Data Protection Law should provide a Jurisdictional umbrella

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the  Justice Srikrishna report.]

The Justice Srikrishna Committee (SKC) has propounded 7 key principles of the Data Protection Act and proceeded to provide several questions in its report seeking public comments.

The Seven key principles under which the proposed Data Protection law would be based are as follows.

1.Technology agnosticism– The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.

2.Holistic application– The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims.

3.Informed consent– Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria.

4.Data minimisation– Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject.

5.Controller  accountability–  The  data  controller  shall  be  held  accountable  for  any processing of data, whether by itself or entities with whom it may have shared the data for processing.

6.Structured enforcement– Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms.

7.Deterrent  penalties–  Penalties  on  wrongful  processing  must  be  adequate  to  ensure deterrence.

The above principles may determine the broad contours under which the SKC may work out a draft of the Data Protection Act of India (DPAI). In the background  the Supreme Court’s views on Aadhaar as an instrument of Governance and a potential tool of breach of Privacy will be weighing in the minds of those who will work on the drafts.

One of the first counters to be raised therefore is “Whether these principles need to be expanded? or Modified?”

It is in this context that we raise the first supplementary principle to be added to the list.

“The proposed Data protection Act should be amenable for compliance by all stakeholders with pleasure and appreciation of the purpose. It should not attempt to enforce the law compliance by pain… except to the inevitable minimum required pain that accompanies all changes.”

The second principle which follows the first is that the proposed law should confine itself to the limitations that is inherent in such a legislation. The law is proposed as “Data Protection Act of India” but is it the right defining of the proposed law? or should it be considered differently? is a question to ponder.

When the honourable 9 member bench of the Supreme Court (Puttaswamy Judgement) declared in a hurry that “Privacy is a Fundamental Right under the Constitution of India”, there was no time to deliberate and come to a conclusion on “What is Privacy”. The order did not specify the definition but said Privacy is a fundamental right. So the task before the Data Protection Act legislators include defining what they propose to protect.

A question naturally arises therefore that if the 9 eminent jurists could not define the enigmatic concept of “Privacy”, should the Data Protection Act of India attempt to do it?

Data protection legislation may not be the right law to define Privacy. It should be through a different law under the overall domain of  “Democratic Rights of an Indian Citizen under our constitution”.

On the other hand the Data Protection law can effectively define the “Security to be accorded to Data” of a particular type. “A Data Protection Act” should confine itself to protection of “Data” which may be personal data, sensitive personal data, or even corporate data. Calling an Act as “Data Protection Act” and confining it only to being an “Individual Information Privacy Protection Act” is not warranted.

However, India already has a law called “Information Technology Act” which has several provisions that fall in the category of “Data Protection”. It also has provisions that are meant to protect “Information Privacy” because of Sections 72A and 43A. Sections 43 and 66 along with several other sections such as Section 67C, Section 79, etc define responsibilities of individual information privacy protection. Sections like 69, 69A and 69B also provide the “Reasonable Exemptions”.

Now whatever the new Data Protection Act proposes will be in partial modification of ITA 2000/8 and will introduce a conflict with ITA 2000/8 and perhaps also on the UIDAI act.

The new Data Protection law should therefore decide if it steers clear of the existing ITA 2000/8 or trample upon its provisions and replace them with a new set of the same provisions under a different legal provision.

We should not forget that there is a “Health Care Data Privacy Act” which is also on the drawing board and has already been partially rolled out in the form of EHR guidelines (though the industry has largely ignored it).

One of the other principles that the proposed law should declare for itself is therefore the following:

The Proposed Data Protection Act shall work in harmony with the current established laws in the country such as Information Technology Act 2000Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,

The Key principles should therefore be increased from 7 to 9.

The main purpose of the suggestion is that we need a legislation that the stakeholders will absorb as a necessary legislation that is good for our society and hence all of us have a duty to comply with it.

Unlike the GDPR which tries to impose its will through  obnoxious penal provisions, Indian Data Protection Act or Information Privacy Protection Act, or Individual/Personal Information Privacy Protection Act, as it may be called should not bank upon its ability to control the market with its penal provisions. By stating that the penalty can be 4% of global turnover or 20 million Euros, GDPR is showing its muscle. India can counter this by saying that the penalty may be 5% of global turnover and INR 2 billion and make it applicable to any entity in the world. With such a provision we can also make the international community raise eyebrows and recognize our existence.

But is this the way law should be imposed? by threatening to wipe out a company in case of non compliance? and leave it to the mercy of the adjudicator to determine the final penalty and if possible use his discretion as a leverage to ask for favours from the accused?

Penalty should be a deterrent but it should not be so huge that the accused either declares bankruptcy immediately or thinks of bribing his way out. It is in this context that we say law should promote compliance not with pain but with pleasure.

