Personal Data Protection (PDP) Bill: Review and Recommendations from India's technology community, based on the Draft (2019) Bill
Note: This submission is developed by the Privacy Mode to share with the Joint Parliamentary Committee (JPC) on the Personal Data Protection (PDP) Bill 2019 Draft when the JPC is reconstituted (following Cabinet reshuffling and JPC members being given ministerial positions as on 8 July 2021).
Respected Joint Parliamentary Committee (JPC) Members,
Privacy Mode programme is grateful for the opportunity to contribute a submission consisting of recommendations from the technology and startup communities to the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, 2019 (PDP). The PDP Bill has legal and cultural significance for the privacy of the citizens of India, and how Data Fiduciaries and Data Processors will comply with the law going forward.
Privacy Mode’s - and Hasgeek’s - vision is to foster peer review in the practice of technology. Solutions and problem-solving approaches - those involving technology - need to be critiqued and discussed in public. The end goal is not a perfect solution. Discussing and acknowledging the pros and cons of different approaches - and putting it out there that vulnerabilities exist and must be watched - makes for sound technology (and policy) implementation.
Since 2010, Hasgeek has created platforms for practitioners to share case studies of technology (and subsequently legal and policy) implementations in the domains of data, large-scale infrastructure, Cloud, design, security and most recently, data privacy. Tech practitioners across a wide variety of companies and sectors share their work at conferences and forums that Hasgeek organizes. Presenters are vetted through a process of peer review and feedback. Participants benchmark their organization’s practices against what their peers from the industry share at these platforms. A safe and welcoming environment is created to collectively introspect on emerging business, economic and societal challenges where technology has a role to play.
In the spirit of peer review, Privacy Mode worked with the technology and startup ecosystems, especially between 2020 and 2021, to understand views and concerns about privacy and data security. Our Submission to the JPC is consolidated from the concerns and recommendations voiced at the following forums:
- Research on Non-Personal Data (NPD) with 50 representatives from engineering and product teams in startups, and with VCs and founders: The research and outreach are published at: https://hasgeek.com/PrivacyMode/non-personal-data/
- Research conducted with practitioners from the tech industry between April and November 2020 on the status of building privacy features and initiatives in products: https://hasgeek.com/PrivacyMode/privacy-in-indian-tech-2020/ with participants from PayTech, Fintech, SaaS, social networking, and health tech.
- India’s first Data Privacy Product and Engineering Conference organized in April 2021 brought practitioners from Fintech, Consumer Tech and SaaS companies to share experiential case studies about technology approaches and organizational processes for doing compliance, data security and privacy: https://hasgeek.com/rootconf/data-privacy-conference/videos. This conference included a talk by Prof. Matthew Green from Johns Hopkins University who spoke about the policy debates and technology developments around encryption globally.[^1]
- To present concerns that tech practitioners across Indian small, medium and large-sized businesses have with the PDP Bill, and what they foresee as significant compliance challenges.
- To request the JPC to carry out public consultations, with representatives from small, medium and large-sized organizations, and to take into consideration their inputs with regards to potential operational challenges with compliance.
- To incorporate the spirit of peer review in policy-making and in the process, foster an involved citizenry which is at the core of democracy.
Overall, for small-sized organizations to adhere to PDP compliance, two suggestions have been put forward:
1. Differential compliance for small organizations: put in a different set of rules based on the asset size of the organization and the number of records that they are processing. If organizations have to compulsorily follow a large set of controls or regulations which are beyond their business value, compliance will be weak or even circumvented.
2. Scaled down Data Protection (DP) practices which can be implemented by small businesses: these can be proportional to a risk score tagged to the business. The risk score needs to be objective, based either on turnover or on the size of the user community that the business serves.
In this submission, we highlight the concerns of the small and medium-sized enterprises with regards to the PDP in the following areas:
1. Ambiguous definitions
2. Data localisation and international policy
3. Costs of compliance
4. Power of the Data Protection Authority (DPA) over Data Fiduciaries (DF)
5. Governance of Non-Personal Data (NPD)
Key Concerns and Recommendations: the following section expands on the concerns and recommendations.
