By Sangeeta Patnaik
India is making rapid strides towards ushering in a new data protection regime. The Draft Personal Data Protection Bill that is under review and is being deliberated by the Joint Parliamentary Committee is expected to sweep through the economy with major revamps to the statutory and regulatory landscape. The current Draft Bill has proposed the establishment of a data regulator — the “Data Protection Authority of India (DPA)” — which will be entrusted with the “duty to protect the interests of the data principals, prevent any misuse of personal data, ensure compliance with the provisions of the Act and promote awareness about data protection”.
At this point, a phrase from the FSLRC (Financial Sector Legislative Reforms Commission) Report from 2013, which holds relevance in any regulatory context, comes to mind: “In a system governed by rule of law, no action should be judged against unknown standards. Therefore before the regulator can carry out any supervision or adjudication functions it has the responsibility to lay down in clear and unambiguous terms the behaviour it expects from regulated entities.”
The tasks set out for the new regulator, the DPA, are therefore colossal. It has to chart out the principles for data protection that bring in clarity and uniformity across sectors (organised and unorganised) while taking into account the significance of data categories in the Indian context. All of this while staying ‘not-out-of-tune’ with international data protection laws, and keeping pace with an economy that is infused with technological developments.
Laying foundational principles: Not a clean slate
The data regime in the country is in its incipient stages with non-contiguous standards which are either codified in laws and regulations, or guided by formal and informal understanding between the data subject(s), sender(s) and recipient(s).
To start with, the DPA will not have the benefit of building upon an integrated set of data protection principles. The set of foundational principles will have to hold sway over the various sectors and industries in terms of transparency and consistency. The regulatory body, in addition to monitoring and enforcing the provisions, will also have administrative responsibilities like specifying codes of practice, promoting awareness, addressing customer grievances, etc. Unless alternative mechanisms for implementation are put in place, regulatory resources could become highly stretched in the discharge of these functions.
Understanding contextual norms
The term ‘data breach’ evokes pictures of violation and consequential penalties. However, data protection, as many researchers agree, is not an exact science. As Helen Nissenbaum stated in ‘Privacy in Context: Technology, Policy and the Integrity of Social Life’, privacy is provided by the appropriate flow of information within a specific context. Privacy norms that evolve over time are determined by the following independent parameters: (i) data subject; (ii) information sender and recipient; (iii) type of information; (iv) transmission principles.
The principles of confidentiality are largely determined by the preferences of the sender, recipient, nature of data, and the context in which the data is exchanged — not just the type of data, but an individual’s confidentiality preferences determine data sensitivity. What a person shares with a healthcare professional will be different on a scale of sensitivity than what is shared with a financial services provider.
The task of surveying the landscape for the categories of personal information that are collected, processed, transferred, retained, etc., and pulling together a skeletal framework accounting for such preferences comes with a set of challenges.
Harmonising sectoral provisions
Confidentiality requirements, wherever they exist, are codified in a diverse manner in sector specific provisions. The Telecom Regulatory Authority of India (TRAI) in 2010 issued a direction to the telecom providers to implement the privacy and confidentiality clauses in the licenses that permit them to conduct business. These, for example, are mentioned in the service providers’ licenses such as the National Long Distance License, Unified Access Service License, Internet Services License Agreement, etc.
In the Indian healthcare sector, although what qualifies as breach of trust, misdemeanour, and professional misconduct can be determined to an extent, there is no specific legislation to govern the collection, processing and retention of data. The hospitality and retail sectors similarly do not have regulations for handling data, though a consent mechanism exists in some cases. Companies in the financial sector (insurance, banking, etc.) are subject to confidentiality and security provisions stipulated by the sectoral regulators depending on the products or services provided. In addition to the sectoral provisions, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information [SPDI]) Rules 2011 (IT RSPP Rules) lay down clauses for handling personal information and SPDI.
A dogged approach is required to incorporate the data protection principles in existing provisions; more important is to maintain a uniform application of these principles across sectors. A sovereign data protection framework, the objective of which is to protect the rights of data subjects, will have to bring in some consistency in application while considering the type of data handled in the sector. Government agencies that are in scope will also have to be considered. Tightening the regime in certain sectors and leaving it unaddressed in others will leave the objectives unfulfilled.
For example, the healthcare data collected by an insurance provider is governed by confidentiality requirements but the availability of the same data or its subsets with a healthcare professional or a pharmacy in a relatively less protected manner will not address the objectives of data protection.
