Decoding India's Personal Data Protection Bill with Prashant Mali

In an interaction with Prashant Mali, cyber and privacy policy expert, thought leader and practicing lawyer, we go beyond the hype and paranoia and drill down into the details to understand the impact of Personal Data Protection Bill on Indian enterprises and individual privacy.

In July 2018, a 10-member committee spearheaded by Justice BN Srikrishna submitted its report on data protection to IT minister Ravi Shankar Prasad. Prior to that, in August 2017, the Supreme Court passed a historic verdict in Justice KS Puttaswamy vs Union of India, declaring the right to privacy a fundamental right under the Constitution.

It is no secret that India is in the throes of a massive digital shift, enabled by public platforms such as Aadhaar and UPI. Then there is the government's 'Digital India' vision and 'India's Trillion-Dollar Digital Opportunity', both of which rely on large-scale digital transformation and adoption.

So, how do individual privacy and consent fit into all this? And why should citizens care? We put these questions to Prashant Mali, cyber and privacy policy expert, thought leader and practicing lawyer, and drilled down into the details of the Bill's impact on Indian enterprises and individual privacy.

Edited excerpts:

There is an argument that the proposed Data Protection Bill 2018 lacks provisions to anonymize public data. What is your view on this?

Mali: Yes, the Personal Data Protection Bill lacks provisions for pseudonymising or anonymising any public data. Anonymising personal data makes it impossible to identify the individual data principal. Under Article 25 of GDPR, it is required to use appropriate technical and organizational measures to protect the rights and freedoms of the data subject. By having such measures, the controller should pseudonymise the personal data as soon as it has been processed.

Such provisions are missing in the Personal Data Protection Bill, which shall undermine the rights and freedoms of the data principal and at the same time give big organizations open opportunities to harvest information from such easily available data. I think someone in Parliament should raise this issue during the debate and move an amendment in this direction.

Do you think the current draft needs more clarity on defining the types of harm people can suffer? How can people be informed of the risks, instead of just focusing on the regulation?

Mali: Section 2(21) of the PDP Bill covers wider areas: it includes bodily or mental injury, any discriminatory treatment, or any observation or surveillance that a data principal or data subject is not expecting. Sometimes clarity brings in ambiguity; it is always better to have encompassing words, which can be interpreted as need and time arise.

Having said that, the data controller has to inform the data principal or data subject about the associated risk whenever it is taking consent under Section 12 of the PDP Bill. The Personal Data Protection Bill has explicitly pointed out under Section 8 what information a data controller has to give to the data principal: for instance, "for what purpose the personal data is processed", "what are the rights of the data principal if it wants to withdraw its consent", "right to complain to the Adjudicating Officer", etc.

Public awareness would be a key factor in the implementation of the PDP Bill. My concern is that if the government has no implementation plans with regard to awareness, then just bringing in a law would serve no purpose.

I feel the last section of the proposed draft should also have the next date of amendment, and its subsection should say something about how much each state government would spend on awareness year-wise. The government should learn lessons from the faulty implementation of, and the lack of awareness amongst citizens about, the IT Act, 2000.


What about critical data that is already being misused, or has already left Indian shores? Should the bill have clarity on that?

Mali: Although critical data has not been defined under the Personal Data Protection Bill, the central government has been entrusted under Section 40(2) to notify which critical personal data shall only be processed in a server or data center in India.

Yes, I feel there should be more clarity on what happens if any critical data has been violated or has left Indian shores before the implementation of this bill. It may also help us in case Aadhaar data is already compromised.

Also, similar to GDPR, it would be difficult to regulate retrospectively, as it would require time for the data fiduciary to implement those regulations. If the data was leaked earlier and the misuse continues after the Bill becomes law, then under Sections 90 and 91 of the PDP Bill, if any person violates any provision of this Act by misusing personal or sensitive data, that shall be punishable with imprisonment of not more than three years or a fine of up to two lakh rupees.

How does one protect "people" without affecting the app or "data" economy?

Mali: Firstly, organizations need to take proper consent from the people. The consent form shall have all the attributes, like "What will they do with the data?", "Where will the data be stored?", "Are they going to transfer it to any third country?", "Are they using any behavioral profiling on the customer?", etc. All of these attributes should be in plain and simple language that is easily understandable to the customer while he/she is giving his/her consent.

Second, the organization has to have an internal data privacy policy that is aligned to the PDP Bill. The said policy should be such that it gives the customer all the rights entrusted under the bill, like "Right to Access", "Right to be Forgotten", etc. It should also maintain a grievance redressal system that shall provide proper guidance to the customer if any violation occurs. I suggest this could be an online one.

Third, the new data privacy regime requires organizations processing personal data of children to follow due care in protecting the rights and interests of children. Organizations offering services primarily to children, other commercial websites or online services directed at children, or those processing a large volume of personal data of children will be identified as 'guardian data fiduciaries'.

Organizations with a user base under the age of 18 years will have to make changes to their technology platform to incorporate parental consent and age verification. Advertising-based revenue models, if they involve profiling of children, will have to be modified.

Lastly, "Privacy by Design" should be the mantra of organizations, and that means that when a system or software is designed, privacy should be built in.

Please elaborate on any other critical factors that people must be aware of when it comes to the impact of Personal Data Protection Bill.

Mali: To start off with, citizens should know for what purpose they have given consent, as it is mandatory for the organization to provide such information. I sincerely feel a consent management app is the need of the hour for citizens.

Secondly, citizens have the right to access, which lets you obtain a summary report from the organization that has collected your data, and the right to be forgotten, which means you can have your personal data removed from the organization's database.

Thirdly, citizens have the right to file a complaint against the organization in the event of any violation of the rights provided by the PDP Bill.

We need to develop a culture of privacy in India; only then can we effectively implement data privacy rights and efficient data protection for our citizens.

Copyright © 2019 IDG Communications, Inc.
