The past as a compass for the future

The past as a compass for the future

SMEs and the startup ecosystem in India share concerns about the (retracted) draft Data Protection Bill, 2021 - and the way forward for businesses

To understand the impact of the Draft Data Protection BIll (DPB) on Small and Medium Businesses (SMBs) and startups, Privacy Mode interviewed representatives across the industry. The interviewees shared their perspectives on how complying with the mandates and provisions of the Bill is likely to affect opportunities for innovation, investment and the costs of doing business in India.

This report provides a more nuanced discussion on data governance policies, especially regarding the regulation of data protection laws in India, and helps inform more consultations around data governance, data protection and rights.

The Personal Data Protection (PDP) Bill, 2019, was first introduced in the Lok Sabha by the Ministry of Electronics and Information Technology (MeitY) in December, 2019. Its primary intent was to protect the digital privacy of individuals relating to their data, while acknowledging the right to privacy as a fundamental right and necessary to protect personal data as an essential facet of informational privacy. It also aimed to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.

Cite this report- Dash, Sweta “The past as a compass for future - SMEs and the startup ecosystem in India share concerns about the (retracted) draft Data Protection Bill, 2021 - and the way forward for businesses” (2022) at https://hasgeek.com/PrivacyMode/dpb-survey-report/

Executive Summary

(The reference text of the Draft Data Protection Bill, 2021 is mentioned in the citations. You can also see the timeline, showing how the text and provisions of the Bill have evolved through various stages.)

According to the Bill, personal data is defined as data about or relating to:
1. Natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such a natural person.
2. Whether online or offline.
3. Any combination of such features with any other information.
4. Shall include any inference drawn from such data for the purpose of profiling.

In 2019, the Union Government referred this Bill to a Joint Parliamentary Committee (JPC). The updated Draft Data Protection Bill (DPB), 2021 emerged from the JPC report tabled in 2021.

The Draft DPB had changed the initial PDP Bill significantly, and received mixed responses and concerns from stakeholders 1.

To understand the impact of the Draft DPB on Small and Medium Businesses (SMBs) and startups, Privacy Mode interviewed representatives across the industry. The interviewees shared their perspectives on how complying with the mandates and provisions of the Bill is likely to affect opportunities for innovation, investment and the costs of doing business in India.

This report provides a more nuanced discussion on data governance policies, especially regarding the regulation of Data Protection Laws in India and helps inform more consultations around data governance, data protection and rights.

Disclaimer

The conduct of this survey and the drafting report was done prior to the withdrawal of the DPB on 3rd August, 2022. The intent of producing this report was to collect peer review from industry practitioners and compile this as feedback to be shared with MeitY and the JPC. We believe that this report is relevant and timely because the findings presented here provide insights into industry concerns which can be leveraged when the government drafts the next version of India’s privacy bill. For data privacy of users to be genuinely achieved in India, privacy policies and laws must provide guidelines and directions to the industry without detailing operational requirements. Else, compliance becomes a checkbox to tick, while privacy continues to be put on the backburner2.

Participant Profile Distribution

{
  "height": "320",
  "width": "480",
  "autosize": {
    "type": "fit",
    "contains": "padding",
    "align": "centre"
  },
    "data": {
    "values": [
      {"category": [" ","Architect"], "value": 4.2, "label": "4.2%"},
      {"category": "Product manager", "value": 12.5, "label": "12.5%"},
      {"category": ["Senior", "Engineer"], "value": 33.3, "label": "33.3%"},
      {"category": "Founder", "value": 50, "label": "50%"}
    ]
  },
  "mark": "arc",
  "encoding": {
    "theta": {"field": "value", "type": "quantitative", "stack": true},
    "color": {"field": "category", "type": "nominal", "legend": null}
  },
  "layer": [
    {"mark": {"type": "arc", "outerRadius": 130, "innerRadius": 70, "padAngle": 0.01}
},
    {
      "mark": {"type": "text", "radius": 105, "fill": "#fff"
      },
      "encoding": {
        "text": {"field": "label", "type": "nominal"},
        "size": {"value": 12}
        }
    },
    {
      "mark": {"type": "text", "radius": 170
      },
      "encoding": {
        "text": {"field": "category", "type": "nominal"},
        "fill": {"value": "#000"},
        "size": {"value": 12}
        }
    }
  ]
  }

