In an episode of the sci-fi series Star Trek, the crew of the spaceship ‘The USS Enterprise’ chance upon the planet of a horrendously scary alien: Balok. The anticipation of encountering Balok drives most of the crew into a frenzy. It is only much later divulged that Balok’s ghoulish appearance is a ruse, and the actual Balok is timid and infantile. The ruse had been to scare intruders away from his home planet.
It wasn’t too long ago that previous versions of privacy legislation, with severe restrictions on cross-border transfer and intermediary obligations, drove Indian corporates into a similar frenzy, and yet the latest version, much like Balok’s true form, appears much less scary.
The current version, which interestingly includes ‘Digital’ in the title, is a bare-bones version of a necessary privacy legislation. Gone are the previous mentions of ‘Non-Personal Data’, and the attempt to sort data into various categories (sensitive, critical). Also gone are the restrictions around cross-border data transfer. Anticipated Rules (under this Act) and an upcoming ‘Digital India Act’ are assumed to elaborate on what has been left out.
The resultant ‘privacy-lite’ legislation is not without its share of concerns though.
Consent
The removal of categories of personal information would seem to imply that all personal information would require the same degree of consent, protection, and restrictions. Readers will know of the segregation of health data, biometric data, etc. in the European privacy legislation, the General Data Protection Regulation (GDPR). An obligation to treat all categories of data with the same level of care (e.g. a database of cell phone numbers with the same care as, say, one of medical records) is unreasonable, and will add dramatically to compliance costs.
Unlike the GDPR, which prescribes six different grounds for processing data, the Indian version relies on an ambiguous ‘lawful purpose’ to be followed by the data fiduciary (processor) as the required grounds for processing. The draft Act requires the express consent of data subjects to allow their data to be processed, but also seemingly allows for the above ‘lawful purpose’ to constitute ‘deemed consent’.
The world over, ‘legitimate interest’ is replacing ‘consent’ as the primary rationale for processing. It allows usage of subject data for purposes similar to, or co-related to, the purpose for which consent was previously collected (e.g. emailing a customer for renewal of a membership, when that customer has previously provided an email address for membership purposes). The absence in the proposed draft of a specifically mentioned ‘legitimate interest’ ground enabling data controllers to use data will throw up challenges for Indian corporates, who will have to resort to ensuring digital records of consent from their vast consumer database for each use of their data, resulting in steep compliance costs.
Consent Management
The draft legislation introduces an intermediate and independent entity, ‘the Consent Manager’, whose role involves assisting the data subject in the management of their consent. How successful this concept of a third party will be in ensuring prompt feedback to the data subject’s requests remains to be seen.
Security Standards
Unlike the GDPR, which details requirements around the secure processing of data, including encryption, pseudonymisation, and certification mechanisms, the Indian draft limits itself to stating that data fiduciaries should follow an appropriate level of security, which will no doubt lead to confusion around what could be ‘appropriate security’ levels.
Cross Border Data Flow
As mentioned above, previous drafts of the legislation carried restrictions around the cross-border flow of personal data. The current version unburdens itself and enables the government to create a list of countries outside India to which personal data could be transferred. Unlike the GDPR, which specifies standard contractual clauses to be entered into between two parties involved in a cross-border transfer, the draft remains silent.
A major criticism of earlier drafts was the wide list of exemptions given to governmental authorities under the Act (in the name of sovereignty, integrity, and national interests). It appears that such exemptions are continued under the current draft, again leading to concerns over potential misuse of surveillance powers (in contravention of the Supreme Court’s J Puttaswamy judgment). Readers will be aware that the GDPR lists, as criteria for cross-border transfer, the regulatory environment of the recipient jurisdiction, and the proposed exemptions will not help allay those concerns.
Technological Laggard
Given the years that have passed since the above privacy judgment, new tech trends have enabled deeper intrusions into privacy. Today’s society deals commonly with biometrics, surveillance as part of transactions, and employment obligations. Wearable devices and social media host a trove of sensitive personal information. The Indian draft is surprisingly short on guidance around these new trends. Will the relevant legislation be Balok-esque or less scary? A review of the anticipated Digital India Act will tell.
Vikram Koppikar is a privacy lawyer. Views are personal, and do not represent the stand of this publication.