We’re liveblogging the data protection consultation discussion from Delhi. Comments may be paraphrased. 

[Back at 1.45, post lunch]

1243hrs: Ramajit Singh Chima, Access Now: Anyone who tells you that a global framework doesn’t drive what product managers do is lying. The GDPR has forced people to engage with this topic, and the number of studies commissioned to discredit it shows how impactful it is. There is a set of global principles on privacy.

Do’s and don’ts: [We’ll add this later after checking with Raman. He speaks very fast]

Puttaswamy judgment has focused on people and not data. Learn the lessons from the TRAI on regulatory powers. TRAI conducts a consultation for everything it does. If there is a privacy commission, it should be for creation for regulation, not enforcement.

There is a problem about data being misused.

TrustID allows people to create profiles of people based on Aadhaar information. Innovation is important but some forms of innovation are not acceptable. There are examples even in AI where there are forms of activity that are not allowed. DeepMind was fined.

1239hrs: Ashutosh, ASSOCHAM: We are at the cusp of a position where we can be seen as the leaders of becoming the data analysts to the world. India today has all the three types of economies: really advanced, developing and the underserved. If we can innovate and create for these three, then we can innovate for the rest of the world. We need a regime that builds trust in our country, we will create jobs, income. There shouldn’t be a regulator but an ombudsman. We’re not just talking about the IT industry, and privacy will impact all industries so we need a common framework.

On data flow, law enforcement access and data security, the security of data in a cloud first environment is not dependent on where the data is. There are checks and balances which are in place, and there needs to be an accountability framework. Data localisation and residency were not the first point and were later addressed, and we need to see how we can become the leaders in data analysis. There could be a gradation in terms of things like national security etc.

1232hrs: Debashish, Broadband India Forum: Any curbs on data will hurt the country more rather than benefit the country. What is data processing about? Who is it benefiting? India is talking about having a 3 trillion dollar digital economy by 2022. The point we’re making is what is driving this digital economy, and thus any curbs on data collection and usage will harm the economy more. Who is it hurting if we could artificial curbs? Let us not put ex ante curbs. If there are any noted harms that are evident then there should be regulation in place to make sure that those grievances are redressed, and the harms should have a redressal mechanism.

21st century is about IoT, cloud, M2M, big data, we believe India has the potential to leapfrog what has been done in the traditional IT industry. We can become the global knowledge hub, by undergoing rapid socioeconomic transformation fuelled by data innovation. Data is not restricted by boundaries. You cannot have India innovation and a China innovation. You need to have exchange of data. You need to be able to make innovation and utilise innovation for public good. For data localisation, the IT industry would not have survived it. We should allow cross border data flows, and we recommend no restrictions on cross border data flows.

Regulation is good, but regulation for the sake of perceived harms and threats is not the right way to go. Give them the freedom but with broad overarching principles. Industry is conscious that if they harm the customer, and they work in a self regulated environment. Because they are all good responsible entities.

Companies are operating in an environment where they understand the implications of causing harm, so we suggest a framework about preventing harm, rather than providing restrictive principles of preventing harms.

 

1231hrs: Justice Srikrishna: should the law prescribe classification, or should this be delegated legislation? Should parliament look into it?

1229hrs: Ravi Gupta from NIC: Create classification for what kind of data can be provided or displayed prominently, and classify.

1228hrs: Justice Srikrishna: if constitution is not in 23 different languages, how will you prescribe by law that privacy policies should be in regional languages?

1223hrs: Arjun from SFLC.in: I wanted to address the point about notice and consent, and that we shouldn’t do away with it. Notice and consent has not become obsolete. What has become obsolete is the legal form. It becomes a technicality. A number of steps can be taken to ensure that it is procured in a meaningful manner, by having privacy policies in a simpler manner. For this purpose, this should come with minimum standard disclosures, and disclose things that should be collected, what will it be used for, how long it will be retained, and how can you revoke consent. All of this information displayed by default then this will help in a big way to ensure that the consent is meaningful. In the context of the Indian situation, it becomes a problem for people to understand what these policies say, so using regional languages would help.