Industry Domain Distribution

{
  "height": "430",
  "width": "480",
  "autosize": {
    "type": "fit",
    "contains": "padding"
  },
    "data": {
    "values": [
      {
      "category": [[" "," ","Agritech"], [" ","AI Tech"], [" "," ","Software", "Development"], ["B2B", "eCommerce"], "CRM",  "Cloud Tech", [" "," ","MLOps"], ["IT Services ", "& Consulting"], [" "," ","OSS Products", "& Services"], [" "," ","SSD Cloud"], ["Cybersecurity", "Tech"], "Fintech", "Health Tech"],
      "value": [7.1, 14.3, 3.6, 3.6, 3.6, 7.1, 3.6, 3.6, 3.6, 3.6, 3.6, 25, 14.3],
      "label": ["7.1%", "14.3%", "3.6%", "3.6%", "3.6%", "7.1%", "3.6%", "3.6%", "3.6%", "3.6%", "3.6%", "25%", "14.3%"]
      }
      ]
    },
  "transform": [
  {"flatten": ["category", "value", "label"]}
  ],
 "mark": "arc",
  "encoding": {
    "theta": {"field": "value", "type": "quantitative", "stack": true},
    "color": {
      "field": "category",
      "type": "nominal",
      "legend": null,
      "scale":{"range": ["#267278","#3363a9","#4e82ea","#f2a354", "#3db3a3", "#f46767", "#d15a69", "#f49667", "#f7cc19", "#2abca7", "#2c96ff", "#569d79", "#78b3ce"]}
    }
  },
  "layer": [
    {"mark": {"type": "arc", "outerRadius": 170, "innerRadius": 85, "padAngle": 0.01}
    },
    {
      "mark": {"type": "text", "radius": 145, "fill": "#fff"},
      "encoding": {
        "text": {"field": "label", "type": "nominal"},
        "size": {"value": 12}
        }
    },
    {
      "mark": {"type": "text", "radius": 200, "align": "left", "dx": -10, "dy": -5},
      "encoding": {
        "text": {"field": "category", "type": "nominal"},
        "fill": {"value": "#000"},
        "size": {"value": 10}
        }
    }
  ]
  }
Summary of key concerns
Ambiguities about sensitive and personal data, and the addition of non-personal data (NPD) into the ambit of DPB
Increase in compliance burden and costs owing to provisions such as privacy by design and algorithmic fairness which will be certified by the Data Protection Authority (DPA)
Restrictions on cross border flow of data, and impact on innovation
Mandates for privacy by design and algorithmic fairness are unviable and impractical to implement
Overreaching powers for the government further increase unjustified surveillance

Top Concerns

{
  "height": "430",
  "width": "520",
  "autosize": {
    "type": "fit",
    "contains": "padding"
  },
    "data": {
    "values": [
      {
      "category": [["Mixing of personal", "and non-personal data"], ["Ambiguities and", "uncertainties"], ["Data localisation and", "cross border data transfer"], ["Privacy by design", "and algorithmic fairness"], ["Overarching powers", "to the government"], ["Compliance", "burdens"]],
      "value": [8.4, 19.2, 19.2, 17, 17, 19.2],
      "label": ["8.4%", "19.2%", "19.2%", "17%", "17%", "19.2%"]
      }
      ]
    },
  "transform": [
  {"flatten": ["category", "value", "label"]}
  ],
 "mark": "arc",
  "encoding": {
    "theta": {"field": "value", "type": "quantitative", "stack": true},
    "color": {
      "field": "category",
      "type": "nominal",
      "legend": null,
      "scale":{"range": ["#f46767", "#d15a69", "#f49667", "#f7cc19", "#2abca7", "#2c96ff", "#569d79", "#78b3ce"]}
    }
  },
  "layer": [
    {"mark": {"type": "arc", "outerRadius": 165, "innerRadius": 85, "padAngle": 0.01}
    },
    {
      "mark": {"type": "text", "radius": 145, "fill": "#fff"},
      "encoding": {
        "text": {"field": "label", "type": "nominal"},
        "size": {"value": 12}
        }
    },
    {
      "mark": {"type": "text", "radius": 215, "align": "left", "dx": -45, "dy": -10},
      "encoding": {
        "text": {"field": "category", "type": "nominal"},
        "fill": {"value": "#000"},
        "size": {"value": 10}
        }
    }
  ]
  }

Mixing of Personal and Non-Personal Data

While the JPC report recommended that both personal and non-personal data must be brought under the ambit of the same data protection law, or rather under “a single administration and regulatory authority”, respondents remain sceptical of the intent and implications of such a move. They said this transition from PDP to the current DPB relegates users to the margins instead of putting them on the centrestage in the discourse on privacy 3.

To them, the onus of the user’s privacy now shifts on to businesses. And, since data aggregated by businesses is a mix of both personal and non-personal, it increases their operations and compliance costs. Segregating this data into non-personal data, sensitive personal data, and critical personal data is a herculean task for businesses, especially those who operate on a data heavy model4.

📖 Read more about this key finding


Consent Management

On one hand, the DPB now allows non-consensual processing of data under several circumstances. That is concerning because consent must ideally be the foundation of a Bill on data protection, especially given the fact that DPB is still a chapter in the history of the milestone Puttaswamy judgement.
Clause 13 of the DPB, for instance, notes that non-consensual processing of data “can reasonably be expected by the Data Principal.” The next Clause then disregards user consent for measures like search engine operation and credit scoring.

