Govt access, localisation norms in data protection bill need rethink: CIS' Sunil Abraham

The Centre for Internet and Society (CIS), a non-profit organisation, has been working on data privacy issues for a decade. Its executive director and co-founder Sunil Abraham spoke with TechCircle on the draft Personal Data Protection Bill, which he says is modelled around the European Union’s General Data Protection Rules (GDPR) and proposes to give Indians control over their own data. Abraham also feels the proposed data localisation norms are rather strict and unwarranted and that providing the government access to citizens’ data is a cause for concern. Edited excerpts: 

What are your thoughts on the bill? What are the positive and negative aspects of the bill?

The most positive aspect is that the bill is very closely modelled along the line of the GDPR. Therefore, Indians have the benefit of a world-class regulation that is fast becoming the global norm.

The most negative aspect is exactly the same — since the bill is modelled on the GDPR there are no comprehensive surveillance reforms. It assumes regulatory maturity and institutional checks and balances when it comes to non-consensual processing of data by the government.

Additionally, the data localisation requirements are overly broad and not configured to achieve the various policy objectives.

What are the loopholes in the draft bill that need to be plugged before it becomes a law?

These are still early days. So far, I have reached the conclusion that the “strictly necessary” test needs to be eliminated. The “necessary” test needs to be tightly defined so that the objective is impossible without that particular piece of personal data. The “proportionate” test needs to be included in all cases of non-consensual processing. The grounds for non-consensual processing of employee data by employers need to be deleted.

Re-identification for the purposes of improving ‘anonymisation’ and ‘pseudonymisation’ techniques should not be made an offence. Companies will try to exploit the “reasonable purpose” grounds for non-consensual processing of customer data. We need to see how the regulator interprets the law to understand what this will actually mean in practice. Even in European countries many companies think they can get away with “legitimate interest”.

How will a common citizen ever know his data has been sold or compromised? Like in the case of Facebook, nobody knew for years...

If the data are sold then the individual needs to be provided notice under the regulation. If there is a breach, the data controller has to inform the regulator. The regulator can then decide whether the individual should be informed about the breach.

Is the government's access to personal data a cause of concern?

The provision for non-consensual processing of data by the government for “functions of the state” seems too broad without a “public interest” test and a “proportionality” test. At the moment, the state thinks it is necessary to collect biometrics in order to provide e-governance services. In other jurisdictions, biometrics are considered necessary only when crimes are being investigated. Therefore, the necessary test is hard to interpret when there are engineers with competing visions for systems and lawyers with competing world-views.

The whole premise of the internet is an open and free world. Are data localisation rules going against it?

Data localisation mandates should be narrowly tailored. Ideally, data should be localised based on the sector. For instance, military, intelligence and law enforcement might need strict localisation rules. There is no policy objective that will be served by localising social media data. The data localisation provision in the bill needs to be thought through again.

What about the Indian IT and BPO industry? They benefitted from it, right?

Yes, having a law that is similar to the GDPR is good for the Indian IT and BPO industry because it reduces regulatory burden; they don't have to do two different things for two different jurisdictions. Hopefully, we will pass a stronger version of the bill soon after fixing some loopholes and then establish an independent regulator at the earliest. This might result in the EU giving us adequacy. That will make it even easier for Indian industry.

What does the GDPR say on the state's position on citizens’ data protection?

The GDPR also has a similar ground for the state to non-consensually process personal data, called “functions of the state”. This ground has two sub-provisions: One of them, like the bill, is a loophole and the other requires the “public interest” test.

The state is bound by the obligations in Chapter Two, that is, fair and reasonable processing, purpose limitation, collection limitation, lawful processing, notice and data quality and data storage limitations and accountability—and, in addition, clear the “necessary” test. But I still feel this can be abused unless the “proportionality” test is also introduced.

The better option would be to close this loophole and require consent for all data processing by the state of law-abiding citizens.

The GDPR puts the consumers' data at the forefront. Does the draft bill put the same emphasis on empowering consumers?

The data controller is required to act as a fiduciary. Consent is only one element of the regulatory regime. There are eight data processing obligations, four rights and in cases of non-consensual processing the “necessary” test has to be cleared.

Before Justice BN Srikrishna came out with the draft, he had spoken about privacy terms and conditions format during the Facebook-Cambridge Analytica imbroglio. Does the draft speak about legally binding companies to make these privacy consent information easier to access or understand like the international standards?

There is an obligation that the notice be in a “clear and concise manner that is easily comprehensible to a reasonable person and in multiple languages where necessary and practicable”. This will address some of the concerns with obfuscation in privacy notices.

The draft speaks about reasonable processing. Does it define what reasonable processing is and where can we draw the line?

In the GDPR everyone looking for a loophole has identified “legitimate interest” as their best bet. The Indian bill has a similarly worded ground called “reasonable purposes”. Only future actions by the regulator and decision from courts will give us more clarity on what this exactly means. Till then we will have both expansive and conservative interpretations from different stakeholders.

What will be the impact of the draft if applied to the Right to Information (RTI) Act and Aadhaar Act?

I haven't studied the RTI provision yet. The question before the regulator will be whether Aadhaar clears the “necessary” test. In my view it does not. But given 10-odd years of Aadhaar propaganda, it is hard to say what the regulator or courts will say.