Depending on who you speak to, the Personal Data Protection Bill, 2019, draws out extreme responses. Justice B.N. Srikrishna, a former judge of the Supreme Court of India, dubbed the latest version of the Bill, cleared by the Cabinet, "dangerous" and one that could turn the country into an "Orwellian state". In the Bill, the central government gets powers to access personal data in the interest of integrity, sovereignty, security, and public order among others.
At the other end is Omkar Rai, Director General of Software Technology Parks of India (STPI). He tweeted: "The clearance of #PDPB by the Union Cabinet is a historic step towards striking a balance between the sprinting digital revolution and exigency of personal #dataprotection while strengthening India's position on citizens' #datasecurity".
There are many stakeholders in data protection - citizens, who are the data providers to private and public companies as well as the government; data processors, or organisations that use the data for business or other purposes; and the government, which is interested in law enforcement and possibly a bargaining chip in dealing with large multinationals, particularly the social media companies who are difficult to tame.
The legislation, therefore, is complicated, and evolving. The Bill has now been referred to a Joint Committee of the Houses (JPC), which could recommend tweaks, and more clarity. The Bill's principles, however, wouldn't change.
Indians didn't care much about data privacy - it has largely been a Western construct. This is now changing. Data localisation is a reality both multinationals and Indian companies have to brace for even though what data needs to be processed and stored in India can be fine-tuned. The government and the private sector, particularly business-to-consumer companies, have to start investing in people, processes and technology that protect privacy and monitor compliance while identifying defaulters. Compliance has a cost. Storage and processing, setting up processes, capacity building needs money and time but also opens up business opportunity.
The Bill, in short, has good parts, some red flags, and a promise that it could generate business and jobs. Overall, this is also a notice, to get ready.
The Good
Member of Parliament Rajeev Chandrasekhar, a techie and a tech investor in his previous avatars, knows the importance and the far reaching implications technology policies can have. "In telecom, we had legislations and policies that were only pro-business. It had no protection or rights for consumers," he says. Users suffered for two decades because of poor quality of service and call drops. The Personal Data Protection Bill, he holds, must therefore work for every stakeholder. "Since the Supreme Court has already ruled that privacy is a fundamental right, consumers are coming into this conversation with that right. They would like a legislation that respects privacy and gives the reasonable restrictions the government wants." Chandrasekhar is part of the JPC that will hold consultations with every stakeholder over the next three-four months.
The Bill could be the defining legislation for the future of Digital India, he says. "The Digital economy by 2024 is going to be more than $1 trillion in size; it is going to be a big part of the $5 trillion roadmap. Therefore, anything that we do must only enable, expand and enhance investments as well as innovation," he adds.
The biggest thing going for consumers in this Bill is that consent is necessary for processing of personal data. Mukul Shrivastava, Partner, Forensic and Integrity Services at EY India, says that the days of companies getting users to click on 'I Agree' after pages of terms and conditions may well be over. "A subset of this is that if someone doesn't agree, you cannot deny her or him the service. This will have a major impact on all organisations," he says.
Tele sales may be affected. As most companies outsource this function, there could be more monitoring of how they get one's personally identifiable information, Shrivastava says. Yet another scenario, he underlines, is call centres recording calls for quality monitoring and training purposes. "Often, during the call, you need to give out e-mail addresses, telephone numbers and addresses, which are being recorded. That is a huge risk. It is personal information. The concept of specific approvals will have far reaching implications," he adds.
The current Bill also guides how data of minors must be processed. The Bill states that the "data fiduciary (organisations that process data) shall, before processing of any personal data of a child, verify his age and obtain the consent of his parent or guardian, in such manner as may be specified by regulations".
"Many global Acts have been silent around the data of minors but this Bill addresses how it should be handled. It has to go through the same yardstick of scrutiny and privacy. This encompasses a fairly large set of organisations, from schools and creches to even companies giving out scholarships," Shrivastava adds.
Red Flags
Most critics have trained their guns on clause 35, which deals with the power of the central government to exempt any of its agencies from application of the Act.
Kazim Rizvi, Founding Director of think-tank The Dialogue, says under the Bill, the government has excessive powers to access data. "In the absence of a surveillance law, it provides the government with unfettered access to any personal data. In the absence of checks and balances, judicial safeguards and parliamentary oversight, this is tantamount to blatant violation of the right to privacy as guaranteed by the Constitution," he says.
Rizvi also points out that exceptions to consent are loose and vague. "Additionally, Clause 13 and 14 allow for the processing of personal data without consent for functions of state, or for compliance with any law. The government can easily ask for personal data in lieu of 'functions' of the state and there is no recourse for citizens in case their data is accessed and processed wrongfully," he adds.