On the other hand, the mechanisms for businesses to adhere to consent have become more cumbersome. With the requirements of consent managers and multiple levels of checks and balances, respondents are confused about what is even expected of them. To them, this will eventually be a reason for greater compliance costs for the business and friction for the end-users.

📖 Read more about this key finding


Data localization and cross border data flows

The draft DPB’s mandates on physical data storage and processing the data within the country’s jurisdictional borders is seen as a serious impediment to growth, investment, and innovation opportunities for businesses.
Additionally, the DPB has different standards for handling sensitive personal data and critical personal data adds to compliance costs because businesses are finding it difficult to understand what this will mean for costs of operations. They also find it challenging to now segregate three categories of data and having to invest in resources that will be needed to do the same.
Transfer of data cross-border requires explicit consent of the Data Principal, pursuant to a contract or intra-group scheme approved by the Data Protection Authority (DPA) in consultation with the Centre. This leaves businesses worried about extra approval mechanisms and audit systems. So much so that some said they might consider moving the base of their business to a different country instead.

📖 Read more about this key finding


Privacy by Design and Algorithmic Fairness

In principle, respondents welcomed the move to build mechanisms and processes for Privacy By Design and Algorithmic Fairness. They think it is time that privacy and fairness gets its due recognition and importance in data businesses. However, they are concerned that these are theoretical concepts and not viable to implement and adhere to on a routine basis. Respondents said that it is difficult to have broad but uniform standards for these approaches, and that a blanket solution will not cater to the nuances of data that each business operates with.

Respondents also shared that these are not measurable metrics - which then translates into:
1. It will be difficult to comply with and get certifications by the DPA; and
2. It is always possible for some algorithms to have roundabout ways to seem fair without actually being fair. Respondents felt that this defeats the purpose of this provision in the DPB 5.

📖 Read more about this key finding


Problems with government exemptions; fear of data sharing with government and central agencies; anonymized datasets

The DPB 2021 assures exemptions for the government and central agencies (including the police, Central Bureau of Investigation (CBI), Enforcement Directorate (ED), Research and Analysis Wing (RAW), Intelligence Bureau (IB) and Unique Identification Authority of India (UIDAI) after the JPC report with the insertion of a non-obstante provision in Clause 35.

Respondents remain fearful of such provisions that grant overarching powers for the government and central agencies to process data without the user’s consent. Among other things, they are concerned that these exemptions are “scary”, “unjustified”, and “unconstitutional”.

They are also worried that such unregulated data access by the State can have potential security threats to their digital and proprietary information.

📖 Read more about this key finding


Way forward

The objective of this qualitative study was to understand the concerns that startups and SMBs had regarding the Draft DPB. At a time when startups and SMBs play such a crucial role in the digital economy of the country, and data itself holds the centrestage across sectors, it is imperative to hear from the individuals who have firsthand experiences that can inform more consultations around data governance, data protection and rights.

The interviews reveal that there is a strong need for:
1. Clarifying the scope and intent of the DPB;
2. Include provisions for reasonable and proportional legal safeguards as part of the mandates drafted in the DPB. Without this, respondents are worried that the ramifications will be fatal for innovation, growth and security of data, among other things.

Now that the DPB has been withdrawn and it is likely that the Government will table a new set of legislations for data privacy in the winter session of the Parliament later this year, we hope that these concerns of SMBs and startups will be taken into account. We hope the report helps to facilitate more interactions between practitioners and policymakers for such future iterations of India’s privacy bill, and in turn, will inform policy directions and guidelines that can genuinely protect users’ digital data.


Conclusion

After four years since it was first tabled in the Parliament, the Draft DPB was withdrawn in August 2022. The next version of data protection legislation is likely to be tabled in the winter session of the Parliament later this year. It has been said that the DPB will be replaced by a more “comprehensive framework” that will be in alignment with “contemporary digital privacy laws”. 7

It is worth remembering that a robust legislation on digital data protection is, indeed, the need of the hour, and surely long overdue. And, the road to this legislation has had a commendable history - one that stems from the Puttaswamy judgement which acknowledged privacy as a right. That the country needs a reliable data protection law, especially in these times of digitization and consensus on the importance of data, cannot be emphasized enough.

We do consider this a milestone that the State is finally invested in the framing of a legislation that is meant to safeguard the users’ data privacy and sovereignty as well as facilitate growth and innovation of businesses dealing with digital data. Reports already suggest that certain concerning aspects of the DPB are likely to be taken care of. 8 Having said that, the fact remains that four years later, we are at square one again.

As we wait for a data protection law in India, we hope that the new legislation will cater to the on-ground voices of the businesses who will be affected by such laws. Besides, as SMBs and startups have had a lot of experience with regulations and compliance procedures for their specific businesses already, be it with the European Union’s General Data Protection Regulation (GDPR) or with sectoral laws and policies for their industry, they certainly do have useful insights on what data protection regimes can actually do to foster innovation while safeguarding privacy rights.

