Make a submission
Accepting submissions till 13 Sep 2021, 09:15 AM
India’s Personal Data Protection (PDP) Bill has been in the news for multiple reasons. This includes tech giants such as Whatsapp unwilling to implement data protection policies until the Bill was passed in mid July 1. In addition to this with the passage of the IT Rules, 2021 debates regarding Indian governance over data, through shifts in encryption policies were also heavily reported on 2. One can also view Hasgeek’s ongoing research on the IT Rules, 2021 for further understanding of the complexity it poses to Indian’s today.
On 8 July, members of the JPC were elevated to ministerial positions, leaving the future of data protection regulation in India uncertain. Hence, there were concerns about the passage of PDP Bill without consultation with other members of the Joint Parliamentary Committee (JPC). Postponing the submission of the JPC report post the reconstitution of it’s members till the winter session in November 2021 3.
Thus, the 2019 version is the latest draft of the PDP Bill that one can access and is the main frame of reference for our critique. The text of the Bill can be viewed at http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf
Peer review and feedback for the PDP Bill: Privacy Mode programme took the opportunity to submit a peer reviewed set of recommendations for the 2019 draft PDP Bill between 10 and 14 September. The peer reviewed recommendations document has been shared with:
Privacy Mode’s and Hasgeek’s vision is to foster peer review in the practice of technology. Solutions and problem solving approaches - those involving technology - need to be critiqued and discussed in public. The end goal is not a perfect solution. Discussing and acknowledging the pros and cons of different approaches - and putting it out there that vulnerabilities exist and must be watched - makes for sound technology (and policy) implementation.
Since 2010, Hasgeek has created platforms for practitioners to share case studies of technology (and subsequently legal and policy) implementations in the domains of data, large-scale infrastructure, Cloud infrastructure and systems engineering, security and most recently, data privacy. Tech practitioners - across a wide variety of companies and sectors - share their work at conferences and forums that Hasgeek organizes. Presenters are vetted through a process of peer review and feedback. Participants benchmark their organization’s practices against what their peers from the industry share at these platforms. A safe and welcoming environment is created to collectively introspect on emerging business, economic and societal challenges where technology has a role to play.
In the spirit of peer review, Hasgeek worked with the technology and startup ecosystems, especially between 2020 and 2021, to understand their views and concerns about privacy and data security. This submission to the JPC is consolidated from the concerns and recommendations voiced at the following forums:
Research on Non-Personal Data (NPD) with 50 representatives from engineering and product teams in startups, and with VCs and founders: The research and outreach are published at: https://hasgeek.com/PrivacyMode/non-personal-data/
Research conducted with practitioners from the tech industry between April and November 2020 on the state of privacy-tech and readiness to implement data protection in India: https://hasgeek.com/PrivacyMode/privacy-in-indian-tech-2020/ with participants from PayTech, Fintech, SaaS, social networking, and health tech.
India’s first Data Privacy Product and Engineering Conference organized in April 2021 brought practitioners from Fintech, Consumer Tech and SaaS companies to share experiential case studies about technology approaches and organizational processes for doing compliance, data security and privacy: https://hasgeek.com/rootconf/data-privacy-conference/videos.
In this submission, we have highlighted the following concerns that small and medium enterprises have with regards to the PDP Bill:
- [Bhavani Seetharaman](https://hasgeek.com/Bhavani-21) is a Research Associate at Hasgeek. She has previously worked for the Centre for Budget and Policy Studies (CBPS), Microsoft Research India, and the University of Michigan, Ann Arbor.
- Nadika Nadja is a researcher (https://hasgeek.com/nadikanadja) at Hasgeek. She has worked across advertising, journalism, TV & film production as a writer, editor and researcher.
We thank the following individuals for reviewing this submission and for providing valuable inputs during its drafting.
If you have comments and inquiries, post them at https://hasgeek.com/PrivacyMode/pdp-bill/comments. Follow #PrivacyMode on Twitter
WhatsApp and the wait for Data Protection Bill - https://www.thehindubusinessline.com/business-laws/whatsapp-and-the-wait-for-data-protection-bill/article35266846.ece ↩︎
The Encryption Debate in India: 2021 Update- https://carnegieendowment.org/2021/03/31/encryption-debate-in-india-2021-update-pub-84215 ↩︎
JPC gets time to present report on personal data protection bill - https://www.livemint.com/news/india/jpc-to-seek-time-to-present-report-on-personal-data-protection-bill-11627017273374.html ↩︎
MSME defines small, medium and micro enterprises based on investments and turnover amounts https://msme.gov.in/know-about-msme. In this submission, based on recommendations by the reviewers, we have defined small, medium and micro enterprises based on the number of employees and the community the enterprise is working for. If the product is extremely niche and focuses on very small consumer groups, then the compliance with regards to data protection as well as the definition of Significant Data Fiduciary (SDF) must be carefully looked into. ↩︎
Hosted by
Supported by
Submitted Sep 12, 2021
Clause 34 highlights governance over data transfers between different countries, giving exceptions to only certain allowances such as emergencies. By doing so, the ease of doing business with multiple entities1 situated in different countries becomes more complex, resulting in loss of opportunities for Indian businesses to compete on the global stage. United National Conference on Trade and Development (UNCTAD) estimates that roughly 50 percent of all trade services are enabled by technology, and there is cross border flow of data2. It is therefore important to note that such practices can cause difficulties for tech-enabled businesses. As a participant at the Data Privacy Conference explained:
“If we are building for privacy, why not build the infrastructure globally and holistically? The same infrastructure and architecture should be extendable to different countries instead of dealing with each country on a case-by-case basis. In our organization, we decided that we will take the best of the existing privacy laws and build privacy infrastructure for the most stringent of these regulations, and then enforce adoption globally. This helps us in the future because as more countries implement privacy laws, it becomes easier for us to comply with these laws.”
It is important for the law to take into account that for business entities that have already invested in compliance with international legislation, they should not be forced to incur huge financial pressures for compliance to the PDP because of vast differences between international regulations and PDP.
It is estimated that India will lose roughly 0.7-1.7% of its GDP3 if data localization practices were to be implemented. It is also important to remember that many smaller entities depend on cloud storage software for managing data assets and running infrastructure. All of these entities are internationally owned and globally recognized products. Harvard Business Review (HBR)4 states that over the last decade, global flows of goods, services, finance, people, and data have contributed at least 10% of world’s GDP, adding $7.8 trillion in 2014 alone. Similarly, the 2016 study by McKinsey[McKinsey] shows that 86% of tech-based startups they surveyed had some type of cross border interaction.
Supply chains are not necessarily data localized. This creates problems, because adherence to data localization does not mean that all parties depending upon for data flows are not automatically compliant. ↩︎
Read the report by Indian Council for Research on International Economic Relations (ICRIER) here: https://icrier.org/pdf/Economic_Implications_of_Cross-Border_Data_Flows.pdf ↩︎
Cory explains in his paper that concerns of cybersecurity can be managed through means other than data localization, and shares estimates of overall financial losses for countries that implement data localization policies. https://www2.itif.org/2017-cross-border-data-flows.pdf ↩︎
Article link: https://hbr.org/2016/03/globalization-is-becoming-more-about-data-and-less-about-stuff
[McKinsey]:Summary of the study is published at: https://www.mckinsey.com/~/media/mckinsey/business functions/mckinsey digital/our insights/digital globalization the new era of global flows/mgi-digital-globalization-executive-summary.pdf ↩︎
Hosted by
Supported by
{{ gettext('Login to leave a comment') }}
{{ gettext('Post a comment…') }}{{ errorMsg }}
{{ gettext('No comments posted yet') }}