You don't own your data, your data can reside in a foreign land - and, you could be liable for withdrawing consent. Those are just some of the shocking clauses in the much delayed "The Personal Data Protection Bill 2018" architected by the Justice Srikrishna Committee. Despite submitting a draft report way back in November 2017, this is far from a complete Bill. "The Bill could have been prescriptive. But it's still very open-ended," says Vidur Gupta, Partner, Cyber Security, Government, Ernst & Young India.
In fact, a few from the 10-member panel say the committee did not even consider the Telecom Regulatory Authority of India (Trai) recommendation that ownership rests with the individual (data principal in this Bill), everybody else is a mere custodian. Instead, who owns the data of individuals is a question not even answered by the Srikrishna Committee. "It's better to separate it from ownership and look at rights," says Rahul Matthan, Partner, Trilegl. That's at the core of the glaring shortcomings in the Bill. Here are a few more.
No right to erase data: For the first time in India, the Bill has introduced the right to be forgotten. If you cease to be a bank or a telecom customer, the service provider should have no right to use your data. But globally, the right to be forgotten is now widely accepted as the right to erase data. The Srikrishna panel, however, has invented a different definition: "data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure was made on the basis of consent and such consent has since been withdrawn" This implies that the data collector or processor will only be required to restrict or stop sharing data rather than erase it. "Right to forget is anyhow a difficult law to implement. It came from Europe's General Data Protection Regulation (GDPR) that if a local law requires an organisation to hold data for a period of time, they can," says Atul Gupta, Partner, IT Advisory, KPMG India.
Second right to data breach: Globally, including in GDPR, the subject of data breach is required to be informed immediately once a hack is discovered. In its wisdom, the Srikrishna Committee recommends that such a breach must first be reported to the data protection authority to be set up under the Bill. It is the authority that will decide whether the person whose data has been breached needs to be informed or not: "Upon receipt of notification, the authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal," says the report.
This is an outrageous suggestion. "The intent is to make sure the processor of data is aware they have the responsibility to inform the authority. It does not say you can't inform the subject," says KPMG's Gupta. Companies, however, are unlikely to inform of their own volition for fear of disrepute. In the Cambridge Analytica case, even Facebook did not inform the users. "It has a lot of interpretation. It has given power back to the Centre or data protection authority. Timeline has been left open-ended," says EY's Gupta.
Individual liable: "Where the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal." That individuals will be liable when they withdraw their consent is a bizarre clause. By implication it means the individual has no right over his own data. This clause could be misused widely by inserting it in the fineprint in the heap of conditions and then invoking it when consent is withdrawn. Such a clause has little locus standi and must be struck off. "If the subject revoked consent the subject must have the ability to prevent use of information. Some of these areas will be sharpened out when the draft is put out," says KPMG's Gupta.
Conflicting signals: More than 80 countries have laws that mandate data on their citizens stays in servers within the legal and geographical jurisdiction of the country. Unfortunately, India isn't one of them. Data residing on foreign shores is governed by local laws and can be legally blocked by a foreign entity or individual, preventing legitimate access to Indian authorities.The Srikrishna Committee has left it open-ended, sending a conflicting signal. Specifically, its suggestions are at odds with RBI's diktat to payment systems companies to store data on servers in India.
Besides suggesting that the government will decide which data cannot be stored outside India, it recommends: "Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies." This implies that while a copy is stored in India, the data may actually reside in another nation which gives rise to its own set of complications, including accessing it when Indian authorities require it. "How do you manage such conflicts? It should be clear in no uncertain terms which regulation applies," says KPMG's Gupta.
Why so lenient? The Srikrishna Committee's penal provisions appear to have been inspired by the European GDPR and have identical two-stage process. Lesser violations are penalised 2 per cent of global turnover of the preceding year while graver violations are fined up to 4 per cent of global turnover.
This has two problems. First, Europe is better integrated with the US to be able to impose such fines. Indian courts may not be able to enforce a penalty on global turnover. That begs the question: Instead of copying GDPR, don't we require an India-specific penal provision? Besides GDPR, the European law also provides for a maximum fine of 10 per cent of global turnover. That's ignored by the Bill.
Second, the Bill has recommended Rs 5 crore or 2 per cent (whichever is higher) and Rs 15 crore or 4 per cent, respectively, for lesser and graver contraventions. Since the size of companies involved runs into billions of dollars, these penalties are puny and not deterrent enough. "If the intent was 2 and 4 per cent, then the minimum threshold should have been much higher where it starts having an impact on the board and management," says KPMG's Gupta. Perhaps, Rs 250 crore and Rs 500 crore, respectively. For smaller Indian firms, the threshold may still be turnover-based - 2,4 and 10 per cent
And while the Bill rightly recommends setting up the Data Protection Authority of India, the Appellate Tribunal as well as data protection officers, it appears the report has laid far greater emphasis on the architecture of data protection framework than on data privacy and protection itself. After all, more than half of the 62-page report is dedicated to the governance architecture.
But that could also be to ensure that the Bill does not meet the fate of India's toothless Information Technology Act whose biggest failure was enforcement.
The report appears to be a patchwork of laws collated from across the world. Devoid of new ideas, it has lax and lenient clauses and is a missed opportunity of creating a ground-breaking law. "We had an opportunity to do something different from GDPR, but we stuck to GDPR," says Trilegal's Matthan. India has already wasted a year waiting - a very long time in the rapidly changing Internet world. Time is of essence. Setting up another panel is not an option any more.