Below are some recommendations, drawn from the survey, which Privacy Mode advocates need to be considered in the new data protection legislation when it is next tabled in the Parliament.

Regarding mixing of personal and non-personal data.

The mixing of personal and non personal data has given rise to a lot of confusion about the DPB, and adds more layers of compliance and operational costs for businesses.
Since non personal data can be de-anonymized, it poses a privacy threat to the ecosystem. Even when the data is in the form of aggregated, non-identifiable form, respondents said that there is always the possibility of re-identification.
We recommend that non-personal data be left out of the DPB, and that it be governed through other frameworks. We also recommend that the government must carry out consultations with stakeholders to decide on how non-personal data can be regulated. It is also recommended that policymakers provide concrete definitions for new categories of data as sensitive personal data, and not let this be an arbitrary process.

Regarding data localization and cross border data flows.

It is imperative that the DPB does not mandate restrictions on storage, transfer, and processing of personal data within the border of this country alone. This will be a serious blow to the open nature of the internet and digital data.
While it is commendable that this provision is meant to assure safety and privacy of personal data, these could very well be achieved without such restrictive measures. An environment ensuring free flow of data - while guaranteeing privacy and reasonable safeguards for data sovereignty - will help in promoting an open and innovative society and economy.
In fact, the latest National Trade Estimate Report on Foreign Trade Barriers released by the US government in March 2022 also makes a strong case against such provisions in the DPB. It said that these provisions “would serve as significant barriers to digital trade between the United States and India. These requirements, if implemented, would raise costs for service suppliers that store and process personal information outside India by forcing the construction or use of unnecessary, redundant local data centres in India … (and) could serve as market access barriers, especially for smaller firms.”9
To assure privacy in the free flow of data across borders, the future version of a privacy bill for India must endeavour to provide adequate legal safeguards that will be beneficial to the user’s data and to the business’s success. 10 Additionally, ambiguous phrases like “public policy” and “State policy” must be defined in it.

Regarding Privacy by Design.

First, as the founder of an MLOps business said,

“But I think the way to do privacy by design is to create public goods, shared recipes, scripts, tools, methods, in steps to be followed, make it really easy for companies to think about privacy, right? But you will not have this until you have means, motive, and opportunity.” By means, the founder referred to necessary background knowledge about tools and script required. By motivation, they referred to the creation of a general discourse on privacy in tech. And, by opportunities, they meant that individuals who pursue privacy research and design ought to be given incentives and made to feel valued. “The bill addresses a little bit of the motivation, but we have a long way to go,” the founder said.

Second, respondents suggested that there should be clarity about what Privacy by Design even means in the context of DPB, and how the DPA hopes to certify and approve this for businesses.

Third, many respondents suggested that Privacy by Design policy should not be a mandatory compliance requirement that needs approval by the DPA. “It should come into picture when there is a dispute in terms of data protection, i.e., if there have been some issues in terms of data protection, data privacy or information security, then the privacy by design policy of the company can be scrutinized.”

Fourth, one respondent involved with an agri-tech business suggested easing of the consent management systems involved with Privacy by Design policy as prescribed in the provisions of the DPB. They suggested one waiver instead of multiple consent management checks that add more friction to the process for users and for businesses.

Regarding algorithmic fairness.

First, the provision needs clarity. Since this is a design and technology principle that is largely a theoretical concept, it will be useful to have defined boundaries regarding what the DPB means by algorithmic fairness.

An architect with a FinTech business said,

“I think the regulation needs to define what exactly it tries to achieve with looking at the whole fair AI algorithm. In my view, that basically comes to the question of specific vulnerable groups, for example, groups of women who do not have access to the formal financial system. So for people with low income or people who are on social benefits, and make sure that the algorithms are not discriminating against groups of people.”

Second, it is necessary to have use cases for this provision. In the words of the respondent cited earlier,

“This is what needs to be defined very well by the regulation: what specific use cases need to be addressed? Otherwise, we can always find, you know, a criteria on which certain algorithms won’t be fair or want to get to groups of customers in the same way. So it is a very, I would say delicate question, which needs specific use cases to be defined to make it very much practicable and enforceable, especially in the financial technology sector.”

Third, data and technology experts, especially, recommended that this provision of the future version of a privacy bill for India can be closer to being practical only when measurability and accountability factors are clarified. Respondents said that it is essential to know what metrics the DPA hopes to use for algorithmic fairness.

Finally, that will then require a team of auditors who are well-versed with data and algorithms in ways that they can address nuances and specificities of all businesses. The auditors should be composed of neutral arbitrators too “who can actually assess how fair the algorithms are in that particular context” said one respondent.

Regarding overarching powers of the government.

