Adv. Sidhant Kumar has written an
article titled “don’t stifle
our digital economy with overbearing regulations”, which was published
in Live Mint. The article is about Personal Data Protection Bill 2019 and if
passed what would be its effect on Indian Digital Economy.
The author believes that our
leading digital economy received resounding validation through
Facebook’s $5.7 billion investment in Jio Platforms. This according to me may
not be entirely appropriate view. It could be at the most seen as marriage of
convenience or compulsion. The debt trap in which Reliance Industries is
passing through after huge investments in Jio and sharp fall in oil prices
world over is well-known and its deal with Saudi company Armaco has already ran
into trouble. On the other side Facebook wants to have some influential partner
in India which will influence Indian government policies and more particularly
on crypto currency and digital money by companies not having their offices in
India. So this deal should not be treated as validation of India as investment
destination by companies based in US.
The author also has raised five major objections in proposed
PDPB 2019, which are baseless and without application of legal mind and needs
to be countered. So let’s go by the objections raised by learned author.
Firstly the author feels that pivot of the framework appears
to be a domineering mandate to be given to a data regulator, structurally
geared to intervene rather than facilitate.
The functions and duties
of Data regulator as per proposed bill are 1) It shall be the duty of the
Authority to protect the interests of data principals, prevent any misuse of
personal data, ensure compliance with the provisions of this Act, and promote
awareness about data protection. 2) monitoring and enforcing application of the
provisions of this Act; 3) taking prompt and appropriate action in response to
personal data breach in accordance with the provisions of this Act; 4) maintaining
a database on its website containing names of significant data fiduciaries
along with a rating in the form of a data trust score indicating compliance with
the obligations of this Act by such fiduciaries; 5) examination of any data
audit reports and taking any action pursuant thereto; 6) monitoring cross-border transfer of personal
data etc.
These duties and functions are mostly
regulatory and appellate authority is prescribed if any arbitrariness is observed
by the authority or anyone is aggrieved by the order of regulator’s mechanism. So
it’s totally wrong to state that mandate of only intervening is wasted in hands
of regulator. Rather prompting awareness programs and ensuring compliance from
various fiduciaries shows its responsibilities as facilitator.
Second, the Bill has
broad-based restrictions on the transfer of data overseas from India, which
could hive our market off from the global digital economy.
This is totally misconceived and
misleading statement since the bill at section 33 makes it clear that subject
to the conditions in sub-section (1) of section 34, the sensitive
personal data may be transferred outside India, but such sensitive personal
data shall continue to be stored in India. Section 34 (1) says the sensitive personal data may only be transferred outside
India for the purpose of processing, when explicit consent is given by the data
principal for such transfer, and where—
(a) The transfer is made
pursuant to a contract or intra-group scheme approved by the Authority and (b)
the Central Government, after consultation with the Authority, has allowed the
transfer to a country or, such entity or class of entity in a country or, an
international organisation. This makes it amply clear that permissions can be
sought for transfer of data overseas in exceptional circumstances’. So this itself explains the concerns of the
author are false and if he is advocating that data be transferred cross border
without any government restrictions then I think he should show any example across
the world where any country has allowed free flow of data trans-border without
any restrictions.
Third objection of the author regarding the Bill seeking to protect privacy by way of
what looks like a regulatory sledgehammer that imposes extensive compliance
requirements with little aid to data protection needs explanation from author
himself. If he thinks some provisions of Data protection are arbitrary or
impractical he should point out those specific provisions rather than painting entire
provisions alike. When stakes involved are high the degree of care and
protection needs to be the utmost and same principle seems to be followed in
framing the law. Data Protection is core and the worldwide examples of social
media giants flaunting these norms are in open domain. The level of security
needs to be balanced taking into considerations millions of digital illiterates
exposed to digitalisation and author seems to be concerned about these digital
sharks which are ever eager to latch on
the private sensitive personal data on the users.
Fourth objection is that the Bill sets forth an inflexible
framework that is bereft of any formal consultative rule-making process, which
is likely to stifle innovation in the sector. The author seems to be unaware
about how much deliberations and discussions and public debates took place
prior to introduction of this bill and shows his lack of knowledge. He is more
concerned about what will happen to innovations in this sector as they all will
be regulated in some or the other law in future. Lawlessness has prevailed in
digital world for long and we are paying price for the same.
Lastly his objection is about substantial portions of the
Bill being out of sync with international data protection practices, which
could blunt India’s competitive advantage as a digital market. Again these are
hollow statements without any proof to back the same. The author seems to be
fond of most loved one keys known as Ctrl C and Ctrl V and used them to throw baseless
allegations without coming up with any concrete evidence.
Being an Advocate it was expected of him to put forward some
evidence/logic backing his allegations but he seems to have leveled the allegations
without making any preparations and with some ulterior and oblique motive. What
it is, presently not known to me, but at least after this rebuttal it is
expected from the author to come up with more studied document which will
enlighten illiterates like me, more about the topic.
Some counters to his
specific statements:
1) Each Facebook user in Asia (except China) generates only
$11 of advertising revenue a year. But who
is beneficiary of this revenue, the author has not explained. Does our
government get any tax on the same?
