Adv Dr. Mahendra Limaye’s reply on “don’t stifle our digital economy with overbearing regulations” published in LiveMint.

Adv. Sidhant Kumar has written an article titled “don’t stifle our digital economy with overbearing regulations”, which was published in Live Mint. The article is about Personal Data Protection Bill 2019 and if passed what would be its effect on Indian Digital Economy.

The author believes that our leading digital economy received resounding validation through Facebook’s $5.7 billion investment in Jio Platforms. This according to me may not be entirely appropriate view. It could be at the most seen as marriage of convenience or compulsion. The debt trap in which Reliance Industries is passing through after huge investments in Jio and sharp fall in oil prices world over is well-known and its deal with Saudi company Armaco has already ran into trouble. On the other side Facebook wants to have some influential partner in India which will influence Indian government policies and more particularly on crypto currency and digital money by companies not having their offices in India. So this deal should not be treated as validation of India as investment destination by companies based in US.

The author also has raised five major objections in proposed PDPB 2019, which are baseless and without application of legal mind and needs to be countered. So let’s go by the objections raised by learned author.

Firstly the author feels that pivot of the framework appears to be a domineering mandate to be given to a data regulator, structurally geared to intervene rather than facilitate.

The functions and duties of Data regulator as per proposed bill are 1) It shall be the duty of the Authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection. 2) monitoring and enforcing application of the provisions of this Act; 3) taking prompt and appropriate action in response to personal data breach in accordance with the provisions of this Act; 4) maintaining a database on its website containing names of significant data fiduciaries along with a rating in the form of a data trust score indicating compliance with the obligations of this Act by such fiduciaries; 5) examination of any data audit reports and taking any action pursuant thereto; 6)  monitoring cross-border transfer of personal data etc.

These duties and functions are mostly regulatory and appellate authority is prescribed if any arbitrariness is observed by the authority or anyone is aggrieved by the order of regulator’s mechanism. So it’s totally wrong to state that mandate of only intervening is wasted in hands of regulator. Rather prompting awareness programs and ensuring compliance from various fiduciaries shows its responsibilities as facilitator.

 Second, the Bill has broad-based restrictions on the transfer of data overseas from India, which could hive our market off from the global digital economy.

This is totally misconceived and misleading statement since the bill at section 33 makes it clear that subject to the conditions in sub-section (1) of section 34, the sensitive personal data may be transferred outside India, but such sensitive personal data shall continue to be stored in India.  Section 34 (1) says the sensitive personal data may only be transferred outside India for the purpose of processing, when explicit consent is given by the data principal for such transfer, and where—

(a) The transfer is made pursuant to a contract or intra-group scheme approved by the Authority and (b) the Central Government, after consultation with the Authority, has allowed the transfer to a country or, such entity or class of entity in a country or, an international organisation. This makes it amply clear that permissions can be sought for transfer of data overseas in exceptional circumstances’.  So this itself explains the concerns of the author are false and if he is advocating that data be transferred cross border without any government restrictions then I think he should show any example across the world where any country has allowed free flow of data trans-border without any restrictions.

Third objection of the author regarding  the Bill seeking to protect privacy by way of what looks like a regulatory sledgehammer that imposes extensive compliance requirements with little aid to data protection needs explanation from author himself. If he thinks some provisions of Data protection are arbitrary or impractical he should point out those specific provisions rather than painting entire provisions alike. When stakes involved are high the degree of care and protection needs to be the utmost and same principle seems to be followed in framing the law. Data Protection is core and the worldwide examples of social media giants flaunting these norms are in open domain. The level of security needs to be balanced taking into considerations millions of digital illiterates exposed to digitalisation and author seems to be concerned about these digital sharks which are ever eager  to latch on the private sensitive personal data on the users.

Fourth objection is that the Bill sets forth an inflexible framework that is bereft of any formal consultative rule-making process, which is likely to stifle innovation in the sector. The author seems to be unaware about how much deliberations and discussions and public debates took place prior to introduction of this bill and shows his lack of knowledge. He is more concerned about what will happen to innovations in this sector as they all will be regulated in some or the other law in future. Lawlessness has prevailed in digital world for long and we are paying price for the same.

Lastly his objection is about substantial portions of the Bill being out of sync with international data protection practices, which could blunt India’s competitive advantage as a digital market. Again these are hollow statements without any proof to back the same. The author seems to be fond of most loved one keys known as Ctrl C and Ctrl V and used them to throw baseless allegations without coming up with any concrete evidence.

