“As far as the big MNCs are concerned, the [compliance] burden is only a delta on top of what GDPR’s is because fortunately we had to get ready for the GDPR,” S. Chandrasekhar, group director of policy and government affairs at Microsoft India, said, continuing, “We are only concerned now more about the provisions that are going much further than the GDPR such as non-personal data and other things because we need to calibrate our engineering effort to make agreements and stuff like that. The additional burden is significant but cannot be computed adequately because of lack of clarity.”

On the other hand, Tarun Dua, CEO of E2E Network Limited, a company that provides cloud services to MSMEs in India, pointed out that, “Per capita income in the European Union which has GDPR, and in India are very, very different. Thus, the kind of technical skills that [MSME] businesses would be able to afford in the US or Europe would be very, very different from the kind of technical talent that is accessible to Indian businesses.”

The Bill expects companies to rearchitect their databases so that they can classify data and then potentially erase or forget data of small Indian customers, but “do we really want that the 62 million MSMEs in India have access to that kind of programming talent or database management today?” Dua asked. “Onerous requirements which are like a moving target would be detrimental to MSMEs in India” and they would be completely dependent on large multinational companies to classify data for this, he warned.

Chandrasekhar and Dua were speaking at MediaNama’s June 26 discussion on the impact of the Personal Data Protection Bill, 2019, on cloud and telecom services, that was supported by Microsoft and Google. Comments have been edited for clarity and brevity.

Reasonable standards for data retention are tough for service providers to establish

Technically, it is possible to implement everything that is mentioned in the Bill including data deletion, forgetting data, classifying data, but the problem is establishing what is “reasonable” and harmonising the Bill with other laws, Dua said. For instance, he said, under the GDPR, “reasonable” amount of data can be kept even after a right to be forgotten request is implemented. This reasonable data which, for a cloud service provider, could include which machines a customer launches from a control panel, how a customer made their payments, etc. “There is a lot of data that could be critical for the sanctity of a CSP’s database in terms of audit locks, back track what a customer did, how they interacted with the systems, etc. that the customer may want deleted,” Dua said.

“Let’s take the example of a terrorist. If someone searches on a search engine for how to make a bomb, what is a search engine supposed to do in this case? Under right to be forgotten, such a search needs to be deleted but from a law enforcement perspective, this might be something that the particular search engine may need to store forever.” — Tarun Dua

“Since most cloud service providers give fairly centralised data management dashboards where you can store multiple copies of data across servers, you could ascribe a lifetime to this data so that it is automatically deleted when certain programmatic actions take place. For instance, if someone deletes an account, all data associated with that account gets deleted without manually needing to do so,” Udbhav Tiwari, public policy advisor at Mozilla, suggested. In case data localisation becomes more common, cloud service providers could provide features to their clients wherein they deduce that if data sets are coming from India, they should be stored for, say, 90 days, while if they come from the US, they should be stored, say, for 180 days, he said. “It’s a combination of some manual intervention and some automated solutions,” Tiwari said.

Bill fails adequacy standards laid down under the GDPR

“I don’t think that we’re doing going to do very well in terms of meeting the adequacy eligibility, under the GDPR at least,” Jyotsna Jayaram, counsel at Trilegal, said. This is because of the following reasons, she explained:

  1. Exemptions for the government: Sections 35 and 36 empower the government to exempt itself from provisions of the Bill, thereby leaving certain processing of data completely unchecked
  2. Data localisation: Sections 33 and 34 require data localisation
  3. Storage limitation: Although under the Bill, data can be stored only for as long as it is required for the specified purpose, but it allows fiduciaries and processors to store it longer if they have explicit consent.
  4. Lack of independence of the Data Protection Authority: With changes in the manner in which the DPA is appointed and the constitution of its selection committee, the Bill may not meet GPDR’s adequacy requirements.

GDPR defines the adequacy requirements for transfer of data to a third country or an international organisation under Article 45 and the requirements include independent supervisory authority that overlooks data protection, and evaluating the scope of applicable legal standards and legislation. Jayaram said that the PDP Bill couples cross-border flow of data with consent which muddles the framework from an adequacy perspective. She suggested that it is better to improve the Bill that makes India “globally recognised as a jurisdiction to which data can be transferred without any hindrances in that sense”.

Shweta Rajpal Kohli, Salesforce’s country director for government affairs and public policy (India and South Asia), pointed out that in the Cloud Readiness Index maintained by the Asia Cloud Computing Association, India ranked tenth out of fourteen nations. “That is a cause of worry,” she said. “One of the main reasons is that if you bring in restrictions that’s stymie cross border data flows, that’s symptomatic of lack of interest in efficiencies that cross-border data flows or the cloud ecosystem bring in,” she said.

Exemption for data processors also fails the adequacy test: Tiwari also highlighted problems with Section 37 of the Bill which gives the government the power to exempt certain data processors who process the data of foreign individuals. “From an adequacy point of view, it’s a very dangerous provision because what it says is that we have a data protection law and we will get adequacy for processing foreign data but we can also not apply any part of this act to any data that is of a foreign entity and is therefore not of an Indian,” he explained. While this may benefit the BPO and outsourcing industry, its harms may far outweigh its benefits, he said. “I fail to see if that is a part of the main law how somebody like the European Commission or any other country that may want to grant us adequacy status or certify us in any other way would ever be okay with that,” he said. This exemption needs to be significantly narrowed down. To do that, the DPA may have to issue a separate guidance for the rules that these exempted entities may need to follow, he advised.

Section 37: Power of Central Government to exempt certain data processors

The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.

Venkatesh Krishnamoorthy, the country manager for India for BSA (The Software Alliance), however, pointed out that adequacy also has its limits, something that EU’s June 24 report evaluating the implementation of GDPR also pointed out.

Recommendations

1. Need for harmonisation of laws across the globe

“When it comes to complying with privacy regimes for companies as large as ours [Salesforce], inter-operability becomes very important. The closer we are to accepted global regimes, the better it is for companies to adapt,” Kohli said.

2. Need for sector-specific, but global standards

“Different jurisdictions also have different requirements for storage periods, so we would propose harmonisation and alignment [of laws],” Krishnamoorthy said. While there can be local nuances to the law, it will be good to have sectoral consistency on retention laws according to global standards, he said. The finance sector, for instance, could have different norms from the health sector, but as per global standards, he clarified.

3. Definitions need to be narrowed down and made clearer

Kohli said that a number of definitions are ambiguous. The broad definition of sensitive personal data makes it hard to understand how data localisation would work. Under Section 33, while sensitive personal data may be transferred outside India with explicit consent of the user, it “shall continue to be stored in India”. She said it’s not clear what “storing in India” means. Does it mean that a copy needs to be stored here or does it mean that data has to be mirrored here? If it’s the latter case, how often does data stored in India need to be updated?

Read our complete coverage of the discussion here.