Clipped from: https://economictimes.indiatimes.com/tech/internet/can-we-protect-data-dutifully/articleshow/80485640.cms
Synopsis: The Personal Data Protection (PDP) Bill has undergone significant changes, and is expected to be tabled in the upcoming budget session in Parliament.
The Personal Data Protection (PDP) Bill has undergone significant changes, and is expected to be tabled in the upcoming budget session in Parliament. Around 130 countries now have data protection regulations in some form to tackle the quagmire of the data ecosystem, a near black box on personal data gathering, and processing by entities across layers. The law should lead to empowered consumers, result in more transparency, curb excessive and bad faith processing, and power trusted innovation to advance digital economy goals.
‘Recovery of debt’ is listed as a reasonable purpose for processing without consent. But it drastically impacts rights and reasonable expectations of data principals. The law should restrict unreasonable processing and ensure the individual’s right to remedy, even if acts are punishable offences under other laws.
Providing a blanket exemption to government agencies poses a challenge to reforming the data access and surveillance regime. Numerous court judgments have reiterated the inadequacy of procedural safeguards, of the right to effective recourse, and of the implementation of necessary and proportionate access principles. Such an exemption may also curtail GoI’s vision of India becoming a global data processing and analytics hub.
The updated draft of the European Commission’s Standard Contractual Clauses (SCCs) requires data exporters to assess regimes that enable access to transferred personal data through binding requests by public authorities in the country to which the data is transferred, and to gauge whether they meet the necessary and proportionate requirements expected of a ‘democratic society’. If governments and companies find such an exemption excessive, the ability to forge digital trade agreements and investments may be impacted.
Exempting data processors that process the personal data of foreigners received under contracts may seem a fix. But it could result in the mushrooming of a sinister data processing industry legitimised through contracts. The Court of Justice of the European Union (CJEU) cited the lack of safeguards and limited recourse against processing by US government agencies. Such matters will soon hit Indian courts. So, personal data processing by foreign governments needs to be addressed.
The tricky part is to work out how national laws can uphold sovereignty as well as an individual’s rights when foreign governments process data. The Bill restricts transfer of sensitive personal data unless contracts provide effective protection of the rights of data principals and fix accountability of the data fiduciary for any harm caused. Besides, if harm resulting from processing is not restricted by borders, should the exercise of fundamental rights be?
GoI recommended a new form of sovereignty based on data ownership: jurisdiction based on individual citizenship, irrespective of where data is stored and processed. A data protection law should carefully navigate the different approaches to jurisdictional applicability, based on the location of entities, the location of storage and processing facilities, and the origin of data (with extraterritorial reach), as it will chart the direction of the digital economy.
Bilateral digital trade agreements and multilateral arrangements like the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), the United States-Mexico-Canada Agreement (USMCA), and the Regional Comprehensive Economic Partnership (RCEP) entail limiting restrictions on data transfers, and curbing ‘localise as many computing facilities as possible’ tendencies. There seems to be a rough consensus on localisation of financial data. Healthcare may be next. But seeing extensive localisation as a panacea for privacy and geotech-data strategic woes may be counterproductive.
Implied localisation impacts global value chains. The US and the EU are now attempting a third bilateral framework for personal data transfers. India and the EU, too, expressed a desire for ‘reciprocal adequacy’. This may be the right time for democracies to shed silos and develop acceptable standards for transfers, processing and access, before trust deficit peaks and data islands become a norm.
More is expected and required from significant data fiduciaries (SDFs). SDFs with their principal place of business outside the country should self-certify that no data and inferences from Indian operations are shared with other governments, except when necessary and lawful access requests are made. Their boards should be required to sign off on a data processing risk assessment periodically. If SDFs repurpose or reverse data processing commitments made during mergers and acquisitions, or when amalgamating multiple services under a common platform, regulatory intervention is warranted.
High compliance costs, coupled with the provision of heavy fines, could hamper the growth of MSMEs. Conversely, exempting them will adversely affect the privacy landscape. If an accidental data breach is followed by responsible reporting, organisations should be allowed to earn back a substantial portion of penalties if they demonstrate corrective practices. GoI should also provide open-source tools for data processing management.
Privacy-invasive technologies like facial identification, drones and public CCTV, or programmes like the National Intelligence Grid (Natgrid), need legislative backing, and their systems should be approved through a regulatory sandbox that enforces privacy-by-design requirements before active deployment.
(The writer is founder, The Perspective)