Keeping pace with innovation
Technological developments have brought in ‘never-seen-before’ convenience, interconnectedness and personalisation. Companies make efforts to out-do each other and their own products. This has shortened the time taken from technological innovation to commercial production. All of this has led to the proliferation of digital footprints, and of variations on them, at an unimaginable rate. Lurking behind these are the techno-socio risks such as identity theft, data breaches, misuse of facial recognition technology, cybercrimes, deep fakes, etc., that thrive on the availability of data in the virtual world. Technological developments have outpaced legal developments and will continue to do so. Regulatory mechanisms that ‘learn and evolve quickly’ will be put to the test.
Researchers agree that privacy is a non-renewable privilege. Virtual footprints are difficult to delete and so is data that is available in the public domain due to a breach. Data in the digital domain stays there forever. Enforcing individuals’ ‘Right to be Forgotten’ and ‘Right to Erasure’ could be difficult to implement.
What the regulator should get started with
“Knowledge of law serves the people with the tool of power and self realization. Unless the people are aware of rights, they cannot live in consonance with the true dictates of democracy and rule of law” — Excerpt from ‘Legal Literacy: Cornerstone for A True Democracy’ by Anoop Kumar
The 2011 census indicated a 2001-2011 decadal literacy growth rate of 9.2%, which is slower than that seen in the previous decade. Literacy plays a major role in the success of any awareness campaign. Furthermore, strengthening the faith of the consumer will require encouraging filing of complaints and timely resolution through the non-judicial Grievances Redressal mechanism.
Certain measures that can be adopted are:
- Phase-wise implementation: The Data Protection Bill will expand upon the categories of Personal Data that are in scope of the IT RSPP rules. Definitions will assume deeper expression under the terms ‘Sensitive’ and ‘Critical’ data. Efforts to identify and assign relative ratings to industries and/or sectors that are data-intensive can be a starting point for implementation. A numerical system that assigns values to the subjective and objective harms that can be caused with a potential breach of data in these sectors can indicate where to start.
- Benefitting from existing regulatory mechanisms: A vast knowledge base and tremendous expertise lie with the sectoral regulators, who are well versed with the industry and technological developments in the products and services that they regulate. The DPA is expected to lay down the Codes of Practice and enforce the Act along with the regulator(s) with concurrent jurisdiction. Harnessing the existing regulatory mechanisms to achieve the DPA’s objectives can additionally be considered. A model with a pivotal role for the DPA and delegated authority can enable operational efficiency, especially in the areas of promoting awareness, data audits, ranking data fiduciaries, and grievance redressal.
- Risk-based approach: The OECD’s Risk Management and Corporate Governance report states: “It should be fully understood by regulators and other standard setters that effective risk management is not about eliminating risk taking, which is a fundamental driving force in business and entrepreneurship. The aim is to ensure that risks are understood, managed and, when appropriate, communicated.”
Enabling organisations to conduct self-assessments within a structured and pre-set methodology can help take a leap towards operationalisation of a data protection regime. Periodic and iterative assessments alongside declarations of self-compliance within a monitoring and feedback mechanism can supplement these efforts. Needless to say, this might not result in elimination of risks but could set the framework for identifying the key drivers for data protection.
- Advisory guidelines: Effective implementation is dependent on a collaborative approach that considers sector specific nuances. A model where the centralised role is taken up by the DPA for providing clarifications on the Act and issuing advisory guidelines to specific sectors can be considered. To cite an example, the principal data protection legislation of Singapore, The Personal Data Protection Act 2012 (PDPA), establishes a general data protection law that applies to all private sector organisations. It sets out the ‘Data Protection Provisions’ for collection, use, disclosure, access, correction, transfer and retention of personal data. In addition, the country’s Personal Data Protection Commission (PDPC) has issued a number of advisory guidelines which provide greater clarity on the interpretation of the PDPA.
- Set up to improve: The challenges for a legislative structure only begin with the commencement of the regime. The framework will require periodic and timely ‘ever-greening’ in order to remain relevant against the backdrop of case law, products, services, privacy preferences, etc., that are dynamic in nature. A consultative framework with periodic inputs from authorities, industry associations and self-regulatory organisations, together with review of the complaints database, can mitigate certain challenges. Jurisdictions with well-established regimes base their frameworks on channels that provide the data protection regulators with information on developments that aid supervisory judgement. The data protection landscape in India will metamorphose with the challenges that unfold. Any such listing can therefore by no means be exhaustive. What matters the most is that the regime aims to start constructing a framework of trust and accountability.
As the legendary Arthur Ashe said, “Start where you are. Do what you can. Use what you have.”
*Sangeeta Patnaik is a Certified Information Privacy Professional (Asia). The author has worked in the financial services industry and is currently working with a major multinational bank. Views expressed here are personal.