Would be difficult for businesses to operate: Legal expert Rahul Matthan on data protection Bill

Rahul Matthan, partner-lawyer in technology and media practice at Trilegal, speaks to HT about his understanding of the draft Personal Data Protection Bill. The proposed law drafted by a committee headed by former Supreme Court judge BN Srikrishna was submitted to the government on Friday.

India | Updated: Jul 28, 2018 23:20 IST

Photo caption: Aadhaar will be subordinate to the data protection framework under the draft Personal Data Protection Bill, says legal expert Rahul Matthan.

Rahul Matthan, a partner-lawyer in technology and media practice at the law firm Trilegal and author of Privacy 3.0, spoke to Hindustan Times about his understanding of the draft Personal Data Protection Bill, what works and what doesn’t, and the way ahead. The proposed law drafted by a committee headed by former Supreme Court judge BN Srikrishna was submitted to the government on Friday. Edited excerpts:

After having taken a closer look, what are your thoughts on the draft Bill and the committee’s report?

When you read the Bill and the report together, you realise there is a lot in the report that fleshes out some of the concepts in the Bill. There is a significant discussion around the concept of a significant data fiduciary. This is a category of data fiduciaries which, on the basis of the large volume of personal data processed or turnover, is subject to a higher standard of privacy. For these fiduciaries, there are additional obligations that would apply, such as doing a Data Protection Impact Assessment. They are quite significant obligations. It would apply to a certain class of fiduciaries, such as hospitals, which possess a lot of medical data.

Could the law have been retrospective?

I don’t think so. It is terribly complicated as it is. The law says that anything going forward from the day the law takes effect needs to comply with the law. Even that is really complicated, because it’s not like everyone is going to stop processing data, wait for the law to come into effect, and start again.

The draft Bill says it aims at combining user data with common good for citizens. Do you think this draft Bill has achieved that?

That’s a really difficult question. One of my concerns with the Bill is I think it’s going to become very difficult for businesses, the data fiduciaries, to operate. Companies are not used to this level of collecting or processing personal data. That would be a huge shock to the system. The Bill talks more about direct data collection, such as data collected from a person to open a bank account. It doesn’t say much about the data collected, say for example, by Netflix to target better movies at you. When it comes to this, it is going to be much more challenging for both businesses as well as users.

What will this mean for Aadhaar? Has the committee underestimated the concerns on Aadhaar or is it right?

Aadhaar will be subordinate to the data protection framework under this law. The Aadhaar Act may have certain provisions that talk about how you need to protect information under it. But Aadhaar will be used outside this construct as well. Now those uses will need to come under the larger data protection law. There is a recommendation that says the Aadhaar authentication services must be used only by the government. It is not the place of the committee to look into that as it is a matter currently before the Supreme Court. So it’s unfortunate that recommendations on sub-judice matters have been made.

Is the draft tilted towards government regulation?

In only one case. The whole penalty regime is meaningless to the government because they don’t have a turnover. Paying a penalty is not an issue for them. This is a serious gap in the way the framework is structured. There is a section for offences which applies to both people as well as the government. But the government has several exceptions. So how are we going to hold them accountable?

How will data localisation impact businesses?

I think this is a very serious concern. There are many views on it and it’s a polarising topic. I don’t think we should have data localisation. I think it’s not good for business. The recommendation to have a mirror server in India is also a bit of a problem. Start-ups can easily open an Amazon cloud server and just start without any expenditure. Once you start this data mirroring, it’s going to be very difficult. I have a feeling this is going to have a chilling effect on innovation.

What does this mean for Facebook and WhatsApp as well as their users?

Both Facebook and WhatsApp comply with Europe’s General Data Protection Regulation (GDPR), so they will already have similar kinds of provisions in place. So they can modify their privacy policies slightly, at least for the plain vanilla clauses, to comply with the Indian law. But it does affect them in the case of data localisation. They may have to look at how their costs are going to be affected.

Users get the ‘Right to Data Portability.’ It’s there in GDPR as well. You can ask Facebook to give you a copy of all the data on you, and it’ll be given to you. Can you port data such that your likes and profiles on Facebook can be shared with, say, Google? That is social media graph portability, which is something that all the social media giants have been resisting. I don’t know if that is the extent to which data portability will go.

What are some of the recommendations you would keep, and which would you modify or discard from this draft?

A lot of the general obligations are fine. I like the data portability framework. It is very powerful for users to move data from, say, one person to another. And you can do it through a consent dashboard. In my mind, I think they have gone overboard with notices and obligations to maintain a record of consent. I am very keen to remove the data localisation provisions. As much as we say we must do Artificial Intelligence and big data, this Bill can even harm them due to the purpose and use limitation. Big data works on a lot of data. Only de-identified data that can’t be traced to an individual should have been allowed for data fiduciaries to use for big data. This would have been a forward-thinking way.