Data Privacy Day’s significance in creating awareness is peaking in India: Yashovardhan Azad
Data Privacy Day tries to create awareness about the importance of privacy and data protection amongst various stakeholders like businesses, individuals, governments etc., says Yashovardhan Azad, Former Special Secretary, IB
On World Data Privacy Day, Yashovardhan Azad, Former Special Secretary, Intelligence Bureau, in an interview with HT Tech, provides his insights on the personal data privacy issue, takes a deep look at the Data Protection Bill in India and furnishes a comprehensive view of its pros and cons. Azad also gives a detailed list of what is missing from the bill and how to make it better in order to operationalise a progressive, rights-enabling data protection regime in India. Here are the edited excerpts:
Q.1 Today is World Data Privacy Day. How do you see the issue?
This marks the 41st anniversary of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (commonly known as Convention 108). It is the first international binding treaty opened for signature in Strasbourg for countries to follow evergreen data protection and privacy principles, which are still relevant today. In 2006, the Council of Europe (an international organisation that upholds human rights) decided to celebrate January 28th as the Data Protection Day in Europe, globally celebrated as Privacy Day. In addition to marking the significance of Convention 108, Privacy Day tries to create awareness about the importance of privacy and data protection amongst various stakeholders like businesses, individuals, governments etc.
Privacy Day's significance in creating awareness is peaking in India with its tremendous growth in digitalisation efforts and internet penetration. The COVID-19 pandemic has accelerated this trend as people moved toward the digital ecosystem to stay connected and avail contact-less services. This rise in utilisation of digital platforms means increased data generation to avail various public and private services through platform businesses, over the top services, e-commerce businesses etc. For instance, the COVID-19 pandemic led to an increase in online learning where schools moved toward using learning platforms for uninterrupted teaching; in return, the users of this service, i.e., students, teachers etc., leave digital traces in the form of data. As we leave traces of data, it is important for individuals to be aware of their privacy rights such that they can ensure a secured digital experience.
While privacy day is celebrated once a year, learning through interventions and awareness programmes must be carried forward. Besides, we must look back and analyse how far we have come in creating awareness, which translated into actions to evaluate and appreciate our efforts.
Q.2 Any concerns around data privacy? Are we vulnerable?
Every data-driven industry and business, i.e., data fiduciaries, have their data infrastructures, functions, targets, output and outcomes. Still, overarchingly they follow almost the same process when crunching data for extracting utility. The crunching of the data brings privacy risks and concerns to the forefront, where the data fiduciaries have created a privacy void that needs a fix.
The data lifecycle has six stages, i.e., data collection, data retention, data structuring, data transfer/sharing, data processing, and data expunction. At the infrastructural level, the vulnerabilities in terms of data protection are predominant in data retention, processing and expunction stages as follows:
1. Data retention: The data collected and generated is stored in the cloud servers or on physical devices, etc. The biggest data protection threat at the data storage stage is the data breach through hacking, leaks etc. Data breaches cause reputational loss to data fiduciaries in addition to heavy fines from the regulators. From a consumer perspective, data principals lose control over data at rest (when stored at the data fiduciaries' servers or with a third party), creating a lack of consumer choice and opacity in treating sensitive data like payments, medical history, etc.
2. Data Processing: Data fiduciaries process data for providing services to data principals, betterment of service delivery, marketing purpose, competition purpose etc. At this stage of data processing, unintended data protection breaches happen due to lack of purpose limitation, data minimisation and privacy violations both at input and output levels. From the demand-side, data principals are unaware of how their data is processed, thus losing control over it.
3. Data Expunction: Various jurisdictions, including India's upcoming data protection law, suggest data expunction. These regulations empower data principals to seek deletion of data (through consent withdrawal) if they think it no longer serves the purpose. At this stage, a data protection threat occurs when the data fiduciaries do not map the data flow and only destroy the data at the primary store, leaving all historical backups intact.
Q.3 How can we strengthen India's data privacy?
Individual perspective: The upcoming data protection regulation tries to tackle the issue from the supply-side perspective. Still, we as individuals can also secure our privacy from the demand-side by using tools to carry out some privacy-enhancing practices. When data fiduciaries collect data directly from us, we can control the information we provide through both digital and analogue means. For instance, it is okay to say “no” to shops where they insist on sharing your mobile number for billing. While it is important to secure the data by saying “no”, it is also essential to balance this act with sharing the data at the appropriate places for tapping various benefits and availing services. Therefore, a simple privacy checklist that reminds us about privacy safeguards before sharing data with the data fiduciaries or processors would be helpful.