Being an Advocate it was expected of him to put forward some evidence/logic backing his allegations but he seems to have leveled the allegations without making any preparations and with some ulterior and oblique motive. What it is, presently not known to me, but at least after this rebuttal it is expected from the author to come up with more studied document which will enlighten illiterates like me, more about the topic.

Some counters to his specific statements:

1) Each Facebook user in Asia (except China) generates only $11 of advertising revenue a year. But who is beneficiary of this revenue, the author has not explained. Does our government get any tax on the same?

2) In its present form, the Personal Data Protection Bill could result in the largest expansion of the regulatory state in India since economic liberalization in 1991. The author has forgotten that The Personal Data protection bill’s objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” It was also mentioned in preface of Personal Data protection bill that the issue of data protection is important both intrinsically and instrumentally. Intrinsically, a regime for data protection is synonymous with protection of informational privacy. As the Supreme Court observed in Puttaswamy’s, “Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.”

Instrumentally, a firm legal framework for data protection is the foundation on which data driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential if India is to lead its citizens and the world into a digital future committed to empowerment, experiment and equal access, observed by Apex court in India and thereafter Justice Shrikrishna committee was formed and which recommended the draft Personal Data Protection Bill after due deliberations and consultations with the experts.

3) He criticizes the creation of a Data Protection Authority with the power to impose penalties to the tune of 4% of a company’s global turnover but forgot that Competition Commission of India has also imposed in Feb 2018 a penalty amounting to 5% of the average revenue generated from India over the three years to FY15, an amount of 135.85 crore and a maximum penalty of 10% can be imposed under the Act.

4) The author criticizes that the Bill contains substantial restrictions on the transfer of sensitive personal data (including financial and health data) outside India and authority’s prior approval would be needed for any such transfer. Has the author gone through provisions of Personal Data protection and more specific to Health data prevailing across globe and more particularly in US? The US healthcare act HIPPA and HITECH mandates even non US companies to be HIPPA compliant if they are handling any health data related to citizen of US.

5) According to the author, Bill also requires large players to have data protection officers physically located within India. These proposals could have an adverse impact on our digital economy, the basic characteristic of which is connectivity beyond barriers. When Indian companies handling any data related to health parameters of US citizen, they have to be compliant with US laws but when Indian law mandates Data Protection Officer to be located in India the author dislikes the same. The present provision does not say he should be Indian Citizen and the physical presence of Data Protection officer in India will rather ease the burden on many foreign companies as DPO will be in better position to understand the situation on ground while performing his duties. This in turn will create more job opportunities to Indian people and will have positive impact on Indian economy.

6) The outside world is likely to see these measures as less about protection and more about protectionism. It needs to be mentioned that most of the provisions of PDPB 2019 are inspired or influenced by GDPR which is already operative in European Union and GDPR is never seen as protectionism of data of European citizen etc. And when our Apex Court has been vocal that Right to Privacy is integral part of our Fundamental Rights and there can be always reasonable restrictions (as contended by author) on exercise of Fundamental Rights in exceptional circumstances.

7) The Bill contains extensive compliance requirements, including the conduct of audits and impact assessments to be filed with the Authority. It would have been better if the author has been kind enough to make few suggestions to make compliance requirement simpler. The normal accounting audits by tax authorities were also seen as stringent initially. The personal data in today’s world of digitalisation is equivalent to free and fresh air required for one’s physical survival. It’s fundamental responsibility of state to see that all its citizen get free and unpolluted air for which there are many environment friendly regulations related to Pollution, Plastic usage etc. passed by parliament. Similarly the Personal Data being part of fundamental rights, its protection becomes responsibility of our government and if stringent provisions are needed to safeguard interest of Indian Citizen, the parliament has every right to do so.
8) The author has shamelessly conceded that the fulcrum of the Reliance-Facebook deal would be the transformation of WhatsApp, a messaging platform, into a one-stop platform for a large number of everyday transactions. Facebook’s bet on India underscores India’s enormous potential as a market. But author has not taken any pain to study what is revenue model of Facebook or Whatsapp? How the only messaging platform, Whatsapp, without any commercial or revenue generating model could survive this long? It has been proved time and again that most social media companies trade in data and make enormous amount of money by such trade alone and still there are few who want that trade should remain unregulated forever. The PDPB only intends to have some safeguards in place where the privacy or confidentiality of the information should be maintained by social media companies or for that matter all data fiduciaries.

The author should have used his knowledge to point out the specific lacunas, if any, in the PDPB2019. Lot of time is already wasted in passage of this crucial act which is concerning Fundamental Right of, practically every citizen of this country.

