- Financial data is already regulated by RBI and should not be classified as sensitive personal data in the Bill
- Non-personal data should be dealt with separately at a later stage
- Algorithmic transparency regulations should be dealt by NITIAayog
- Remove restrictions on data transfer between businesses
- Clarify the need for concurrent audits
These were among the many recommendations made by speakers at MediaNama’s Decoding India’s Data Protection Bill event held last week. The Data Protection Bill 2021 and the Joint Parliamentary Committee (JPC) report were tabled in the parliament on December 16, bringing us one step closer to India’s first data protection law. But there are many aspects of the Bill which need to be revisited.
In the session on Obligations of Data Fiduciaries, Nehaa Chaudhari from Ikigai Law, Ulrika Dellrud, Chief Privacy Officer at PayU, Uthara Ganesh, Head of Public Policy at Snap India, and Udbhav Tewari, Public Policy Advisor at Mozilla suggested the following recommendations. This discussion was organised with support from Google, Flipkart, Meta and Star India, and in partnership with ADIF. To support future MediaNama discussions, please let us know here.
Financial data should not be treated as sensitive personal data by the Bill
Classifying financial data as sensitive personal data is unnecessary and affects customer journey: The Bill classifies financial data as sensitive data and platforms dealing with sensitive data have additional obligations, including restrictions on cross-border data transfer. Dellrud, recommended that financial data should not be classified as personal data for the following reasons:
- The term is very broad: Dellrud explained that the term financial data is very broad and the entire transaction string can be considered financial data according to the definition in the Bill.
- We already have RBI: Furthermore, Dellrud argued that the RBI has already prescribed guardrails to regulate financial data and protect consumer information including data localisation norms, and such sectoral regulators must continue to govern these areas rather than the Data Protection Bill.
- Affects customer journey: By bringing financial data under the ambit of the Bill, the customer journey will be affected because of the explicit need for consent at every point even if there is another legitimate legal basis to process the data.
Recommendation: Not all financial data should be classified as sensitive personal data and data already regulated by sectoral regulators like RBI should not be covered by the Data Protection Bill, Dellrud recommended.
What changes do you want in the Data Protection Bill from a company’s perspective. Do leave a comment.
NITI Aayog should address regulations around algorithmic transparency
Broadly worded clause around algorithms does not help: Under clause 23, which prescribes the steps that companies have to take in maintaining transparency in the processing of personal data, the latest version of the Bill adds that companies have to be transparent about the fairness of algorithm used for processing of personal data. Ganesh criticised the provision for being “super broadly worded” and having no clarity on how it should be interpreted. Dellrud also commented on similar lines and asked if a mere description of the algorithm will even help users.
“Algorithmic accountability and transparency is a good thing absolutely. It is an important conversation, but then this particular provision does a sort of quick fix job.” – Uthara Ganesh
“That provision is sort of like passing a data protection law with one line that says you must protect data. Just saying that your algorithm must be fair doesn’t really do anything for anyone. It’s very hard to determine what a fair algorithm is and the standards around it.” – Udbhav Tewari
Recommendation: The algorithmic transparent requirement should be more clearly defined and require companies to explain how an algorithm works and how it impacts a user, Dellrud suggested.
NITI Aayog has done a better job on this matter: Ganesh explained that the NITI Aayog has come up with a document on the ethical use of AI after having multiple stakeholder discussions and considering various nuances this subject brings, whereas, the Data Protection Bill merely includes a one-line provision, which does not encompass the complexity of the subject.
“I guess our general thoughts on algorithmic transparency is that there needs to be sort of this balance between regulating for AI deployment, and allowing people to enjoy its benefits and sort of trying to regulate for risks. So there is that balance that needs to be struck. […] Just Section 23 as sort of parachuting into the JPC portion of the bill is not doing justice to something as complex as this.” – Uthara Ganesh
Recommendation: Ganesh called for the deletion of the provision in its entirety and letting NITI Aayog come up with recommendations around algorithmic transparency because of the extensive work that the organisation has already done on this front.
India is not ready to regulate non-personal data
We are not ready for dealing with non-personal data: The latest version of the Bill brings non-personal data under the ambit of the Data Protection Act and the Data Protection Authority, Dellrud recommended against this and said that it should be addressed separately at a later stage because:
- Privacy laws in India are in their infancy: While in Europe privacy laws have been there for a while now, in India we do not have any proper privacy law, and incorporating non-personal data now is too early, Dellrud said.
- Unclear what provisions apply to NPD: Furthermore, it is currently unclear what provisions of the Bill apply to non-personal data, there is no clear demarcation, Dellrud explained. It is better to have some kind of sandbox to figure this out, Dellrud added.
“We have the IT Act but there’s not a proper privacy law. And then when going from, I shouldn’t say zero, but maybe 2 to 200, immediately by also putting non-personal data, I think that is a problem.”– Ulrika Dellrud
Recommendation: Non-personal data (NPD) should not be addressed by the Data Protection Bill and should be considered separately at a later stage, Dellrud recommended. But if NPD is incorporated, the Bill has to be more clear about what provisions apply to non-personal data.
Data transfer between businesses should be made easy
Restricting data transfers between businesses is onerous and unnecessarily: One of the provisions under clause 8, which deals with quality of data, states that “a data fiduciary may share, transfer or transmit the personal data to any person as part of any business transaction in such manner as may be prescribed.” Chaudhari argued that this provision is onerous and unnecessary because there are several different scenarios in which a business might want to transfer data to another business as part of a routine transaction.
“I honestly don’t really understand what the point of adding this here is. So basically, in a routine business transaction, if I’m a startup, there are several different scenarios in which I may want to transfer data to a different party so am I now going to have to wait for rules or regulations to come through that tell me what are the situations in which I should be transferring data or not be transferring data. And if you read the accompanying text that the committee report has come out, it seems to be like a fairly sort of suspicious view of business.” – Nehaa Chaudhari
Recommendation: Provision restricting data transfers as part of business transactions should be removed, Chaudhari suggested.
What is a concurrent audit and why is it recommended?
Need for concurrent audit not clearly explained: The Bill includes a provision under clause 29 which states that the DPA will specify the form and procedure for conducting audits for significant data fiduciaries and will encourage the practice of appropriate concurrent audit. Concurrent audits are a practice common in the financial sector and unlike audits that take periodically such as at the end of a financial year, concurrent audits happen all the time, Tewari explained. However, the Bill merely has a one-line explanation and the JPC report does not explain why such audits are needed.
“You would have entities like banks subject to concurrent audits because the intent is to make sure that you’re catching something not working quite according to plan at the earliest possible level. You can’t wait until the end of every quarter or the end of every financial year or half year because the risk is just that high. So I think that that’s the parallel that the committee is thinking of here as well, when it comes to significant data fiduciaries, who occupy a certain kind of special place by virtue of whatever, volume of data, sensitivity of data, the uses that you’re putting this data to, etc. So I imagine, that’s the thinking, but again, we don’t really know because there is a one line explanation in the report.” – Uthara Ganesh
Recommendation: Provide more context on why a concurrent audit is encouraged and in what contexts does it apply, Dellrud suggested.
- A Complete Guide To The Data Protection Bill, 2021
- Data Protection Bill 2021: What Are The Obligations Of Data Fiduciaries?
- Data Protection Bill 2021: Key Takeaways From The JPC Report Tabled In Parliament
- Data Protection Bill 2021: How The JPC Wants To Deal With Non-Personal Data