Data Controller is also a stake holder

In the data protection law, the drafting people should also decide who is the stake holder/ or stake holders?. Is the stake holder solely the individual and others like the Data Controller or Data Processor only targets for imposing a penalty if they donot comply? ..when what they need to comply itself is unclear?

We must accept that a Company registered in India is as much an entity that needs Government protection as the individual who is a citizen of India. Hence the law of privacy cannot go over board and look at punishing the Data Controller severely as the EU law tries to do. Of course we donot trust the Companies as also the Government when it comes to Privacy protection and hence the need for the law. Law some times tries to provide protection to the Government separately (eg UIDAI) but imposes hefty fines on the private sector for the same offence. This may not be fair.

What follows therefore is that whatever law which is now being proposed, it should be equally applicable to a Company or the Government or an individual.

Secondly, if Individual’s data needs protection, corporate’s data also needs protection. If one is called “Privacy”, the other may be called “Data Protection”.

Hence if we call this new law as “Personal Information Privacy Protection Act”, then it can confine itself to protecting individuals against invasion of privacy that may arise because such information is not protected by a corporate or Government.

If we call this a “Data Protection Act”, then it should extend to Corporate data as well. Since ITA 2000/8 is already covering this aspect, there is no need to cover security of corporate data through this Act. On the same logic, if this law has to be a comprehensive law on Personal Data Protection, then Section 43A and 72A needs to be removed from ITA 2000/8.

If Section 43A and 72A are to be retained and the new law has to extend to privacy protection, then the law should clearly explain that the new provision is in addition to the earlier provisions in ITA 2000/8 and not in derogation of the earlier provisions present in ITA 2000/8.

If this precaution is not taken into account, we will end up with the argument which was presented by an advocate in an adjudication proceeding in Karnataka and accepted by the then adjudicator that “Introduction of Section 43A applicable for body corporate in ITA 2008 automatically changes the meaning of Section 43 and confines its jurisdiction to individuals only”. Though the undersigned did not subscribe to this view at that time and does not even now, if law is not clear, it enables such manipulation by clever advocates to the detriment of the society.

I therefore urge the SKC to declare that

what they are proposing is not in derogation of any of the existing laws and in particular the provisions contained in ITA 2000/8 on data protection in general and personal data protection in particular.

Jurisdictional Umbrella

It is more or less imperative that the law will define that it is applicable to the processing of data of an individual citizen of India by any person including a Company incorporated in India or otherwise or by Government in India or otherwise.

However, this will naturally lead to a conflict in implementation when the law is breached by a foreign company or a Government. Similarly a foreign Company or a Government may also try to impose its own law (eg GDPR) on an Indian company and claim penalties which may be significant and also involve foreign exchange outflow.

The Proposed law provides an opportunity to ensure that this conflict between different laws applicable to a single company in India is resolved without the company (registered in India and therefore expecting the Indian Government to protect it’s legitimate interests) having to face several international regulatory organizations at a given time.

Typically an organization handling data processing may have personal data from persons of different nationality. Each   now trying to impose its own laws and also extend extra territorial jurisdiction just like what GDPR has done in respect of information that belongs to its citizens. It has therefore become necessary for companies (Data Controllers or Data Processors) to tag every piece of personal information with the citizenship of the individual and try to apply appropriate laws. In one case it may involve “Right to Forget” and in another case there may be an “Obligation to retain”. In such cases, the Companies will be unable to comply with conviction if they donot have a data classification system that tags the information to the country of citizenship. (Hopefully there will be no dual citizenship problem).

This data protection law should recognize this problem of the business community and try to provide a solution.

The solution we suggest is two fold.

  1. Every consent should incorporate a specific clause which states that “This personal data shall be protected as per provisions of personal data protection applicable to ….. country. 
  2. The adjudication and imposition of penalties if any shall be determined as per the personal data protection regulations applicable to India and the Indian Data Protection Authority shall have the final authority in sanctioning any penalty in respect of any individual who is a citizen of India, any corporate or other organization registered and subject to Indian laws.

The jurisdiction clause is proposed as a mandatory part of the consent which itself should be mandatory.

This provision also means that if any EU entity imposes a penalty on an Indian Company, the Indian Data Protection Authority shall intervene to accept or reject the penalty claims.

In order to make the provisions of the new law fair, the law can offer reciprocal arrangements of similar nature to foreign jurisdictions and state

“Where penalties are imposed under the Personal Data Protection Act of India on a person who is either not a citizen of India or is a company registered outside India, then the Indian Data Protection Authority shall provide an opportunity to the Data Protection authority (if any) of the country to which the said company/individual belongs to implead on behalf of the said entity.”

Since some of these suggestions could interfere with international obligations, these may need to be properly drafted. The suggested intent is that no Indian Company will be directly made liable to any foreign authority whether by a contractual agreement or otherwise without a sanction of the Indian authorities. If this umbrella of protection is not created, GDPR will be an instrument that will create colonies in India and allow European companies control Indian Corporate entities.

Naavi

(Discussions will continue)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.