1220hrs: Rahul Sharma: If we form a law which becomes a non starter for startups, it will have an impact on our economy. We need to be careful about direct and indirect impact on the economy. India’s outsourcing business has grown because of cross border data flows. We have to assess our situation. We don’t have to consider EU GDPR as a gold standard. They’ve had discussions for 10 years. The final draft of 2016 is very different from what the law for 2012 was. We need to look at how they started. The EU GDPR is more of a handle for imposing penalties on Google and Facebook.

[I spoke for a bit, pushing for data minimisation and purpose limitation, and addressed a few questions from Justice Srikrishna]

1207 hrs: Usha Ramanathan: I think a basic principle in data protection is that it is not about protecting data but protecting people. That’s the fundamental principle. I don’t think we should go around US route, because that’s giving us innovation but it’s also giving us monster. It’s also important that a lot of what we’re talking about data out, or resources.

I found the white paper disappointing because it didn’t seem to be taking into account the problems and situation, and changing in the constitutional understanding of what people are. People have said that privacy and law should wait until innovation is over, and should not impl

1204hrs: Kamlesh Bajaj, individual capacity: On data minimisation: the question on data collection is that should it be restricted in the first instance. The key point is that if we restrict data in the beginning, what are we achieving, we’re talking in the context of innovation. The key point is on preventing misuse and harm. To my mind, data minimisation has the potential of harming innovation in the country. We’ve just started with AI, IoT, and if we put a condition which will harm innovation in the country, startups which need data, or innovation on drones, traffic control, we don’t know which way this will go.

On adequacy test on EU GDPR, it doesn’t serve any purpose. We’ve always treated this as a non tariff barrier. It doesn’t increase or enhance security or privacy.

1230hrs: [Someone]: we need to incentivise data localisation not force it. We’re living in the era of virtualisation, we will lose business if there is localisation.

TRAI has gone the MLATS path for law enforcement considerations.

11:59pm: Venkatesh from DSA: If we accept the accountability principles in our framework, we can… [sorry couldn’t get his point]

11.59pm: Arghya Sengupta: On legitimate interest, do you think that this is a balancing test that we can leave to every single data controller in India?

11.48pm: Venkatesh from DSA: DSA urges that outside of consent there are other legal basis for processing data, including contractual obligations, compliance with legal obligations. To go into one extra level of detail, the question of what constitutes legitimate interest, and when you’re talking about data controllers taking onus of the data they’re taking. Whether legitimate interest constitutes intervening in individual rights. That’s one part that I wanted to mention, that there are other legal grounds for processing.

The white paper points towards click fatigue. We believe implied consent could come in to relieve some of this burden. This could be an area where the framework could focus on. For example, when you go through a turnstile at a metro station, you’re giving consent. Wrt children’s consent, the age that we’re proposing is 13, which is lower than GDPR and complies with US.

Consistent with our views of consent, we should have context for data processing when it comes to notice. Notice should support choices that are contextual. The number of devices that we use to access the same apps are increasing, and it could be complicated if we’re looking at click fatigue based consent. One suggestion could be outside of having consent in the device as well. Where you have a public place where you put the notice, outside of the device.

On data scorecard and consent dashboard, some of those frameworks have not been understood well enough. We caution against a consent dashboard. The reason being that as you see technology increase, and prescription could prove unworthy of the decision that you took.

11.38 pm: Amber Sinha, CIS:

We require a strong data protection authority, market incentives for data controllers to comply, vigilant and active citizenry and security enhancing technologies.

