if you believe my data is your IP, a lot of this data is both generated by me and pertains to me, and therefore this law permits me to take a copy of it. (Amba Kak, Public Policy Advisor at Mozilla)
- Data portability is a very weak tool to unlock competition if that’s the goal. Because where are service B and C to whom I can port data from service A? This is more suited to a broader conversation about decentralisation and interoperability where this kind of competition can exist. (Kak)
- Right to be forgotten: There are problems with data erasure in some sectors. The RBI pointed out how much fraud is detected on mobile wallets, and insurance companies can face fraud when health records are vaporised. (Nigam)
- The bill has a right to be forgotten, that you apply for. There is also the obligation on a data fiduciary to delete data after the purpose for which it was taken is satisfied. For instance, if a credit card company wants my financials to decide my creditworthiness, then they should delete that information after they have approved my application. (Kak)
- On a hypothetical, let’s say I love eating beef, and pay for it with my credit card frequently in Calcutta. One day, someone beats me up in Delhi. And the police ask for my DNA to verify that my blood is on someone’s hands. And then the case goes to court — how much of this can I have forgotten? (Devangshu Datta, journalist)
- I see tremendous merit in keeping financial transaction data for a long period, because we see frauds emerge six or twelve months later. On all other aspects, I wouldn’t keep data around longer than I need to. Financial instruments and transaction history, I will keep. (Nigam)
- Not having a right to erasure actually stems from the rejection of the idea of you owning your data. I think it was a very thoughtful decision but necessarily a good one. The fact that you have the right to understand how long your data can be held but you don’t have a right to erasure, for me signals the same sort of tension as with ownership. (Vidushi Marda, Digital Programme Officer at ARTICLE 19)
- It is definitely a big gap (not having a right to erasure) in the law and I hope it can be clubbed and amended in the future, when thinking about ownership. (Marda)
- De-identification vs rights: The focus is on de-identification and all the attention is going to rights. You [users] don’t have absolute rights, I [businesses] don’t have absolute rights. As long as the conditions under which you give your data are honoured, the contract stays in place. Facebook violated my rights by giving my data to Cambridge Analytica, a third party. That’s a breach of trust. (Nigam)
Impact on businesses
- In the music industry, it was the industry crying foul saying that consumers are violating their rights (by pirating). You’re accountable for your own actions — this discussion should have been happening ten years ago. The word then was ‘freemium’. The ‘emium’ never happened. We want services free on a societal level. (Nigam)
- WhatsApp is not an NGO. I went in knowing that the free services were a fleeting relationship. Either they’ll have to exploit me one day, or they’ll have to shut down. That’s life. (Nigam)
- My horror starts when multiple regulators start putting out vague statements on what I can or cannot do, and there is a threat of criminal charges against my organisation. (Nigam)
- As long as the law is clear and prescriptive, it is not vague. As long as it is vague, businesses will exploit it. What you call exaggerated use in a grey area, I call opportunistic value creation. It depends on which school you went to. (Nigam)
- If you add everything up, there is an 18-month transition period. Different things come into force at different times. If you have collected any data before that period of time, you don’t necessarily have to comply with all the obligations mentioned in the bill. But if you are processing data, once the act comes in, your storage needs to comply with the act as well as the DPA’s code of practice. (Matthan)
- When an organisation collects data, it should be split into two parts: data that is essential for a service or product, which in my view should not be based on consent but on a legitimate business interest, and optional data, which should be based on consent. (Srinivas)
- Having more and more data is definitely a good thing for any organisation. But it is important for them to spell it out and classify it between the two classes, mandatory and optional. The user will make that decision. (Srinivas)
- The cost of compliance with this law is going to be huge. Even companies that are used to the GDPR will take time to get used to it because there are nuances that are very different. (Matthan)
- We definitely want to protect privacy because that is really essential for a democracy. But we also have the potential to become a hub for AI, that could offer us a competitive advantage and we don’t want to hobble that. (Kaushik Das, Executive Vice President of Big Data and Data Science, Star India)
- The restrictions placed around collecting data of children seem to be like one of those blanket bans that are not well thought out. (Das)
- There seem to be some clauses in the bill that are more sentimental than logical. (Das)
- The problem with the bill is that things are not well defined enough. Not well defined enough for me to even understand how I as a business could violate certain norms. (Das)
- The draft as it exists is going to be tremendously onerous on data fiduciaries and data principals. (Matthan)
- With the bill in place, a data fiduciary has to demonstrate that the consent that a data principal gave them was clear, informed and free and can be withdrawn with the same ease as it was given. In the case of sensitive personal data, it requires explicit consent. (Marda)
- There is a lack of clarity on various norms and definitions mentioned in the bill that could potentially be a concern for businesses. (Matthan)
- In the Indian context, names could often indicate your caste, which is sensitive personal data. So, if we get to a point where names are not just personal data but sensitive personal data, we (my clients) will be in some considerable trouble. (Matthan)
- The ‘reasonable purpose ground’ for processing data is another cause of worry because it will be as specified or notified by the Data Protection Authority (DPA). We don’t know, until they come up with a list, if it will be exhaustive enough to be able to work in the way it works elsewhere in the world. (Matthan)
- I, in a sense, like the construct where there is a list of principles and the details will be spelt out by an authority. But I have serious concerns whether the state has the capacity to deliver what it is being asked to deliver. (Matthan)
Ownership of data
- Rights above ownership: If this law took ownership of data as its basis rather than rights, we’d be worse off. Ownership over something means you can trade it off. Rights come with a much more solid foundation. (Kak)
- Ownership is just one form of control. There was a time when people tried to tackle rural gender inequality by giving women titles to the land. After years of practice, it turned out that ownership didn’t translate into control. Ownership isn’t the be-all and end-all. There just needs to be more control. (Anja Kovacs, Director, Internet Democracy Project)
- The world over, it is data subject and data controller. If you think about it, the picture that it gives you is almost like data slave and data master. If you transform that to say data principal because this is the person who is ‘principally’ the focus of the act; with a data fiduciary, you create a construct, where a fiduciary owes a duty of care to the principal. That’s very elegantly done but unfortunately I don’t see a reflection of that concept in the act. (Matthan)
Update: An earlier version of this report incorrectly identified Devangshu Datta. Our apologies.