Definition for compliance: Clauses 14, 24
Clause 14 allows for the processing of personal data without consent. Specifically, sub-clause 14(1)(c) provides that data may be processed without consent where the processing is in the public interest. Nowhere in the legislation is there a definition of what constitutes public interest. This can lead to large-scale misinterpretation of the legislation and can further lead to non-compliance by smaller entities[^2], requiring them to incur new costs. In addition to this, further protections are required to ensure that minority groups’[^3] concerns are also included in the definition of public interest.
On the other hand, sub-clause 14(1)(b) allows fiduciaries to assume consent in certain cases. Assumed consent can have legal ramifications. An example is the case of AOK Baden-Wuerttemberg[^4] in Germany, which used personal data from its customers for a raffle. In this case, the company assumed that the consent of the 500 participants had been obtained. However, this did not meet the legal consent requirements, and the company was fined 1.5 million dollars.
Similarly, Clause 24 focuses on the actual process of data processing. It is important to understand that many entities might have already begun implementing their own data processing tools, but due to the arbitrary definitions of the process, their work may not be considered compliance ready. Therefore it is necessary to provide clear articulation of what practices are deemed acceptable under each of sub-clauses 24(1)(a), (b) and (c) (which cover the process of de-identification and encryption, protection of the integrity of personal data, and the steps necessary to prevent misuse of data, respectively). For example, StarMed Specialist Centre Ltd[^5] in Singapore reported a breach due to a Remote Desktop Protocol (RDP) port left open, allowing unauthorised access. Fiduciaries must know of all the possible risks and the correct methods of implementation to avoid such situations. Without such clarity, many stakeholders might be investing in protocols that are not deemed adequate, which will result in non-compliance, data breaches and penalisation.
Arbitrary Governance: Clauses 26, 35, 86
Clause 26 allows the DPA to have the final say in judging whether a stakeholder is to be classified as a Data Fiduciary (DF) or a Significant Data Fiduciary (SDF). Thereby, the DPA has the power to override the preceding sub-clauses, which take into account aspects such as turnover and size of the organization. We know from the penalisation clauses that the financial costs of non-compliance grow substantially once a DF is classified as an SDF; without a clear code of conduct governing such a judgement, many smaller stakeholders will be unable to recover financially from the PDP.
Similarly, Clause 35 allows the Central Government to have unbridled exemption powers over the governance of data, which needs to be revisited. From the findings of the privacy-tech survey and the lack of forums for peer review and sharing privacy practices, we suggest that the DPA must focus on capacity building to help organizations upskill for PDP compliance. The DPA should support or partner with organizations that undertake such initiatives. As one of the participants at the Data Privacy Conference said,
“Technological implementations are overrated. Investment has to be done in people and setting up processes. To address something at the technical layer, it is easy if you have to enable say encryption and access management. The larger problem is people. Here, you need a lot of investment in the form of skill training and making employees aware of what is required - the legalese and then the implementation approaches and alternatives.”
This is further accentuated by sub-clause 86(3) which allows for the government to override the DPA’s authority.
Broad Definition Irrespective of Varied Stakeholders: Clauses 27, 50, 53
Except for the clauses articulating financial penalisation, other aspects of governance remain the same for all stakeholders despite having completely different effects on the ground. Because aspects of governance remain vague and open to interpretation, many stakeholders will be confused, which might lead to further non-compliance. Instead, representatives believe that there must be a fairer risk assessment protocol for different organizations and options for scaled down data processing practices.
As the DPA has the final authority over what can be defined as fair processing of personal data, this ambiguity does not help stakeholders who lack adequate knowledge or support with regards to data protection. Similarly, the inquiry process may not be difficult for larger organizations to comply with, but for smaller entities it could lead to financial collapse. Therefore, it is important to take into account the nature of the organization and further details regarding its functioning when governing stakeholders. Clause 27 is a good example of how this could be confusing: many entities might be classified as SDFs merely because they use social media technologies, and as a result the updating of technology practices might be halted, stalling opportunities for innovation.
