Adv Dr. Mahendra Limaye’s reply on “don’t stifle our digital economy with overbearing regulations” published in LiveMint.

Adv. Sidhant Kumar has written an article titled “don’t stifle our digital economy with overbearing regulations”, which was published in Live Mint. The article is about Personal Data Protection Bill 2019 and if passed what would be its effect on Indian Digital Economy.

The author believes that our leading digital economy received resounding validation through Facebook’s $5.7 billion investment in Jio Platforms. This according to me may not be entirely appropriate view. It could be at the most seen as marriage of convenience or compulsion. The debt trap in which Reliance Industries is passing through after huge investments in Jio and sharp fall in oil prices world over is well-known and its deal with Saudi company Armaco has already ran into trouble. On the other side Facebook wants to have some influential partner in India which will influence Indian government policies and more particularly on crypto currency and digital money by companies not having their offices in India. So this deal should not be treated as validation of India as investment destination by companies based in US.

The author also has raised five major objections in proposed PDPB 2019, which are baseless and without application of legal mind and needs to be countered. So let’s go by the objections raised by learned author.

Firstly the author feels that pivot of the framework appears to be a domineering mandate to be given to a data regulator, structurally geared to intervene rather than facilitate.

The functions and duties of Data regulator as per proposed bill are 1) It shall be the duty of the Authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection. 2) monitoring and enforcing application of the provisions of this Act; 3) taking prompt and appropriate action in response to personal data breach in accordance with the provisions of this Act; 4) maintaining a database on its website containing names of significant data fiduciaries along with a rating in the form of a data trust score indicating compliance with the obligations of this Act by such fiduciaries; 5) examination of any data audit reports and taking any action pursuant thereto; 6)  monitoring cross-border transfer of personal data etc.

These duties and functions are mostly regulatory and appellate authority is prescribed if any arbitrariness is observed by the authority or anyone is aggrieved by the order of regulator’s mechanism. So it’s totally wrong to state that mandate of only intervening is wasted in hands of regulator. Rather prompting awareness programs and ensuring compliance from various fiduciaries shows its responsibilities as facilitator.

 Second, the Bill has broad-based restrictions on the transfer of data overseas from India, which could hive our market off from the global digital economy.

This is totally misconceived and misleading statement since the bill at section 33 makes it clear that subject to the conditions in sub-section (1) of section 34, the sensitive personal data may be transferred outside India, but such sensitive personal data shall continue to be stored in India.  Section 34 (1) says the sensitive personal data may only be transferred outside India for the purpose of processing, when explicit consent is given by the data principal for such transfer, and where—

(a) The transfer is made pursuant to a contract or intra-group scheme approved by the Authority and (b) the Central Government, after consultation with the Authority, has allowed the transfer to a country or, such entity or class of entity in a country or, an international organisation. This makes it amply clear that permissions can be sought for transfer of data overseas in exceptional circumstances’.  So this itself explains the concerns of the author are false and if he is advocating that data be transferred cross border without any government restrictions then I think he should show any example across the world where any country has allowed free flow of data trans-border without any restrictions.

Third objection of the author regarding  the Bill seeking to protect privacy by way of what looks like a regulatory sledgehammer that imposes extensive compliance requirements with little aid to data protection needs explanation from author himself. If he thinks some provisions of Data protection are arbitrary or impractical he should point out those specific provisions rather than painting entire provisions alike. When stakes involved are high the degree of care and protection needs to be the utmost and same principle seems to be followed in framing the law. Data Protection is core and the worldwide examples of social media giants flaunting these norms are in open domain. The level of security needs to be balanced taking into considerations millions of digital illiterates exposed to digitalisation and author seems to be concerned about these digital sharks which are ever eager  to latch on the private sensitive personal data on the users.

Fourth objection is that the Bill sets forth an inflexible framework that is bereft of any formal consultative rule-making process, which is likely to stifle innovation in the sector. The author seems to be unaware about how much deliberations and discussions and public debates took place prior to introduction of this bill and shows his lack of knowledge. He is more concerned about what will happen to innovations in this sector as they all will be regulated in some or the other law in future. Lawlessness has prevailed in digital world for long and we are paying price for the same.

Lastly his objection is about substantial portions of the Bill being out of sync with international data protection practices, which could blunt India’s competitive advantage as a digital market. Again these are hollow statements without any proof to back the same. The author seems to be fond of most loved one keys known as Ctrl C and Ctrl V and used them to throw baseless allegations without coming up with any concrete evidence.

Being an Advocate it was expected of him to put forward some evidence/logic backing his allegations but he seems to have leveled the allegations without making any preparations and with some ulterior and oblique motive. What it is, presently not known to me, but at least after this rebuttal it is expected from the author to come up with more studied document which will enlighten illiterates like me, more about the topic.