I hope that to my best abilities I have tried to advocate need for passage of Personal Data Protection Bill 2019 at the earliest. The amendments are always possible once the law is implemented and enforced and tested on various fronts.

Advocate Dr. Mahendra Limaye

About the author- Advocate Dr Mahendra Limaye is Cyber Legal Consultant and Cyber Law practitioner in India. He specifically practises in Information Technology Act based litigation's before Civil as well as Criminal Courts in India. He has obtained his doctorate on topic Fundamental Rights and Cyberspace. He can be contacted on mahendralimaye@yahoo.com or + 919422109619.

Advocate Dr Mahendra Limaye’s take on Reliance Gio’s stake purchase by Facebook.

The much notable news in Indian corporate circle in this gloomy situation of COVID19 is of Facebook’s $5.7 billion investment in Reliance Jio. The Indian stock market celebrated it with much fanfare and Reliance’s shares closing was almost 10% higher than the previous day closing.

It reminds me of one of the unusual incident of 12 July 2019, wherein when US Federal Trade Commission imposed a fine of roughly $5 Billion on Facebook, the stock of Facebook zoomed rather than sinking. It is normal trend in stock market that when a company is penalised, its share price slides.

But wherever there is involvement of this world tech giant known as Facebook, the unimaginable happens. Otherwise who would have thought that penalty of $5 Billion could be news for celebration? Obviously the market was expecting a more stringent penalty including criminal action, which was not imposed on Facebook by FTC.

Now what’s logic of the comparison of these two stock market incidents with our present discussion?

Indian corporate are believing that this stake sale will impose confidence in foreign corporate investors to invest in India and Indian stock market will witness huge foreign investment in other Indian Companies. Many have came to the conclusion that now Indian companies are commanding respect from global investors and this is first step in that direction.

I do not endorse these perceptions of the people for the views expressed hereafter;

The Jio-Facebook deal is the largest investment for a minority stake by a technology company, Facebook, anywhere in the world and the largest FDI in the technology sector in India. A somewhat distant second is Softbank’s $2.5 billion investment in online retailer Flipkart. This also marks Facebook’s third direct investment in India, after it backed social commerce firm Meesho and online learning firm Unacademy in the past year, although in much smaller deal sizes of between $20-30 million. The fate of both these investments in Meesho and Unacademy is not known yet since these are very initial days of both the investments.

Why Facebook has decided to invest in Reliance Gio and what could be strategic angle behind its investments in India and particularly in Gio needs careful scrutiny.

1)      Few years ago, Facebook was eager to roll out free internet service in India. Facebook pretended to be doing social work by providing a low-bandwidth connectivity to maximum population of India residing in even distant locations and the most popularised philosophy of Marc Zuckerberg being “ CONNECTING THE PEOPLE”. But many people and fortunately the Indian government read the intentions correctly and the proposal never received the nod by government. The so-called Free Basics service never seen a light of the day and this incident has taught Marc Zuckerberg a lot many things and one of which could be he needs a strong Indian helping hand if he wants to implement his projects in India.

Many of us still remember that Facebook has called on Indian people and government to allow free flow of data across borders to discover its true value, urging against “hoarding” it.

“There are many in India and around the world who thinks of data as the new oil, and that, like oil, having a great reserve of it held within your national boundaries will lead to sure fire prosperity. But this analogy is mistaken,” were the words of Nick Clegg, Facebook’s global head for public policy, at one of the event in India. “Data isn’t oil — a finite  ... Commodity — to be owned and traded, pumped from the ground and burned in cars and factories. Of course, no analogy is perfect, but a better liquid to liken it to is water, with the global internet like a great borderless ocean of currents and tides,” Clegg added.

His views were in contrast to those of Reliance Industries chairman Mukesh Ambani, who has repeatedly described data as the new oil and it should not flow out of National boundaries. What will happen now? Whose thoughts have changed? If Mr Ambani is convinced that Data is not new oil and it could flow out of National boundaries then it is more dangerous situation because for saving his empire from debt trap he must have agreed to compromise with his previous nationalist views of need of Data Localisation. A close scrutiny is needed.