To thwart the risks of overriding powers of the government’s access to data, some of the recommendations by respondents are as follows.

The lack of clarity about what constitutes as “necessary or expedient” to enable broad data sharing with the government needs to be addressed.

“I think the Bill needs to specify what exactly means by fair requirements, and in what cases this actually needs to happen. Otherwise, what is left at the discretion of the government agencies might be interpreted in multiple ways. It is important to outline more more concrete, specific use cases,” said an architect.

One of the respondents suggested that such demands for broad exemptions to the government and central agencies must be supported by “at least the High Courts or higher, and not even by the level of a magistrate or even SHO kind of thing.” Another respondent also echoed this recommendation,

“I think the exemptions need to have a process that the courts need to uphold, rather than the exemptions being blanket requests, which they can make at any time without any sort of checks and balances.”

It is worth noting that the earlier 2018 draft did have provisions for due authorization by law for such provisions. 11


Survey Design and Research Methodology

Participant Profile Distribution

{
  "height": "320",
  "width": "480",
  "autosize": {
    "type": "fit",
    "contains": "padding",
    "align": "centre"
  },
    "data": {
    "values": [
      {"category": [" ","Architect"], "value": 4.2, "label": "4.2%"},
      {"category": "Product manager", "value": 12.5, "label": "12.5%"},
      {"category": ["Senior", "Engineer"], "value": 33.3, "label": "33.3%"},
      {"category": "Founder", "value": 50, "label": "50%"}
    ]
  },
  "mark": "arc",
  "encoding": {
    "theta": {"field": "value", "type": "quantitative", "stack": true},
    "color": {"field": "category", "type": "nominal", "legend": null}
  },
  "layer": [
    {"mark": {"type": "arc", "outerRadius": 130, "innerRadius": 70, "padAngle": 0.01}
},
    {
      "mark": {"type": "text", "radius": 105, "fill": "#fff"
      },
      "encoding": {
        "text": {"field": "label", "type": "nominal"},
        "size": {"value": 12}
        }
    },
    {
      "mark": {"type": "text", "radius": 170
      },
      "encoding": {
        "text": {"field": "category", "type": "nominal"},
        "fill": {"value": "#000"},
        "size": {"value": 12}
        }
    }
  ]
  }

This report has been created through semi-structured interviews with individuals in SMBs and startups 6.
The Privacy Mode team identified and shortlisted business leaders, startup founders, Chief Executive Officers (CEOs), Chief Technology Officers (CTOs), security and compliance experts, product managers, and engineering heads from the Indian SMB and startup ecosystem. A total of 30 individuals were interviewed through June and July 2022. Domain diversity and scale of operations of the startups were the two factors considered when shortlisting and contacting individuals and organisations to participate in this research.

The Privacy Mode team reached out to the interviewees with a primer on DPB, interview questionnaire, and an ethics and consent form prior to the interviews. See Appendices I and II for reference to the primer and the questionnaire. The primer and background material were compiled so that respondents understood the nuances and trajectories of DPB before the interview, and were in a position to respond to the questions with an informed opinion.


Credits and acknowledgements

We thank all the interviewees who participated in this research and have shared their views.

  • Sweta Dash is the Lead Researcher of this study. She is a researcher and independent journalist based in New Delhi.

  • Kalki Vundamati was the research assistant for the report.

  • Aditya Sujith Gudimetla drafted the interview questionnaire, which was finalized taking into account comments from reviewers, and based on the responses during initial interviews.
  • Neeta Subbiah draft the primer, and participated in initial interviews.
  • Sankarshan Mukhopadhyay, editor at Privacy Mode, reviewed and provided critical feedback during various stages of this report’s preparation.
  • David Timethy is project manager at Privacy Mode. He oversaw the completion and publication of this report.
  • Anish TP create charts and visuals for the report.

Community participation and peer review

In keeping with Privacy Mode’s policy of peer review, interviews were conducted by the Lead Researcher and collaborators from the community. We thank the interviewers from the community for their active role in the research process, and for bringing a critical perspective to this report.

  • Dr. Akshay S Dinesh is policy and ethics consultant at Weavez Technologies.
  • Joshina Ramakrishnan from Weavez Technologies is a software engineer and an entrepreneur with a decade of experience in inclusive technologies.
  • Kritika Bhardwaj is an advocate practising in Delhi.
  • Maansi Verma is a lawyer and public policy researcher.
  • Sameer Anja is co-founder at Arrka Privacy Management Platform.

