PDP Skepticism: Big Brother, Big Tech and a Sandbox
The politics of data protection can be seen through three lenses. That of the government, the individual, and private companies. The concerns of all three have to be addressed to devise an effective data regulation framework. For the government, pressure is mounting to safeguard citizens’ personal data. However, it is their prerogative to preserve national security. This may require access to personal data to combat illegal activities like trafficking. Companies are grappling to strike a balance between compliance, personalization and interoperability. It then becomes the data regulator’s responsibility to safeguard personal data. But, without risking national security or hampering innovation and economic growth.
The Indian Personal Data Protection Bill (PDP) of 2019 is on the verge of becoming a law. So, questions on it’s power and compliance are at the fore. This blog addresses prominent questions on the bill in the global & national context:
- Would PDP compliance result in GDPR (General Data Protection Regulation of the European Union) violation?
- Does the bill itself threaten global cybersecurity?
- Will government mission creep grow as a side effect?
- Is innovation stagnancy a real possibility stemming from the bill?
A preliminary understanding of the data protection regulations in place in the EU and India is helpful. You can take a look at our article comparing the GDPR and PDP Bill.
Will complying with India’s PDP Bill mean violating the GDPR?
The intent of the regulations is identical. Both were created to safeguard data and privacy. But, their criteria for compliance is not. This means that if a company’s operation is compliant to the GDPR, it won’t necessarily be PDP compliant. To remain compliant the data fiduciaries will have to chart their course according to the standards of each framework. Both regulations have different requirements and prerequisites. The question is if compliance to any provision in the PDP is contradictory to the needs of the GDPR.
- Many obligations overlap or are at different degrees on the same spectrum. But, the International Association of Privacy Professionals (IAPP) points out a problem. Indian companies may find themselves at a crossroads when processing data under the purview of the GDPR. If the data they collected was only on the basis of “contractual performance”.
- This is one of the lawful bases that permits an entity to process data under the GDPR. The PDP does not list “contractual necessity” as a legal basis for processing. This is why the confusion arises. Many businesses in the online services environment heavily rely on this criteria to process personal data. It allows an entity to transfer data to another entity as a contractual obligation. For example, shipping a product requires the data to be shared with the deliverers and customs officials. Travel agents require the data be shared with the hotel or airlines.
- This creates a grey area. Complying with one regulation may make it difficult not to violate the other. This is because swapping the lawful bases (to comply with the PDP) is not allowed under the GDPR.
It can be assumed that the data fiduciaries/ data controllers are not violating the GDPR when they change the lawful basis. Even then it will be a challenge for larger entities. For example: Companies with several foreign subdivisions. They will have to redefine, re-communicate, and re-implement processes. In particular, data collection, usage, & protection protocols for all parties involved in the data flow.
Does the Indian Personal Data Protection Bill threaten global cybersecurity?
PDP proposes banning re-identification of data. Cybersecurity and privacy researchers have revealed that this discourages researchers. They cannot thoroughly investigate security weaknesses, thereby encouraging cybercriminals to exploit them.
But, what is re-identification? First it’s important to define de-identification and its necessity.
When a company processes an individual’s data, algorithms are used to decouple sensitive details from identifying information. For example: medical records and traces of location separated from phone numbers and email addresses . This is de-identification.
Organizations can recover the link between the users’ identities and their data when required. The reverse process is called re-identification. This is a routine practice when done in a controlled environment designed for security by legitimate entities.
The risk is of malicious parties getting their hands on a de-identified database and re-identifying it. Data breaches and leaks are an increasing concern in our data-fied world. The PDP proposes to criminalize the process of re-identification without consent of user data. It’s called illegitimate re-identification. While this seems only logical, it may threaten global cybersecurity.
Researchers often perform meticulous cybersecurity tests and privacy guarantees without knowledge or consent of an organization. They act with public interest in mind and their work makes the digital world a safer place. The blanket ban could hamper research altogether. With risk of penalties and even jail time, security researchers would not partake in this testing for social good. Worse yet, software vendors might be tempted to instigate legal action against such researchers.
At India’s scale, impeding cybersecurity and privacy research could leave the cyber realm at large to malicious forces. This threatens global cybersecurity.
What exceptions are given to the government and what does this mean?
The bill gives the central government the power to exempt its agencies from the purview of this act. The purpose of revoking the regulations are vaguely defined. It can be
- In the interest of sovereignty and integrity of India or
- To preserve national security
This thereby eliminates the obligations of consent, accountability and transparency to ensure just processing of data. A regulation drafted for the protection of personal data can rid the government it’s duties and result in mission creep. This can give rise to a Big Brother like situation with the government morphing into a surveillance state under the guise of national interest. In the absence of a privacy law, it can be dangerous for the State to have access to all our personal data.
Are there any provisions for companies working on innovative data driven tech?
Companies are preparing to adapt to the new compliance requirements. But, there are growing concerns for tech companies:
- Mounting operational expenses
- Compliance constraints
- Rising cost of doing business
- Increase in barriers to entry
This could limit the ability of new competitors to enter the market. Restrictions on sharing data with third parties could make it difficult for companies to collaborate on data-driven innovation.
There is a massive flux of data across borders. Governments are increasingly considering data and digital infrastructure as integral to national security and economic growth. Developing economies in the past wanted to foster domestic auto production. Today, governments are focusing on endeavors to make their domestic tech industries thrive.
Governments are drafting policies on data infrastructure and technology. This includes data localization constraints, and limits on foreign investment on technology. The aim here by this is to foster innovation at a local level. Barriers and constraints have the tendency to prioritize national goals over global innovation. And so it is important to find the right balance between multiple objectives.
As a welcome counter to such provisions, the PDP introduces the concept of a “sandbox”. It gives the Data Protection Authority the power to modify provisions for certain data fiduciaries. Those that work for “innovation in artificial intelligence, machine-learning or any other emerging technology in public interest”. Under Section 40 of the PDP bill exemptions may be given as part of the sandbox. This includes relaxations. Specifying a clear purpose for data processing and collection may be relaxed. The limits to the period of data retention can be revoked.
About Signzy
Signzy is an AI powered RPA platform for financial services. No matter how complex your workflow or operational complexity, Signzy is able to completely automate your back-operations decision making process into a real-time API. This is possible due to a combination of Nebula — Our no code AI model builder and our Fintech API Marketplace of over 200+ APIs. Today we work with over 90+ FIs globally including the 4 largest banks in India and a Top 3 acquiring Bank in US. Globally we have a strong partnership with MasterCard and offices in New York and Dubai to serve our customers in the 2 geographies. Our Product team of 120+ people is building a global AI product out of Bangalore.
Visit www.signzy.com for more information about us.
You can reach out to our team at reachout@signzy.com
References
Note: The references below were used for preliminary research for this article.
[1] “It’s time to redefine how data is governed, controlled and shared” by World Economic Forum
https://www.weforum.org/agenda/2020/01/future-of-data-protect-and-regulation
[2] “Will complying with India’s privacy law mean violating GDPR” by the International Association of Privacy Professionals
https://iapp.org/news/a/will-complying-with-indias-privacy-law-mean-violating-the-gdpr/
[3] “India’s data protection bill threatens global cybersecurity” by Wired https://www.wired.com/story/opinion-indias-data-protection-bill-threatens-global-cybersecurity
[4] “Regulatory governance under the PDP Bill” by Medianama
https://www.medianama.com/2020/01/223-pdp-bill-2019-data-protection-authority/
[5] “The Personal Data Protection Bill, 2019: Key changes and analysis” by Indus Law