2) Zuckerberg is additionally looking at the Indian market for his crypto-currency project called Libra which is to be unveiled by Facebook soon, but will not be available in India, as current Indian regulations do not permit use of the banking network for block chain currency transactions. The social network’s digital wallet, Calibra, also won’t be available in Indian markets where “crypto currencies are banned. It is also in public domain that Reliance Jio is planning crypto currency 'JioCoin' and also invested heavily in the project. So both the companies’ motive is to enter crypto currency market and for which both the companies have already made huge preparations and this move could be a win-win situation. But as per my understanding the Indian government has not framed its policy on crypto currency yet. Recently Apex court has delivered a landmark judgement wherein it was evident that Indian governments stand on allowing crypto currency in India has always remained shaky and government has not firmly decided on the fate of same. Crypto currency is still a grey area. Could the strategic investment in Reliance Gio be one of the angles for this Facebook’s move to introduce crypto currency in India? Can they together be able to give finality to India’s response to crypto currency? RBI has made it amply clear that it is not in favour of allowing crypto currency in India. Will RBI’s views honoured?

3) Personal Data Protection Bill 2019 is before Indian Parliament and is in its final stage of becoming a law. Facebook till recently contended that “Data isn’t oil — a finite  ... commodity — to be owned and traded, pumped from the ground and burned in cars and factories. Of course, no analogy is perfect, but a better liquid to liken it to is water, with the global internet like a great borderless ocean of currents and tides”. This proposed Personal Data Protection (PDP) Bill will mandate companies collecting data of Indian citizens to store certain ‘critical’ data only within the country. Foreign companies and more particularly Internet giants like Facebook and Google have opposed the move thinking that it would hurt their planned investments by raising costs related to setting up new local data centres on Indian lands. The present move will give Facebook much needed access to Gio’s infrastructure in India and will help in minimising its future costs. Facebook always believed that the true value of data comes from allowing it to flow freely and encouraging the innovation that stems from it which without any doubt gives more profit to Facebook. The global internet is built on this principle of cross-border data flows just as global economy relies on capital, human resources and technological innovation to cross borders in order to flourish, is what Facebook believes in. Can this strategic investment be one such small step by Facebook in controlling Indian user’s data in much authorative and legalised manner? Will the Personal Data Protection Bill 2019 be ever reality now? As Facebook has openly opposed to PDPB, whether joining hands with Gio will give much needed boost to that opposition? If this happens then the one of the fundamental right i.e. Right to Privacy will be in danger and this aspect also needs to be debated.

4) Facebook’s this partnership with Gio, India’s largest telecom operator will also be a key to Zuckerberg’s proposed business plans, particularly in domains of virtual reality and Internet of Things. All these future plans need access to 5G which Jio has, reportedly, developed. With Reliance Gio’s customer base of approximately 400 million Indian users and Facebook’s customer base of about 350 million and whatsapp’s customer base of approximately 400 million users, there will be absolute control over Data of maximum Indian population by this Gio-Fb combination and this is most frightening situation. What challenges could be posed by the absolute control over Data and also on financial markets through potential entry of crypto currency before Indian Citizen as well as Indian Government needs to be studied.

The answers for the above 4 questions are key to the fate of Indian digital users. Every Indian digital user has Fundamental Right to know How his Data is being handled and for which purpose it is used. When the social media Data Handler will also be your telecom service provider as well as your financial service provider, the scenario looks more worrisome. With weak regime of enforcement and investigation of Technology laws based crimes and absolutely non-functional judicial wing dealing in matters related to technology crimes, the situation is currently pathetic. This combined power of Gio-FB will make the privacy of digital users more vulnerable because FB survives wholly on Data Trading.

We need to find the ways for protection of millions of Digital Illiterates using digital mediums without knowing the inherent risks and future traps of crypto currency and AI being laid by this Gio-FB deal.

Immediate Passage of Personal Data Protection Bill 2019 and formation and functioning of DPAI mechanism seem to be the need of hour.

I am certain that many readers will find these views absurd and illogical. Let me remind them that it took India’s Apex Court almost 60 years to reverse the views on Right to Privacy previously held in matters of Kharak Singh and M.P.Sharma, in recently decided Puttaswamy’s case. I only hope that my above views should not remain in isolation for that long 60 years. The Internet technology is most dynamic thing which has happened in these recent years and our response to the activities in internet and their effects on fundamental rights of citizen should be equally dynamic. I conclude by some unknown writers’ words, “It’s not a sin to think ahead of time but its sin to remain silent about what perils you think of in future”.

About the author- Advocate Dr Mahendra Limaye is Cyber Legal Consultant and Cyber Law practitioner in India. He specifically practices in Information Technology Act based litigation before Civil as well as Criminal Courts in India. He has obtained his doctorate on topic Fundamental Rights and Cyberspace. He can be contacted on mahendralimaye@yahoo.com or + 919422109619.