Wide definitions of Data that intersect: Clauses 3, 15
Sensitive personal data under sub-clause 3(36) includes financial data, health data, official identifiers, biometric data, sexual orientation, etc. Then in Clause 15 the Central Government once again has the final authority, along with the DPA, to define what may be considered sensitive personal data, based on the risk of significant harm. What may be defined as significant harm needs to be addressed.
Under these clauses, we see that there are questions regarding the broad scope of personal data and the final authority’s arbitrary use of power for defining sensitive personal data.
Therefore we believe that such definitions need to be reviewed so as to not cause further confusion for implementation by all parties.
Competitive Disadvantage: Clause 34
Clause 34 governs the transfer of data between different countries, allowing only limited exceptions such as emergencies. By doing so, the ease of doing business with multiple entities[^6] situated in different countries is reduced, resulting in lost opportunities for up-and-coming Indian businesses to compete on the world stage. UNCTAD estimates that roughly 50 percent of all trade in services is enabled by technology and cross-border flows of data[^7]; it is therefore important to keep in mind how such practices might cause difficulties for tech entities. As one respondent in a discussion of the law explained,
“If we are building for privacy, why not build it globally, as a holistic infrastructure? … why deal with different countries, (and) different things? … what we thought about is that we will take the best of the privacy laws, what are the most stringent of them, and enforce them globally? … (This) … helps us and in the future, as more countries come under privacy regulations, it is easier for us to comply with those laws. …, there might be slight, minor changes here and there with respect to the nitty gritties of policies, which might say that, ‘you have to notify differently, or you might, you might have different requirements.’ … with that in mind, I feel we are fairly comfortable with where we are with the GDPR and other regimes …”
Therefore it is also important for the law to take into account international regulations and ensure that entities which have already begun their efforts towards compliance with international legislation are not forced to incur huge financial pressures to comply with the PDP.
It is estimated that India would lose roughly 0.7-1.7% of its GDP[^8] if data localisation practices were to be implemented. It is also important to remember that many smaller entities depend on cloud storage software for daily tasks. All of these entities are internationally owned and globally recognised products. Harvard Business Review[^9] states that over the last decade, global flows of goods, services, finance, people, and data have contributed at least 10% of world GDP, adding $7.8 trillion in 2014 alone. Similarly, a study by McKinsey[^10] published in 2016 found that 86 percent of the tech-based start-ups surveyed had some type of cross-border interaction.
Based on the above observations Clause 34 must be reviewed and closer observations of current and future digital infrastructure capabilities be taken into account.
Expensive Hiring Requirements: Clause 30
Clause 30 of the PDP requires the hiring of a Data Protection Officer (DPO), who is responsible for aspects of grievance redressal mechanisms and accountable during the inquiry process. This hiring requirement doesn’t provide adequate clarity as to whether such a role can be outsourced to third parties who specialise in such compliance requirements. The GDPR has clear definitions of DPO requirements[^11], which include no short-term or fixed-term contract for the role, in addition to other factors. Similarly, the GDPR also takes into account the type of organization that requires such hiring[^12], such as those which carry out large-scale processing or handle sensitive data; such variations also need to be specified here.
In our discussions during the privacy-tech survey and the Data Privacy Conference, representatives felt that hiring specialized personnel such as legal and compliance teams, Chief Data Officer (CDO), Privacy Officer, etc is not only a matter of budgets. Such hiring also needs dedicated time and concerted efforts on the part of top management and leadership. Small and mid-sized organizations deal with this issue by assigning privacy and compliance roles to existing mid to senior executives. These executives assume compliance roles in addition to handling other responsibilities, resulting in decision-making being split between implementing for privacy versus operational exigencies. For a small-sized organization, especially a startup that is perhaps tapping an unexplored product market, product decisions are influenced more by go-to-market speeds than privacy respecting features. In such cases, Compliance Officers have no veto power on product decisions. In research conducted by Privacy Mode, organizations across the size spectrum said they were either unaware about the CDO/Compliance officer’s veto powers, or reported that the officer could not veto product decisions when privacy concerns were raised. Of large organizations surveyed, only 52%[^13] said their Compliance Officer could veto product decisions. Undoubtedly, operational imperatives win.