Citations and references for additional reading

👉 Draft Data Protection Bill, 2021:

👉 Seetharaman, Bhavani: “Understanding innovation in the Indian tech ecosystem” published at Mozilla Open Innovation Project: Understanding Innovation in the Indian Tech Ecosystem . Specifically, see the chapter on the impact of policy on entrepreneurs in non-urban ecosystems - https://has.gy/ipSo

👉 Timeline of the Bill

👉 Appendix - 1 Primer

👉 Appendix - II Interview questionnaire

👉 Glossary


Footnotes


  1. Privacy Mode reviewed the changes introduced in this PDP Bill, and its likely impact on SMEs. This review was shared with the newly constituted JPC in September 2021. The review is published at: hasgeek.com/privacymode/pdp-bill.
    Also see Data Protection Bill will increase compliance cost for small companies: Hasgeek: Business Line. Sept 2021 

  2. In the report on privacy practices in the Indian tech industry in 2020, Nadika Nadja and Anand Venkatnarayanan make the argument that compliance often becomes a checkbox to achieve instead of companies focussing genuinely on user data privacy. This particularly happens in heavily regulated sectors when leadership looks at compliance as an inconvenience that must be fulfilled, instead of paying attention to genuine user privacy issues. See - Privacy practices in the Indian technology ecosystem.
    Withdrawal of the DPB in August 2022:
    Government Withdraws Personal Data Protection Bill, Plans New Set of Legislations: The Wire. Aug 3rd 2022
    Explained: Why the Govt has withdrawn the Personal Data Protection Bill, and what happens now: The Indian Express. Aug 6th 2022 

  3. In a review of Telangana state government’s agriculture data management policy, it has been pointed out that policymakers discount the fact that non-personal data (NPD) stems from personal data, and hence, focussing excessively on NPD poses risks for deanonymization of personal data. Review of Telangana state’s Agricultural Data Management Policy 2022: Privacy Mode. Aug 6th 2022 

  4. See the summary of this public discussion on the internal and external organisational risks posed by NPD on businesses at India’s Non-Personal Data (NPD) framework: Privacy Mode.
    Justice K.S.Puttaswamy(Retd) … vs Union Of India And Ors. on 24 August, 2017: Justice K.S.Puttaswamy(Retd) … vs Union Of India And Ors. on 24 August, 2017: Indian Kanoon 

  5. In a panel discussion on current industry practices around Privacy by Design, it was suggested that policies be made on a principle basis, rather than with very specific technological recommendations. The implementation of these policies should be left to broad industry discussions, among tech and business communities. See Privacy Best Practices Guide: for a summary of the panel discussion : Privacy Mode. 

  6. According to the Government of India, small and medium businesses are those that have investments between 10-50 crores and turnovers between 50-250 crores respectively. Businesses are recognised as a startup till 10 years from its date of incorporation, with a revenue threshold of Rs 100 crore. MSME Gazette of India 1, MSME Gazette of India 2 

  7. Source: https://www.business-standard.com/article/economy-policy/70-respondents-want-data-protection-bill-to-drop-localisation-rule-survey-122082400325_1.html 

  8. See For better compliance, tech transfer, Govt to ease data localisation norms: Indian Express Aug 14 2022. Also see What MeitY Has Said On Upcoming IT Laws Since Withdrawing The Data Protection Bill: Medianama Aug 10 2022 

  9. See USTR Releases 2022 National Trade Estimate Report on Foreign Trade Barriers: ustr.Gov Mar 31 2022. 

  10. See Bhavani Seethraman’s critique of the data localization provisions in the PDP Bill, and the potential loss to GDP that this clause will clause were it to be implemented: Privacy Mode

  11. See Ugly Sides of Data Protection Bill and Fallacies of JPC Report: News Click Dec 20 2021, There’s an expansion of state power in the domain of privacy: Indian Express Dec 18 2021, Sweeping powers to government under data protection Bill a step backwards, say experts: Economic Times Dec 11 2019 

Hosted by

Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences. Sponsors: Privacy Mode’s programmes are sponsored by: more

Supported by

about.facebook.com/meta

Sweta Dash

Overreaching powers to government and central agencies - problems with government exemptions; fear of data sharing with government and central agencies; anonymized datasets

Submitted Aug 17, 2022

The 2019 PDP Bill laid down exemptions for government agencies from data regulations prescribed in the Bill. The 2021 DPB continues to retain these exemptions for the government and central agencies, including police, CBI, ED, RAW, IB and UIDAI, after the JPC Report. The draft DPB also has an insertion of a non-obstante provision in Clause 35:

“Notwithstanding anything contained in any law for the time being in force…”

This clause is also backed by an explanation which states that such exemptions should be as per a “just, fair, reasonable and proportionate procedure.”

It states:

“Notwithstanding anything contained in any law for the time being in force, where the Central Government is satisfied that it is necessary or expedient,
(i) in the interest of sovereignty and integrity of India, the security of the State,
friendly relations with foreign States ox public order; or
(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order,
it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency, as may be prescribed.”

Respondents fear that such provisions grant overarching powers for the government and central agencies to process data without the user’s consent. Among other things, they are concerned that these exemptions are “scary”, “unjustified”, and “unconstitutional”.