Rama Vedashree, CEO, Data Security Council of India, a data protection body set up by Nasscom, underlines what she says is inaccurate categorisation of data. The Bill defines what constitutes sensitive personal data and there is a small deletion from the 2018 draft, where sensitive personal data constituted passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation. The 2019 Bill omits passwords in the sensitive category but includes financial data. Vedashree says financial data should not be considered sensitive.
"Look at any data protection regime in the world - there is hardly anyone who categorises financial data as sensitive personal data. Financial data requires a lot of confidentiality and security practices. But it is not like personal mental health record. We don't agree on this categorisation. The moment it is sensitive, there might be an extra burden around localisation. Cross-border data flows are very important," she says.
There is also ambiguity around what would constitutes a second categorisation - critical personal data. The 2019 Bill says that it "means such personal data as may be notified by the Central Government to be critical personal data". "Any data, at any point in time, can be declared as 'critical'. These are provisions that do create uncertainty for businesses. Large Indian enterprises or even global enterprises expect some levels of certainty," Vedashree says. She adds that a lot of investment would be required. Not just data processing companies, even the government will need a huge budget, to create awareness as well as build capacity.
The government has to establish the Data Protection Authority of India to protect the interests of citizens, monitor companies processing data, as well as prevent misuse of personal data. This will be expensive because every company that processes data, has to prepare a 'Privacy by Design' policy and submit it to the Authority for certification within a specified period. The policy is expected to substantiate the organisational, business practices and technical systems a company has designed to anticipate, identify and avoid harm to the person whose data is being processed.
"Every data fiduciary getting their Privacy by Design policy certified is a pain; the Data Protection Authority will get inundated. You may need cells all over India. There may be state level enforcement mechanisms. The Authority would need mammoth staff. So compliance comes with a cost," says Sajai Singh, Partner at J Sagar Associates, Advocates & Solicitors.
The Bill lays out a number of responsibilities the Authority must discharge, including monitoring cross-border transfer of personal data, monitoring tech developments and commercial practices that may affect protection of personal data, and receiving and inquiring into complaints. It would also maintain a database of significant data fiduciaries along with a rating in the form of a data trust score indicating compliance.
The investments spell good news for many businesses.
The Opportunity
In 2007, India's datacentre footprint was 1.7-1.9 million sq. ft. By 2010, the real estate footprint grew to 2.8 million sq. ft and by 2018, to 10.9 million sq. ft. "Now, the market could grow to 30 million square feet by 2025," projects B.S. Rao, Vice President-Marketing, CtrlS Datacenters.
While there are many sides to the debate around data localisation, data centre operators aren't complaining. Large Indian conglomerates have sniffed an opportunity. In October, the Adani Group, for instance, announced a partnership with San Francisco-based Digital Realty, a provider of data centre solutions. The two companies will evaluate developing and operating data centres and data centre parks in India.
"Data centres form the backbone of India's ever expanding digital economy. India's draft Data Localisation Bill potentially mandates storage and compute of Indian data, locally, to be hosted within the country. We anticipate that India's third party co-location data centre capacity will expand from the current 350 MW (mega watt) to over 781 MW of designed IT power load by 2024. This would also open a greenfield investment opportunity of over $4.1 billion in the medium term," says Rachit Mohan, Head of JLL's Data Centre Advisory Practice. Key to operations of a data center is power, so capacity is measured in MW. IT power load is the energy that only the data centre consumes.
According to a JLL report, regulatory incentives for the data centre industry are already being rolled out. "Considering the potential... several states like Maharashtra, Gujarat and Telangana have provided special incentives to attract industry players. Maharashtra has announced an integrated data centre policy. Telangana, which has attracted top global technology companies, has also provided incentives by supporting infrastructure facilities and other benefits," the report states.
The Bill would drive investments into other tech areas as well. According to LoginRadius, a cloud-based customer identity management firm, companies would now need to proactively implement electronic firewall and other measures involving virus scans, security patches, vulnerability testing, recovery planning, security audits, and other steps designed to improve personal and sensitive data protection procedures.
Consulting and forensic investigation companies stand to gain as well. Till such time the government and the private sector build up capacity, much of the audit work and monitoring may be outsourced to them.
So what is the way ahead? One hopes the JPC will recommend clear time lines on implementation of the Bill - one of the Parliamentarians BT spoke to said there would be sufficient time for the stakeholders to prepare. "The Bill will provide enough time for companies to comply with the regulations made. It will not come into effect from tomorrow midnight. This is going to be a reasonable exercise balancing all interests," BJP Parliamentarian from Karnataka Tejasvi Surya, also part of the JPC, says.
Given the high pitched debates around the Bill, that is a reassuring statement.
@Goutam20