Expensive Documentation: Clauses 24, 28, 36
Clause 24 highlights that an integral process of data protection under the PDP requires periodic reviews to be implemented. Again, there is a lack of information regarding what intervals are required for such reviews. Clause 28 requires that periodic reports be sent to the Data Protection Authority (DPA). This clause does not expand on what might be defined as periodic intervals. Similarly, what constitutes the correct format for such reports remains vague. Irrespective of the ambiguity, it is also important to take into account that this is a time consuming process for stakeholders, especially if they are unable to hire additional staff to consistently produce such outputs. In addition to this, Clause 36 states that data protection would not be enforced with regards to legal cases of clients. Currently, there are over 4.4 crore pending cases[^14] in the country; if such a precedent is allowed, then purely as a matter of compliance Data Fiduciaries (DF) cannot predict the mountain of data they might need to publish for such cases.
Expensive Adjudicating Processes: Clauses 32, 36, 53
Clause 32 sets out the grievance redressal mechanism that DFs must implement and provides data principals with resources to protect their data. However, the process for redressal mechanisms remains vague and doesn’t give stakeholders a clear process to help them implement it. Similarly, the time frame of 30 days may not be adequate for stakeholders to properly address grievances, thereby leading to further litigation and difficulties, specifically for organizations that do not have adequate manpower to address these concerns. A participant in the discussion about readiness of Indian tech companies for the PDP (at the Data Privacy Conference) said that this was often because a startup doesn’t look at the problems of data governance from day one, which, considering the growth of governance tech, might need to change in the coming years. Another participant explained the situation on the ground for startups:
“Some of them, I can tell you, for them to think about compliance is like taking away 50% of their engineering bandwidth. They are that small, like, I don’t know, how would they come in? I don’t think they think about data that much. Like some of them are starting to look at the analytical aspect of it and they are collecting information and analyzing it. But … data governance as a concept in itself is a huge massive engineering, product and operational effort.”
Small and medium-sized organizations do not have the organization structure or capability to have specialised departments to handle risk and compliance, which – combined with their lack of training budgets for privacy and lack of standard procedures to handle privacy concerns or risk – is a point of great concern and will have implications across the tech ecosystem. Under the GDPR[^15], there is no specific time frame, but there is a time range for handling grievances and complaints.
On the other hand, the GDPR highlights what can be considered grievances[^16] under the law and also specifies the period within which the controller must issue the petition to the DPA. Simultaneously, as highlighted under the above sub-heading, Clause 36 also provides that personal data protections do not apply to legal cases, due to which organizations will be embroiled in more litigation. Finally, we note that Clause 53 focuses on the inquiry process when the DPA believes that an organization has not complied with the PDP. This matters because the final authority on compliance rests on Clause 24, which means that non-compliance is also governed by the arbitrariness of the DPA’s discretion. The inquiry process not only holds everyone who works with the DPO accountable to the inquiry but also those who were outsourced for specific services they provided to the DPO’s office. Many third parties will be disinclined to provide services due to such an inquiry process. Hence many stakeholders would need to hire large compliance teams, which they may not be able to afford.
Penalisation: Clauses 58-61
Clauses 58-61 set out the financial costs of non-compliance and expose DFs to a range of financial penalties for non-compliance. There are different ranges for DFs and Significant DFs (SDF). As the final authority for defining who can and cannot be an SDF, the DPA possesses the arbitrary right to determine whether smaller enterprises are to be considered SDFs. In doing so, many might be unable to survive in the current climate.
Thus we believe that the clauses highlighted above must provide further clarity on the exact process required for processing personal data, and terms such as public interest need an appendix with examples. Similarly, periodic intervals must be specified and must take into account the size of the organization and the manpower and investment needed for such implementation.