“While companies were being held to a standard in terms of how they should store, collect, report all of that stuff, keeping government agencies out of the ambit of this (draft) Data Protection Bill, when we are seeing so many cases of a lot of data aggregation being done by various government departments,”

said a concerned senior engineer of an IT services business.

Engineers of a business that deals with open source software products and services said,

“The excessive grant which the government has been given under this bill, that, is very scary. And it is also very unjustified, I would say.”

To explain their concerns about how this is likely to affect the future of businesses in India, an architect of a FinTech business said,

“People are talking about the fear of mass surveillance by the government. And, you know, there is a lot of scepticism in general, because of these overarching powers of the government.” The “ripple effect” of this will be the “loss of confidence in sharing data with private enterprises.” and “significantly impact” all businesses that operate in the “extremely data dependent industry”.

Respondents said they get requests to share data from law enforcement agencies for regulations and in cases of financial fraud, cybercrime, consumer complaints, and so on. They said that they have had to share details like financial transactions, call logs, and IP addresses.

“Sometimes all this does not even require customer consent,”

said an architect of a FinTech business.

Only two respondents felt that overarching powers to the government for data access might actually be justified when it is a matter of national security, specifying the instances of curbing fake news and avoiding social unrest. But, even they had concerns regarding these provisions. As one of the respondents said,

“It should be as a matter of exception, not the rule. Nowadays, I think it has become a rule rather than an exception.”

Others were also sceptical about what the exceptional circumstances even meant anymore to justify such provisions.

One of the respondents asked, “What is not covered in national security?” It was unclear to the respondents what could be classified as a reason for national security, but they were apprehensive of this resulting in intensified surveillance instead of protecting privacy.

A senior engineer of a FinTech business said,

“if there are any requests, we would always be conscious of the fact that why they are coming, what is the purpose?”

Another senior engineer from a cloud service business wondered what else even remains to be shared:

“Like, everything is getting linked by Aadhaar, etc. Right?

Interestingly, the DPB ignores the Justice Srikrishna Committee Report’s acknowledgment that unfettered government access to personal data without adherence to safeguards like “necessity and proportionality” is potentially “unconstitutional.”

Second, respondents worry about the potential misuse of data given the fact that the intention is unclear and the exemptions seem like an overreach of powers to them. One of the respondents asked what will happen if the data is passed on informally from one person to another within government agencies, or what is the procedure to handle the breach/leak of data from these businesses when in the hands of government agencies.

“The agency is also made up of people. You’re not confident that this data is going to be used against the person. So, on one hand, if you think this law is needed, like given that the agency needs to have access to certain data, but at the same time, how do I ensure that agencies are not misusing the data? So that is a concern,”

the founder of an agritech business said.

The founder of another agritech startup said she is not comfortable with this idea

“just for the fact that we have seen that in the past where things have got leaked, and not sure of how secure really the government is going to, you know, have these things taken care of. We know that there is bribery and corruption and you know, in all echelons. And, there could be personal data and non-personal data of my consumers that is available with the government and what if the government decides to give it to my competitor? I am not sure. So I’m not comfortable with the idea of the government peeping into our data.”

One specific example of the fear of such misuse is with data from the health tech industry. A respondent from a health tech business explained why he is in two minds about this provision.

“When you’re in healthcare, you kind of have a responsibility towards public health, you have responsibility towards making sure that policymaking is data-informed and things like that. So, I think, sharing anonymized and de-personalized data is probably a good idea. Except in the cases where you kind of need to identify the patient in epidemics and things like that. But again, the challenge is how the data gets shared and things like that, because of wildly different standards in different countries for different things.”

At least three respondents made direct or indirect references to a recently reported incident about Razorpay, one of the biggest business payment processing services in India, being caught sharing their user’s financial and personal information with the police.1

One respondent said that these cases of the power to access users’ private data from the government is becoming a norm in India, and needs caution. A product manager from an AI tech business said,

“So, for example, I think it was in the papers recently that the courts made a request for specific data of an individual through Razorpay. I think, again, they didn’t have to go through a court mandated process, but it’s not like they had to handle all financial leaders only towards that specific account.”

The founder of another AI tech business also said in reference to this,

“I guess we all follow what is happening in the news right now, too. So, it is that there are limits to what can be asked. And I guess it’s finding that fine balance between when a data request comes because many times it is of critical importance, but many times it also gets potentially misused for things.”

Respondents categorised this provision of the DPB to be more of a ‘civil liberties issue’. The founder of a FinTech company said that such blanket access to bypass existing legal frameworks to access any data means “terrifying ramifications” And, he said,

“If you incorporate that into an industry where it is known that the state can access whatever they want, whenever they want directly from any player, public or private institution, by bypassing the existing legal judicial framework, I think it is chilling. It will definitely affect businesses and investments and everything. I’m unable to enumerate how, but it is a much larger political problem.”