Some counters to his specific statements:

1) Each Facebook user in Asia (except China) generates only $11 of advertising revenue a year. But who is beneficiary of this revenue, the author has not explained. Does our government get any tax on the same?

2) In its present form, the Personal Data Protection Bill could result in the largest expansion of the regulatory state in India since economic liberalization in 1991. The author has forgotten that The Personal Data protection bill’s objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” It was also mentioned in preface of Personal Data protection bill that the issue of data protection is important both intrinsically and instrumentally. Intrinsically, a regime for data protection is synonymous with protection of informational privacy. As the Supreme Court observed in Puttaswamy’s, “Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.”

Instrumentally, a firm legal framework for data protection is the foundation on which data driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential if India is to lead its citizens and the world into a digital future committed to empowerment, experiment and equal access, observed by Apex court in India and thereafter Justice Shrikrishna committee was formed and which recommended the draft Personal Data Protection Bill after due deliberations and consultations with the experts.

3) He criticizes the creation of a Data Protection Authority with the power to impose penalties to the tune of 4% of a company’s global turnover but forgot that Competition Commission of India has also imposed in Feb 2018 a penalty amounting to 5% of the average revenue generated from India over the three years to FY15, an amount of 135.85 crore and a maximum penalty of 10% can be imposed under the Act.

4) The author criticizes that the Bill contains substantial restrictions on the transfer of sensitive personal data (including financial and health data) outside India and authority’s prior approval would be needed for any such transfer. Has the author gone through provisions of Personal Data protection and more specific to Health data prevailing across globe and more particularly in US? The US healthcare act HIPPA and HITECH mandates even non US companies to be HIPPA compliant if they are handling any health data related to citizen of US.

5) According to the author, Bill also requires large players to have data protection officers physically located within India. These proposals could have an adverse impact on our digital economy, the basic characteristic of which is connectivity beyond barriers. When Indian companies handling any data related to health parameters of US citizen, they have to be compliant with US laws but when Indian law mandates Data Protection Officer to be located in India the author dislikes the same. The present provision does not say he should be Indian Citizen and the physical presence of Data Protection officer in India will rather ease the burden on many foreign companies as DPO will be in better position to understand the situation on ground while performing his duties. This in turn will create more job opportunities to Indian people and will have positive impact on Indian economy.

6) The outside world is likely to see these measures as less about protection and more about protectionism. It needs to be mentioned that most of the provisions of PDPB 2019 are inspired or influenced by GDPR which is already operative in European Union and GDPR is never seen as protectionism of data of European citizen etc. And when our Apex Court has been vocal that Right to Privacy is integral part of our Fundamental Rights and there can be always reasonable restrictions (as contended by author) on exercise of Fundamental Rights in exceptional circumstances.

7) The Bill contains extensive compliance requirements, including the conduct of audits and impact assessments to be filed with the Authority. It would have been better if the author has been kind enough to make few suggestions to make compliance requirement simpler. The normal accounting audits by tax authorities were also seen as stringent initially. The personal data in today’s world of digitalisation is equivalent to free and fresh air required for one’s physical survival. It’s fundamental responsibility of state to see that all its citizen get free and unpolluted air for which there are many environment friendly regulations related to Pollution, Plastic usage etc. passed by parliament. Similarly the Personal Data being part of fundamental rights, its protection becomes responsibility of our government and if stringent provisions are needed to safeguard interest of Indian Citizen, the parliament has every right to do so.
8) The author has shamelessly conceded that the fulcrum of the Reliance-Facebook deal would be the transformation of WhatsApp, a messaging platform, into a one-stop platform for a large number of everyday transactions. Facebook’s bet on India underscores India’s enormous potential as a market. But author has not taken any pain to study what is revenue model of Facebook or Whatsapp? How the only messaging platform, Whatsapp, without any commercial or revenue generating model could survive this long? It has been proved time and again that most social media companies trade in data and make enormous amount of money by such trade alone and still there are few who want that trade should remain unregulated forever. The PDPB only intends to have some safeguards in place where the privacy or confidentiality of the information should be maintained by social media companies or for that matter all data fiduciaries.

The author should have used his knowledge to point out the specific lacunas, if any, in the PDPB2019. Lot of time is already wasted in passage of this crucial act which is concerning Fundamental Right of, practically every citizen of this country.

I hope that to my best abilities I have tried to advocate need for passage of Personal Data Protection Bill 2019 at the earliest. The amendments are always possible once the law is implemented and enforced and tested on various fronts.

Advocate Dr. Mahendra Limaye

About the author- Advocate Dr Mahendra Limaye is Cyber Legal Consultant and Cyber Law practitioner in India. He specifically practises in Information Technology Act based litigation's before Civil as well as Criminal Courts in India. He has obtained his doctorate on topic Fundamental Rights and Cyberspace. He can be contacted on mahendralimaye@yahoo.com or + 919422109619.