Lack of Stakeholder Interaction: Clauses 26, 34, 53, 93, 94
Clause 50 does provide for stakeholder interaction, in that trade associations and others may make suggestions to aid the codes of practice. But even then, the DPA does not have a clear practice that smaller entities could follow, and if an organization doesn’t have membership of a trade association or enough bandwidth to argue for its practices, it will be unable to comply with the PDP.
As one respondent highlighted,
“I work with one of the consulting organizations. … for those organizations, it can be a challenge because their model of business is a little different. They collect a lot of data. They have audit trails. They need to work a little bit more on implementing some of these PDP-related controls. They may be advising it to other companies. But I think they themselves need to put a lot of controls to make sure that they are abiding with PDP.”
From the above example we see that data fiduciaries provide different services to different clients across various sectors, and have differing audit requirements/reporting. Mandating a one-size-fits-all controls/reporting procedure under PDP will have adverse effects on reporting and other compliance requirements for each sector and increase compliance burden on both fiduciary and client.
Final Authority and Layers of Governance: Clauses 23, 34, 35, 86, 93, 94
Clauses 93 and 94 allow the DPA to appoint members of the Appellate Tribunal and to finalise the regulations for the PDP. In addition to this, Clause 34 gives the DPA the final say in what data can leave the country. Even this is overridden by the Central Government through Clause 35 for government departments and through sub-clause 86(3). Simultaneously, the PDP creates the role of the consent manager, which under Clause 23 is defined as a part of the data fiduciary but represents the data principal in case of complaints. Such a role requires further consideration and definition.
The above clauses highlight a need for more consultations with stakeholders of different sizes, nature of work, manpower and funding to effectively create easier categorization for governance practices and better compliance overall.
Jurisdiction: Clause 91
This clause allows for the collection of non-personal data which should lie outside the jurisdiction of this law. As the NPD framework hasn’t been finalised and made into a policy, there needn’t be the inclusion of such a clarification in the PDP as it should lie outside the purview of this legislation.
Definition of Personal vs. Non-Personal data: Clauses 3, 15
The definitions of what is personal and non-personal data need overhauling. As highlighted in the definitions of personal data and sensitive personal data (Clauses 3, 15), the definitions are broad and intersect. We argue that the JPC could look towards the GDPR as a template for the definitions of data. In addition to this, representatives from the sector strongly contend that non-personal data is not a binary, but a continuous spectrum where data is generated and over time spreads across this spectrum, acquiring different levels of inference and value. In addition to this, there needs to be a clear baseline of data that almost any business collects, which must be kept in mind while creating legislation.
According to our research, one of the primary concerns with regulating NPD[^17] is that de-anonymizing data presents the risk of identifying communities/broad user datasets, thereby directly contradicting the mandate of PDP. Startup founders and public interest technologists vehemently opined that India primarily requires a Personal Data Protection Bill - implemented in letter and spirit - before NPD regulation can be looked into.
We believe that non-personal data should not be governed within this legislation as there is another Bill attempting to regulate and govern it. We believe it is essential that two laws remain separate for the time being.
It is also important to note that Indian mid-sized entities aim to grow and capture global markets. It must be ensured that their innovation and growth is not halted. Small and medium organizations struggle to establish a business model with repeatable unit economics. This is a paramount concern in the early stages. While there is intent to embed privacy practices in the product-development cycle, small and medium organizations do not have the skills or budgets.
As the analysis of privacy-tech research clearly shows, adding regulatory pressure does not improve outcomes. On the other hand, regulation can increase the compliance burden, thereby adversely affecting small and medium organizations and turning them into non-viable businesses. Therefore, we sincerely believe the JPC should take note of the concerns of the industry and provide remedial measures in the final PDP Bill.
Bhavani Seetharaman is a research associate at Hasgeek. She has previously worked for the Centre for Budget and Policy Studies (CBPS), Microsoft Research India, and the University of Michigan, Ann Arbor.
Nadika Nadja is a researcher at Hasgeek. She has worked across advertising, journalism, TV & film production as a writer, editor and researcher.