On consent, points have been made about consent fatigue. The Puttaswamy judgment places informed consent at the centre of any data protection regulation. It would be unwise to hedge our bets only on informed consent. We need practices which would be termed paternal, but they’re required for protection of citizens. We will empower the data subject, and he is expected to exercise rational choice, but there is information to indicate that that doesn’t happen. If we recognise that privacy is a social good, and we hold data minimisation dear, then entirely relying on notice and consent is not absolute. Especially when it comes to sensitive personal data, a risk and harms approach on top of notice and consent would be important. The nature of the consent needs to be clearly set out. The consent has to be freely given, informed and unambiguous. It has to be given as an express and affirmative act. Consent should not be a tool for coercion. When someone is being denied access to service because you don’t want to give access to incidental data, we need to check if we rely on market forces. If the legislation sets out a clear set of rights, that would be helpful.

On data localisation, I agree with what Apar and (Karthik from Nishit Desai) said. Data localisation also has various shades. One form is that we mandate it exists in our jurisdiction, it would be exported but with a copy, and also where it can be exported without a copy. It’s important that it travels with the same protections when it goes outside India. We would look at adequacy and safe harbour mechanisms.

Finally, I would like to make the point that what the white paper does not delve into in sufficient detail is surveillance practices, and grounds for surveillance. Given the kind of technology given to us, and the PUCL judgment, it should be important to check how surveillance can be regulated, and also regulation of surveillance will require the state to document its own surveillance practices. These are issues which require urgent attention.

11.36 pm: Justice Srikrishna: If you’re doing business in 20 countries, can you say that you will not comply with the laws of that country? Maybe some day there will be a global concept, but to start with, your suggestion seems to be that all localisation is wrt govt data, and wrt private data, there should be cross border flow without restriction unless there are security issues.

There is a link between consent and purpose limitation. In some cases even when consent is provided, and if there is evidence to suggest that it can’t be acted upon in public interest. Consent should not be an immunity from liability.

11.33 pm: Pankaj Sharma, Telenor: As telecom industry, we’ve faced this quite a lot. This has been one of the first hurdles. The current rules are, and led by security agencies, are about data localisation. That you can’t monitor something outside our borders. The reason for issuing these issues is that there is no global framework for data and privacy. We need to move in that particular direction. How can any country apply a law that is not applicable in their country.

The moment you say the server has to be in India, the global aspects of efficiency will go away.

11.32 pm: Shruti Rao from Information Industry Technology Council: We’d like to opt for a globally interoperable regime. There need to be global voluntary standards. We emphasise that there should be no data localisation.

11.30 pm: Kartik Maheshwari: On data localisation, when there are arguments for stored in India, the criteria for empanelment for Meghraj, the govt data is being stored in India. The interests of data subjects and industry are exclusive.

11.27 pm: Smriti Parasheera, NIPFP: Data protection is also about your day to day dealings with your employer and university, and not just big data. The calls for abandoning consent shouldn’t be there. There really are contexts where consent can work quite effectively. For people who say there is consent fatigue: yes there is, and it has become difficult. Just as tech has made consent difficult, it also holds the solution for it. Then the idea of privacy by design needs to be talked about. There is no one size fits all, and we need a graded approach. The role of data protection agency and agency design is important.

There should be a principles levels approach at the level of a primary law, and have a strong enforcement framework for all of this.

11.24pm: Apar Gupta: The committee in the white paper has noted the work of Professor Anupam Chander; his basic rationale against data localisation is that user interest and business are not fully satisfied and give govts more censorship control, and create barriers for business and users from availing services. Countries which have harsh data localisation laws are China and Russia. His work argues against it. I would argue against data localisation. There are several rationales for user interests. For business interests, a large part of the data localisation push comes from Indian industry, which wants to erect competitive barriers.

11.20pm: Shagufta Kamran: Internationally, there are frameworks like OECD which provide good guidance around cross border data flows, and harmonising with them would be useful. Too much prescription will not go in the favour of the industry. Self regulation should be the regime. If we encourage data localisation, it will be disastrous in case of natural calamities. Allow cross border data flows. In terms of the multiplicity of actors involved: there are a lot of allied laws. The point is how far are we incorporating the necessary changes in those laws as well.

