India’s Personal Data Protection (PDP) Bill has been in the news for multiple reasons. This includes tech giants such as Whatsapp unwilling to implement data protection policies until the Bill was passed in mid July 1. In addition to this with the passage of the IT Rules, 2021 debates regarding Indian governance over data, through shifts in encryption policies were also heavily reported on 2. One can also view Hasgeek’s ongoing research on the IT Rules, 2021 for further understanding of the complexity it poses to Indian’s today.
On 8 July, members of the JPC were elevated to ministerial positions, leaving the future of data protection regulation in India uncertain. Hence, there were concerns about the passage of PDP Bill without consultation with other members of the Joint Parliamentary Committee (JPC). Postponing the submission of the JPC report post the reconstitution of it’s members till the winter session in November 2021 3.
Thus, the 2019 version is the latest draft of the PDP Bill that one can access and is the main frame of reference for our critique. The text of the Bill can be viewed at http://126.96.36.199/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf
Peer review and feedback for the PDP Bill: Privacy Mode programme took the opportunity to submit a peer reviewed set of recommendations for the 2019 draft PDP Bill between 10 and 14 September. The peer reviewed recommendations document has been shared with:
- B N Mohapatra of the Joint Parliamentary Committee (JPC) Secretariat.
- P P Chaudhary, JPC Chairperson.
- Ashwani Vaishnaw of MEITY.
- Rajeev Chandrasekar of MEITY.
- Piyush Goyal of the Department for Promotion of Industry and Internal Trade (DPIIT).
- ~30 representatives from Lok Sabha and Rajya Sabha.
Privacy Mode’s and Hasgeek’s vision is to foster peer review in the practice of technology. Solutions and problem solving approaches - those involving technology - need to be critiqued and discussed in public. The end goal is not a perfect solution. Discussing and acknowledging the pros and cons of different approaches - and putting it out there that vulnerabilities exist and must be watched - makes for sound technology (and policy) implementation.
Since 2010, Hasgeek has created platforms for practitioners to share case studies of technology (and subsequently legal and policy) implementations in the domains of data, large-scale infrastructure, Cloud infrastructure and systems engineering, security and most recently, data privacy. Tech practitioners - across a wide variety of companies and sectors - share their work at conferences and forums that Hasgeek organizes. Presenters are vetted through a process of peer review and feedback. Participants benchmark their organization’s practices against what their peers from the industry share at these platforms. A safe and welcoming environment is created to collectively introspect on emerging business, economic and societal challenges where technology has a role to play.
In the spirit of peer review, Hasgeek worked with the technology and startup ecosystems, especially between 2020 and 2021, to understand their views and concerns about privacy and data security. This submission to the JPC is consolidated from the concerns and recommendations voiced at the following forums:
Research on Non-Personal Data (NPD) with 50 representatives from engineering and product teams in startups, and with VCs and founders: The research and outreach are published at: https://hasgeek.com/PrivacyMode/non-personal-data/
Research conducted with practitioners from the tech industry between April and November 2020 on the state of privacy-tech and readiness to implement data protection in India: https://hasgeek.com/PrivacyMode/privacy-in-indian-tech-2020/ with participants from PayTech, Fintech, SaaS, social networking, and health tech.
India’s first Data Privacy Product and Engineering Conference organized in April 2021 brought practitioners from Fintech, Consumer Tech and SaaS companies to share experiential case studies about technology approaches and organizational processes for doing compliance, data security and privacy: https://hasgeek.com/rootconf/data-privacy-conference/videos.
- To present the concerns of tech practitioners from small4, medium and large businesses with the PDP Bill, and what they foresee as significant compliance challenges.
- To request the JPC to carry out public consultations with software architects, product teams and legal teams from small, medium and large-sized organizations about potential technical challenges in implementing the PDP Bill.
- To incorporate the spirit of peer review in the policy-making process, where practitioners can offer feedback on the ‘technique’ and technicalities of implementation, and safeguards that have to be put in place to ensure true data protection.
In this submission, we have highlighted the following concerns that small and medium enterprises have with regards to the PDP Bill:
- Ambiguous definitions.
- Data localization and international policy.
- Costs of compliance.