Institutional perspective: Thinking beyond compliance to data protection regulation, data fiduciaries must approach privacy and data protection at par with supply-side incentives such as innovations, competition, creativity which are default embedded within the technological systems and processes, i.e., privacy by design. Data fiduciaries must adopt an anticipatory approach where they have a comprehensive set of ex-ante measures to secure data in addition to ex-post measures to remedy the violation/harm. Lately, we see many debates on privacy vs security, privacy vs data empowerment etc. While these are important debates, privacy should be a full functionality where data fiduciaries don't trade-off privacy at the cost of others. Besides, data principles must put data principal at the topmost priority such that systems and processes of technologies offer strong privacy defaults, appropriate notice, and empowering user-friendly options.
Q.4 Can you provide some clarity on Data Protection Bill?
India's envisioned data protection regime had a long journey since the Supreme Court recognised privacy as a fundamental right. Recently the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, 2019 (PDP Bill 2019), tabled its report and draft Data Protection Bill 2021 (DPB 2021) in both houses of the Parliament. Below are some of our thoughts on the bill.
- DPB 2021 widened the scope of the PDP Bill 2019 to govern both personal and non-personal data (NPD), with less clarity on how the regulator will effectively regulate, how companies will comply, and how individuals will exercise the rights granted to them.
- Clause 35, which exempts the state from the applicability of the PDP Bill, is broadly worded. While JPC has suggested having a “such procedure,” i.e., just, fair, reasonable and proportionate for applicability of Clause 35, this sub-clause remains wide. In addition, without proper direction on constitution, composition, and accountability, this sub-clause again provides room for arbitrary powers of government in developing procedures.
- The Data Protection Authority in its present form envisioned in the DPB 2021 still lacks separation of power, is executive driven, needs a robust accountability framework, financial and functional independence and transparency in its operations.
- The DPB 2021 retained the data localisation requirements proposed in the PDP Bill 2019 with additional restrictions on the cross-border data transfers requirement, which is problematic for both domestic and international businesses. The DPB 2021 suggested that the DPA need the central government's approval to transfer data to third countries for contract and intra-group schemes.
- The penalties prescribed in the DPB 2021 continue to include criminal penalties for reidentification and financial penalties and the possibility of instituting class action suits if multiple persons suffer from privacy on data fiduciaries. This is a strong deterrent for many start-ups and Small and Medium Enterprises (SMEs) from innovating.
Q.5 Anything that can be added to the Data Protection Bill?
As tabling of the JPC's report in the Parliament indicates that we are at the cusp of having a privacy regime for India, it is essential to consider the below pointers to operationalise a progressive and rights-enabling data protection regime in India.
- The objective of the data protection bill must not deviate from the Puttaswamy Judgement I mandate, i.e., to balance individual interests and legitimate concerns of the state like national security, public order etc. Therefore, the objective of the data protection bill 2021 must be restored to its 2019 version, i.e., to protect the privacy of individuals relating to their data.
- While it is ideal for having separate NPD regulations, in the case of a combined regulation, the government has to address some of the nuanced issues related to non-personal data in detail and provide clarity on regulatory structures and processes.
- The DPB 2021 must contain adequate checks and balances with respect to the State's access to data, which must be in line with the apex court's three-part test of legality, necessity, and proportionality, as enshrined by the Puttaswamy judgement I. In addition, the DPB 2021 must list specific instances or purposes and discuss procedural accountability to reduce the potential misuse of the state exemptions clause.
- The DPB 2021 must ensure that India is in a position to negotiate and agree on a cross border data transfer mechanism to enable future interoperability of data protection laws at the international level.
- The DPB 2021 must strive to build a healthy relationship and cooperation with data fiduciaries and processors, from big tech to MSMEs to government agencies, where (a) the provisions must be tailored to reduce the compliance burden and cost for the MSMEs and start-ups and (b) criminal liability must be considered to be removed to increase innovation.
- The DPA envisioned in DPB 2021 must have a balanced composition with both government and independent member representation, financial and functional independence, appropriate accountability framework and in-built transparency.