- Suman Kar, founder of security firm Banbreach, for participating in writing the early drafts of this submission. Suman’s work on data security includes analysis of predatory loan apps and impact on consumers - https://hasgeek.com/cashlessconsumer/killerloanapps-detecting-fake-fintech-apps/
- Rajiv Onat, Senior Leader working on Data Platforms, for reviewing key concerns and adding nuance on operational aspects of compliance.
- Yagnik Khanna, independent software architect, for reviewing key concerns and adding nuance to compliance requirements from engineering and inclusion perspectives.
- Sathish KS, Senior Engineering Leader, for reviewing key concerns and adding nuance on operational aspects of compliance.
The submission on the Personal Data Protection (PDP) Bill is drawn from insights gathered during research, conference proceedings and discussions held under the Privacy Mode programme.
Privacy Mode is a platform for discussing data governance, compliance practices and privacy in tech and consumer products. Practitioners share experiences and operational challenges in solving privacy-related challenges in organizational workflows and vis-a-vis consumers. These discussions - and the ethnographic research that the Privacy Mode team carries out - contributes to the development of a knowledge repository of innovative ideas and approaches to data governance, privacy in technology, and compliance. Privacy Mode’s vision is to improve the practice of technology vis-a-vis privacy in India.
[^1]: A primer on global encryption debates - drawn from Prof. Green’s talk - is published at: https://hasgeek.com/PrivacyMode/it-rules-il-guidelines-2021/sub/the-wages-of-fear-a-compendium-of-global-and-domes-GzdvpEhXmLH6uyMaNT2gJx This primer also contains a shorter version of Prof. Green’s talk.
[^2]: The MSME defines small, medium and micro enterprises based on investment and turnover amounts (https://msme.gov.in/know-about-msme); however, for our definition we would also like to include the number of employees and the community the enterprise is working for. If the product is extremely niche and focuses on very small consumer groups, then compliance with regards to data protection, as well as the definition of significant data fiduciary, must be carefully looked into.
[^3]: For this document we believe it is important to articulate that public interest should take into account the protection of minority and marginalised groups. This means that while formulating such a definition, representation from multiple stakeholders, including caste and tribe representation, religious minority representation and representation from marginalised/alienated groups such as the LGBTQ community and disability groups, must be ensured.
[^4]: To read further on the topic refer to https://edpb.europa.eu/news/national-news/2020/baden-wuerttemberg-state-commissioner-imposes-fine-aok-baden-wuerttemberg_en
[^5]: Read the case in further detail here: https://www.pdpc.gov.sg/Undertakings/Undertaking-by-StarMed-Specialist-Centre-Pte-Ltd
[^6]: Supply chains are not necessarily data localized. This creates problems because ensuring that one party adheres to data localization does not mean that the others it depends upon for data flows are automatically compliant.
[^7]: Read the report by ICRIER here: https://icrier.org/pdf/Economic_Implications_of_Cross-Border_Data_Flows.pdf
[^8]: Cory explains in his paper that cyber security concerns could be governed through channels other than data localisation, and estimates the overall financial losses for countries that do implement such policies. https://www2.itif.org/2017-cross-border-data-flows.pdf
[^11]: The GDPR’s rules for DPOs: https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en
[^12]: Helps us expand on the compliance variations based on the organization: https://www.compliancejunction.com/small-business-dpo-gdpr/
[^14]: The number of pending court cases has only gone up since the pandemic, rising by 19 percent since last year. https://timesofindia.indiatimes.com/india/pending-cases-in-india-cross-4-4-crore-up-19-since-last-year/articleshow/82088407.cms
[^15]: Complaints handling under GDPR: https://edps.europa.eu/data-protection/our-role-supervisor/complaints-handling-data-protection-notice_en
[^16]: Complaints definition and processes under the GDPR: https://edps.europa.eu/data-protection/our-role-supervisor/complaints_en
[^17]: Hasgeek’s Study on the Non-Personal Data Protection Bill: https://hasgeek.com/PrivacyMode/non-personal-data/