- Power of the Data Protection Authority (DPA) over Data Fiduciaries.
- Governance of Non-Personal Data (NPD).
The key concerns and recommendations have been expanded in the following sections. Scroll down to read.
- Bhavani Seetharaman is a Research Associate at Hasgeek. She has previously worked for the Centre for Budget and Policy Studies (CBPS), Microsoft Research India, and the University of Michigan, Ann Arbor.
- Nadika Nadja is a researcher (https://hasgeek.com/nadikanadja) at Hasgeek. She has worked across advertising, journalism, TV & film production as a writer, editor and researcher.
We thank the following individuals for reviewing this submission and for providing valuable inputs during its drafting.
- Suman Kar, founder of security firm Banbreach, for participating in writing the early drafts of this submission. Suman’s work on data security includes analysis of predatory loan apps and impact on consumers - https://hasgeek.com/cashlessconsumer/killerloanapps-detecting-fake-fintech-apps/
- Rajiv Onat, Senior Leader working on Data Platforms, for reviewing key concerns and adding nuance on operational aspects of compliance.
- Yagnik Khanna, independent software architect and curator at Rootconf, for reviewing key concerns and adding nuance to compliance requirements from engineering and inclusion perspectives.
- Sathish KS, Senior Engineering Leader, for reviewing key concerns and adding nuance on operational aspects of compliance. Sathish has also shared perspectives and concerns about the costs of compliance and impact on engineering processes under the proposed NPD framework at https://hasgeek.com/PrivacyMode/impact-of-non-personal-data-npd-framework-on-engineering-processes/videos
WhatsApp and the wait for Data Protection Bill - https://www.thehindubusinessline.com/business-laws/whatsapp-and-the-wait-for-data-protection-bill/article35266846.ece ↩
The Encryption Debate in India: 2021 Update- https://carnegieendowment.org/2021/03/31/encryption-debate-in-india-2021-update-pub-84215 ↩
JPC gets time to present report on personal data protection bill - https://www.livemint.com/news/india/jpc-to-seek-time-to-present-report-on-personal-data-protection-bill-11627017273374.html ↩
MSME defines small, medium and micro enterprises based on investments and turnover amounts https://msme.gov.in/know-about-msme. In this submission, based on recommendations by the reviewers, we have defined small, medium and micro enterprises based on the number of employees and the community the enterprise is working for. If the product is extremely niche and focuses on very small consumer groups, then the compliance with regards to data protection as well as the definition of Significant Data Fiduciary (SDF) must be carefully looked into. ↩
Conclusion and recommendations
For smaller organizations to comply with PDP, two suggestions have been made:
- Differential compliance for small organizations: Put in a different set of rules based on the asset size of the organization and the number of records that they are processing. If organizations have to compulsorily follow a large set of controls or regulations which are beyond their business value, compliance will be weak or even circumvented.
- Scaled down Data Protection (DP) practices which can be implemented by small businesses. These can be proportional to a risk score tagged to the business. The risk score needs to be objective, either based on turnaround or size of the (user) community that the business serves.
Small and medium organizations struggle at various stages to establish a business model with unit economics. This is a paramount concern when the policy environment and legislations are create an environment of uncertainty. While there is intent to embed privacy practices in the product-development cycle, small and medium organizations face challenges with respect to people, budgets and autonomy in decision-making to implement the same.
Privacy Mode’s research on privacy practices in India’s tech ecosystem1 clearly explains that adding regulatory pressure does not improve privacy outcomes. On the other hand, regulation can increase the compliance burden, thereby adversely affecting small and medium organizations and turning them into non-viable businesses. Therefore, we sincerely submit that the JPC takes note of the concerns of the industry and provides remedial measures in drafting of the final PDP Bill. This includes taking suggestions from practitioners and incorporating feedback on practical suggestions that will help transition India to personal data protection smoothly.
The Annexure attached with this submission highlights in further detail each clause and the recommendations and justifications that the community believes must be considered in order to pave the way for smoother compliance.
See the recommendations section of the Privacy-tech research at https://hasgeek.com/PrivacyMode/privacy-in-indian-tech-2020/ for an elaboration of this finding. ↩