Data as a concept, or a basic principle applies to various sectors. We need to start engaging with the automobile sector and other sectors, who are in possession of that data. There needs to be a distinction made between data processors and data controllers. That’s best governed by contractual laws.

11.18pm: Pavan Goel, individual: The public conversation has been around Aadhaar, but there is private data owned by Google and Facebook, and this data is stored in the United States. The US laws provide privacy guarantees only to US citizens. These services either willingly or under a US court order violate Indian citizens’ privacy. Our law may be against that but it will be in conformance with the country where it is. One solution: it’s necessary for this entity to have an Indian entity. In order to reconcile jurisdictional issues we should have data in India, and only allow cross border data flows which allow data access.

11.12pm: Pankaj Sharma, Telenor: The team who wrote the paper needs to be commended. What we need to understand here is that as India, we are the cusp of a digital economy. We are looking at questions which are really framed with the right intent, we could have a good regulation, but we could have a disaster for digital India. We should discuss this question by question.

On notices and consent is that consent fatigue is already there. I don’t think anyone reads it, whether us or anyone else. What happens is that the aspect of having the facility is taken more than privacy. We say yes to everything. What are we going to incorporate which is going to matter. We need a simple law with protection, and the notice says as long as whatever is happening is being covered by the data privacy law of India, it should be okay. We can’t have lengthy consent. If you’re talking about privacy law, the paper says that there are two types of data which can be used: anonymised and pseudonymised. Then consent part goes down. When do I need to share my data? Or the portability of data. These issues come when I’m interested in sharing that data. As a data controller I want to use the data or as a consumer I want to share my data. If they can use anonymised and pseudonymised data, no consent is required. For medical records, we can have a stricter law. Even for Aadhaar there is an OTP based system. I could say okay on biometric based system.

For Children, it has to be over parental guidance, and that age could be just 15 years.

1110pm: Charu Malhotra, Indian Institute of Public Administration: This is less about data and more about people. Data protection has two aspects: the privacy issue and second is commercial issues. I did not find clarity on the remedial action in case it is breached, in case a company breaches data protection for the masses. Let citizens be partners in crime in case of commercial aspects of data. Why aren’t we able to think of a dashboard scenario, if I give informed consent then I know where data is given in the pipeline, and what is my percentage share of it.

1109: Sharad from Institute of Company Secretaries: About medical records, it’s sensitive information for patients but important for regulating the medical profession. How to balance this, because the data has to be provided for competition, but sensitive parts could be taken care but also competition is taken care. Balance has to be maintained, it should be portable, available for research as well.

1105: Ujjwal Kumar from CUTS International: Data protection isn’t just necessary from data protection, but also from competition point of view. The right to data portability is something I want to flag as an issue. Every economy follows its own rules and philosophy. Data portability needs to be upfront as a principle, because it goes beyond privacy. The right to data portability depends on the definition of personal data. The larger principles should also include the consumer usage data, allowing them to be portable to help increase competition.

1103: Gopalakrishnan S: Topics for discussion:

  • How can notice and choice be incorporated in a data protection law to operationalize consent? How can children’s personal data be effectively protected?
  • How should “data localisation” and “cross border transfer of data” be dealt with under a data protection law?
  • What should be the nature and scope of the possible exemptions under a data protection law in the Indian context?
  • What are the different types of individual rights, their nature and scope which can be incorporated in a data protection law?
  • To what extent should data controllers be held accountable under a data protection legal regime?
  • What will be the impact of a data protection law on allied laws, particularly, the Information Technology Act, 2000, Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, and Right to Information Act, 2005?

1101: Justice Srikrishna: We’re here to ensure that the data protection law, which has been the buzz word in the country, becomes crystallised, and the inputs that are necessary to crystallise it are taken forward. An opportunity has to be given to stakeholders what their concerns are so that they can be noted and addressed.

If you point out a flaw, I’ll say what is your solution to your problem. I want solutions from you. We’ll note what is wrong, and set it right.