Economics Prelims cum Mains

U.S. tech giants plan to fight India’s data localisation plans

The News

  • U.S. technology giants plan to intensify lobbying efforts against India’s stringent data localisation requirements.

 

Background

  • Amid rising data theft, breaches, and leaks in India, the Supreme Court had directed the Indian government to formulate a Data Protection Bill to ensure and strengthen people’s rights over personal data and the right to privacy.
  • Accordingly, the Justice BN Srikrishna Committee was formed in July 2017 to deliberate on a data protection framework for the country.
  • The Justice BN Srikrishna Committee report on the draft Personal Data Protection Bill 2018 was finally submitted to the minister of law and justice on July 27, 2018.
  • The Bill will have far-reaching implications on data handling and processing practices employed by both Indian and foreign companies and government departments.
  • The Bill has evoked mixed reactions, with most veering towards dissent, including from some expert committee members.

 

Provisions of the draft Personal Data Protection Bill 2018:

  • The Bill strengthens the UIDAI’s powers when it comes to Aadhaar-related legal action by maintaining that only the UIDAI can approach courts in case of any Aadhaar disputes.
  • The Draft Data Protection Bill also proposes the removal of Section 8(1)(j) of the RTI Act, which accounts for the right to privacy.
  • The jurisdiction of the Bill under Section 2 is vast, including both territorial and extraterritorial provisions.
  • In horizontal application, the Bill applies to both governmental and private actors, as well as any data processing within India, and to any processing by the State, Indian companies or Indian citizens.
  • After RBI requirements for payment companies to store data in India, data localisation rules to be imposed under Section 40 emphasise that one copy of all personal data to which the law applies is to be kept on a server within India.
  • Further, certain categories of data, which are to be specified by the government as critical personal data are to be stored in India alone.
  • At the same time, requirements for cross-border transfer of data are also imposed.
  • The Bill introduces new definitions of “personal data” and “sensitive personal data”:
    • Personal data refers to any data of a natural person which allows direct or indirect identifiability.
    • Sensitive personal data includes financial data, biometric data, positive additions such as religious and political beliefs, caste, intersex/transgender status, and official government identifiers like PAN etc.
  • A broad list of exemptions has been included and is applicable on legal proceedings, research, domestic purposes, journalistic purposes, and manual processing.
  • Another ground has been created for data processing on other reasonable purposes under Section 17. Under this, the Data Protection Authority of India (DPA), which is to be established under the Bill, will specify the purposes, including a broad and vague range of activities such as whistle blowing, preventing unlawful activities, debt recovery, and processing of publicly available data.
  • On a positive note, Chapter VI provides some basic rights to data principals including the right to access and correction, the right to data portability, and right to be forgotten.
  • Section 32 requires data breach notifications to be made to the DPA only if the breach is likely to cause ‘harm’ to the data principal.
  • The Bill prescribes steep penalties including penalties higher than INR 5 Cr or 2% of annual global turnover (of the company in question) for violations like failing to conduct a DPA.
  • A penalty of higher than INR 15 Cr or 4% of the annual global turnover of the company in question is prescribed for violations such as processing of personal data in contravention of the Bill.
  • Complaints can be filed by an aggrieved data principal to adjudicating officers appointed under the Bill. Appeals from their orders will go to an Appellate Tribunal and thereafter to the Supreme Court.
  • The Bill also prescribes a list of non-bailable and cognizable criminal offences.
  • This includes a maximum fine of INR 2 Lakh or imprisonment of three years for obtaining, transferring, or selling personal data in violation of the law.
  • If the data is sensitive personal data (SPD), then this goes up to 5 years or INR 3 Lakh. Similar provisions apply to re-identification of data.

 

Highlights of the report of Justice BN Srikrishna committee:

  • From recommendations to make the Unique Identification Authority of India (UIDAI) the constitutional authority for the Aadhaar Act to defining a fiduciary relationship between the data ‘principal’ (the natural person whose data is being collected) and data fiduciary, a lot has to be examined by the committee.
  • The report focuses on what kind of data has to be mandatorily stored in India, identifies the circumstances for data localisation, and also identifies other instances where data can be stored with mirroring provisions.
  • This report was only the first step, and as technology changes, it may become necessary to fine-tune the law.
  • Some of the shortcomings in the Bill highlighted by the committee members are as follows:
  1. The first voices of dissent against the Personal Data Protection Bill 2018 came from some of the Justice Srikrishna Committee members themselves.
  2. One of the Srikrishna Committee members called the Data Protection Bill regressive.
  3. The data localisation requirement in the Bill is regressive and against the “fundamental tenets of the liberal economy”.
  4. Portraying localisation as a tool for developing the domestic market is “fuelled by unfounded apprehensions and assumptions”.
  5. The localisation could be a trade barrier in key markets.
  6. The requirement that every data fiduciary should store one live, serving copy of personal data in India is against the basic philosophy of the Internet and imposes additional costs on data fiduciaries without a proportional benefit in advancing the cause of data protection.
  7. They disagreed with the classification of passwords and financial data as sensitive personal data.
  8. On the inclusion of criminal offences for data breaches in the Bill, Vedashree said she believes it is draconian. “The steep civil penalties and fines are sufficient as a deterrent.”
  9. The committee has highlighted consent as the primary ground for processing.
  10. The consent, which is required to be free, informed, specific, clear and capable of being withdrawn, is necessary for the performance of a contract.
  11. If the data principal has to withdraw consent, all legal consequences will be theirs.
  12. The Bill does not provide a right to erasure and also rights against automated decision making and profiling are not provided.
  13. Leaving the discretion to the data fiduciary to judge if the data breach causes harm to the data principal is a concern.

 

The issue now

  • U.S. technology giants say that the provisions of the bill will undermine their growth ambitions in India.
  • The foreign firms fear the norms may raise costs and increase scrutiny; the industry is ramping up lobbying efforts, and an India-U.S. row is possible.
  • Technology firms worry the mandate would hurt their planned investments by raising costs related to setting up new local data centres.
  • U.S. trade groups, representing companies such as Amazon, American Express and Microsoft, have opposed India’s push to store data locally.
  • The issue could further undermine already strained economic relations between India and the United States.
  • Technology executives and trade groups have discussed approaching Prime Minister Narendra Modi’s office to apprise him of their worries.
  • Separately, the industry is considering pitching the issue as a trade concern, including at the India-U.S. talks in September in New Delhi.

 

Conclusion

  • The European Union (EU) and the UK have already introduced one of the toughest data protection laws in the world, the General Data Protection Regulation (GDPR), which is applicable to companies across the world processing data belonging to EU residents.
  • Indians, meanwhile, were looking forward to a similar, strict Data Protection Bill that would address the security flaws of the present Aadhaar and other systems and enable close monitoring of data usage and breaches by the Indian government, companies, and individuals, along with protection of personal data.
  • Even as dissent against the bill is flowing thick and strong on social media and other platforms since its release in the public domain, there are several opinions supporting it as well.
  • Many experts believe that privacy and security are at the heart of the Data Protection Bill.
  • The Justice Srikrishna Committee report on data protection and the draft Personal Data Protection Bill 2018 are a step closer towards ensuring a legal framework for consumers and data protection. This is a big boost to digital India.
  • The bill has received support from the industry as well.
  • In today’s day and age, where cyber attacks happen regularly and data gets stolen or leaked out, an entity that has your data would be required to inform you of a data breach if your data is among the affected cases and the breach is likely to cause harm to you.
  • This is a big step forward from the current situation where no entity in India is obliged to inform you if your data has been compromised.
  • The Indian data protection law should become a model globally, blending security, privacy, safety and innovation.