2) In its present form,
the Personal Data Protection Bill could result in the largest expansion of the
regulatory state in India since economic liberalization in 1991. The author has forgotten that The
Personal Data protection bill’s objective is to “ensure growth of the digital
economy while keeping personal data of citizens secure and protected.” It was
also mentioned in preface of Personal Data protection bill that the issue of
data protection is important both intrinsically and instrumentally.
Intrinsically, a regime for data protection is synonymous with protection of
informational privacy. As the Supreme Court observed in Puttaswamy’s, “Informational
privacy is a facet of the right to privacy. The dangers to privacy in an age of
information can originate not only from the state but from non-state actors as
well. We commend to the Union Government the need to examine and put into place
a robust regime for data protection. The creation of such a regime requires a
careful and sensitive balance between individual interests and legitimate
concerns of the state.”
Instrumentally, a firm legal framework
for data protection is the foundation on which data driven innovation and
entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship
is essential if India is to lead its citizens and the world into a digital
future committed to empowerment, experiment and equal access, observed by Apex
court in India and thereafter Justice Shrikrishna committee was formed and
which recommended the draft Personal Data Protection Bill after due
deliberations and consultations with the experts.
3) He criticizes the creation of a Data Protection Authority with the power to impose
penalties to the tune of 4% of a company’s global turnover but forgot that Competition Commission of India has also imposed in
Feb 2018 a penalty
amounting to 5% of the average revenue generated from India over the three
years to FY15, an amount of 135.85 crore and a maximum penalty of 10% can be
imposed under the Act.
4) The author criticizes that the Bill
contains substantial restrictions on the transfer of sensitive personal data
(including financial and health data) outside India and authority’s prior
approval would be needed for any such transfer. Has the author gone through provisions of Personal Data protection
and more specific to Health data prevailing across globe and more particularly
in US? The US healthcare act HIPPA and HITECH mandates even non US companies to
be HIPPA compliant if they are handling any health data related to citizen of
US.
5) According
to the author, Bill also requires large players to have data protection
officers physically located within India. These proposals could have an adverse
impact on our digital economy, the basic characteristic of which is
connectivity beyond barriers. When
Indian companies handling any data related to health parameters of US
citizen, they have to be compliant with US laws but when Indian law mandates
Data Protection Officer to be located in India the author dislikes the same.
The present provision does not say he should be Indian Citizen and the physical
presence of Data Protection officer in India will rather ease the burden on
many foreign companies as DPO will be in better position to understand the
situation on ground while performing his duties. This in turn will create more
job opportunities to Indian people and will have positive impact on Indian
economy.
6) The outside world is
likely to see these measures as less about protection and more about
protectionism. It needs to be
mentioned that most of the provisions of PDPB 2019 are inspired or influenced
by GDPR which is already operative in European Union and GDPR is never seen as
protectionism of data of European citizen etc. And when our Apex Court has been
vocal that Right to Privacy is integral part of our Fundamental Rights and
there can be always reasonable restrictions (as contended by author) on
exercise of Fundamental Rights in exceptional circumstances.
7) The Bill contains extensive compliance requirements, including the
conduct of audits and impact assessments to be filed with the Authority. It would have been better if the author
has been kind enough to make few suggestions to make compliance requirement
simpler. The normal accounting audits by tax authorities were also seen as
stringent initially. The personal data in today’s world of digitalisation is
equivalent to free and fresh air required for one’s physical survival. It’s
fundamental responsibility of state to see that all its citizen get free and
unpolluted air for which there are many environment friendly regulations
related to Pollution, Plastic usage etc. passed by parliament. Similarly the Personal
Data being part of fundamental rights, its protection becomes responsibility of
our government and if stringent provisions are needed to safeguard interest of
Indian Citizen, the parliament has every right to do so.8) The author has shamelessly conceded that the fulcrum of the Reliance-Facebook deal would be the transformation of WhatsApp, a messaging platform, into a one-stop platform for a large number of everyday transactions. Facebook’s bet on India underscores India’s enormous potential as a market. But author has not taken any pain to study what is revenue model of Facebook or Whatsapp? How the only messaging platform, Whatsapp, without any commercial or revenue generating model could survive this long? It has been proved time and again that most social media companies trade in data and make enormous amount of money by such trade alone and still there are few who want that trade should remain unregulated forever. The PDPB only intends to have some safeguards in place where the privacy or confidentiality of the information should be maintained by social media companies or for that matter all data fiduciaries.
The author should have used his
knowledge to point out the specific lacunas, if any, in the PDPB2019. Lot of
time is already wasted in passage of this crucial act which is concerning Fundamental
Right of, practically every citizen of this country.
I hope that to my best abilities I
have tried to advocate need for passage of Personal Data Protection Bill 2019
at the earliest. The amendments are always possible once the law is implemented
and enforced and tested on various fronts.
Advocate Dr. Mahendra Limaye
About the author- Advocate Dr
Mahendra Limaye is Cyber Legal Consultant and Cyber Law practitioner in India.
He specifically practises in Information Technology Act based litigation's
before Civil as well as Criminal Courts in India. He has obtained his doctorate
on topic Fundamental Rights and Cyberspace. He can be contacted on mahendralimaye@yahoo.com or + 919422109619.