Third, respondents also find this to be another “compliance restriction”. The founder of an agritech business said,

“India is not very friendly for startups or for SMEs because the amount of regulations, the amount of different kinds of compliances, that we have to do on a regular basis is itself very large.”

Fourth, in the same vein, respondents also find this to be a threat to security of their digital information and proprietary information. An architect of a FinTech business said, “All these years, we’ve been collecting a lot of data. There is a lot of proprietary data, for example, how different types of consumers are using financial products, how they operate in our system, on our platform, and so on. So all these details are very much the way we created the technology to consume this data. We also created different models, where this data can be useful.” She said that it will be “unfair” to send out this data to the central agencies “because we spend a lot of our efforts to know our consumer better and if this data needs to be collected and then shared with everyone, I don’t think it is fair practice.”

Product managers of a software development business also said that this provision essentially “requires opening information systems and making it accessible to any central agency in any agency format, for that matter.” “I see any opening up of Information Systems, the first threat is digital security. This can hence lead to incidents that in a way affects the availability and integrity of the data. And, we are answerable to the users if anything happens to their data in this process. That is where I think it can be a double edged sword… a harmful thing for our business.”

A founder of an agritech business also added that this ultimately is discomforting for the end user. He said the end user must be thinking “I want to be anonymous, I want to use the system, my dealing with the system should be private. But if that data goes to someone else, so definitely, as a consumer, I’ll be apprehensive. And once I’m apprehensive, then I’ll stop using the system. So, it is not good for the company.”

One of the respondents, however, decided to gauge this as a glass half-full at the moment. He said, “You can argue that data is the base on which all research is built, and therefore, access to open source data means that more research and innovation will happen. The flip side of that is if all of my confidential information that I’ve worked hard to build is now available as a public dataset, then what is my incentive to continue to build on those datasets or to invest in creating that? So the minute I think it is a bit more nuanced than that question, I think it deserves a bit more attention and thought.”

Coupled with these concerns is the problem of segregating anonymized datasets and personal data on a regular basis for data sharing. Anonymization essentially means de-identification or separating data in a way that there is no personally identifiable information in it. Respondents agreed that it is not a viable solution.

Technical experts agree that irrespective of how one tries to anonymize data, there is always the inherent risk of re-identification. A founder of an agritech startup said, “I mean, everything could be traced back, especially if it is shared with the government or shared somewhere publicly, or shared to communities or to competitors. I’m sure there is a risk of it getting unencrypted and going back to the and the private data getting leaked.”2

A senior engineer of a cloud based business cited the example of a time when researchers could de-anonymize anonymized ratings data released by Netflix.3 Another founder of a FinTech business shared an example, “Google is trying to integrate some cohort-based advertising tracking directly into the Chrome browser. Where they say that users will be anonymized, and the browser will share like a generic anonymized identifier. But there have been so many examples, papers proving that even this generic identifier can be used to target specific groups of people.” So, he said, “anonymization, and dependency on anonymization, as a solution for data privacy is not bulletproof. And different kinds of data using different kinds of anonymization techniques or algorithms, there are always ways to backdoor and reverse engineer anonymization. Maybe not to the most granular possible level, but to a harmful level.”4

An architect from a FinTech business explained that there have to be guidelines, processing, and governance systems in place for anonymization of personal data to be even close to some success. “Because at the end of the day, there is always a human in the loop of any technology that is there. And, even if the technology is bulletproof and there are strong processes, almost in 100% of the cases there is a human involved in the loop. Hence a potential for breach exists.”5


  1. A similar critique of the risk of deanonymization with respect to NPD datasets has been made in response to Telegana State’s draft agriculture data management policy. See Why Is The Razorpay-AltNews Scenario A Reminder Of Section 91’S Vast Powers?: Medianama

  2. See Policy Reviews: Examining policies around privacy, data governance and usage for being explainable and specific with outcomes: Privacy Mode

  3. See You Can Be Identified by Your Netflix Watching History: Plain English.
    Also see Robust De-anonymization of Large Sparse Datasets: The University of Texas

  4. This critique and the sentiment underlying this was vociferously stated in a panel discussion on the risks of deanonymization of non-personal data. See India’s Non-Personal Data (NPD) framework Knowledge repo, archives and collaborations: Privacy Mode

  5. This point was also made during a panel of startup founders and executives who felt that when non-personal data is maintained in a company, the likelihood of an internal person accessing this data and breaching it is a constant risk. See India’s Non-Personal Data (NPD) framework Knowledge repo, archives and collaborations: Privacy Mode

Comments

{{ gettext('Login to leave a comment') }}

{{ gettext('Post a comment…') }}
{{ gettext('New comment') }}
{{ formTitle }}

{{ errorMsg }}

{{ gettext('No comments posted yet') }}

Hosted by

Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences. Sponsors: Privacy Mode’s programmes are sponsored by: more

Supported by

about.facebook.com/meta