After getting the nod of the Union Cabinet, the Personal Data Protection Bill, 2019, has been listed for introduction in Parliament’s winter session. The Bill, which is based on the report submitted by the BN Srikrishna committee, has come in for critical examination given its stance on some of the contentious topics. Rama Vedashree, CEO of Nasscom’s Data Security Council of India and one of the members of the Srikrishna panel, in particular, has registered her protest against the ‘localisation’ requirement through a dissenting note. Here, she shares some of her thoughts on the Bill and what it portends for personal data security in the country. Excerpts:

What’s your overall view on the Bill given the challenges and opportunities that the committee faced?

The task given to the committee was to create a framework that provides adequate protection to the users while balancing the economic value and utility that are associated with usage of personal data. Besides incorporating privacy principles, the Bill has adopted data principal rights, breach notification measures and best practices such as privacy by design and data protection impact assessment. It also provides for the appointment of data protection officers and the creation of an independent Data Protection Authority.

The draft Bill presents three big challenges. First, restricting the flow of data through a local storage requirement, which creates barriers for trade and affects many business models. This cannot be seen as a good measure for economic development in the long run. Second, from a data privacy point of view, categorisation of ‘passwords’ and financial data as sensitive data is erroneous. Third, incorporation of criminal imprisonment for offences against companies could act as a deterrent for investment. Criminal provisions on top of high fines and compensatory provisions could lead to companies, especially boutique, specialised services firms, not offering services to Indian residents. The same was observed when the General Data Protection Regulation (GDPR) came into force, with heavy fines. And, the Indian Bill raises the bar even further.

In your dissenting note, you had said the data localisation requirement is “regressive” and goes against the “fundamental tenets of the liberal economy”. You have also said presenting localisation as a tool for developing the domestic market is “fuelled by unfounded apprehensions and assumptions”…

Globalisation and emerging technologies and new business models have dramatically accelerated the pace of economic development and innovation. The flow of data is as important as the movement of goods and people. The various provisions mandating localisation of any category of personal data must be understood to assess the impact of such provisions in a holistic manner. Our concerns around localisation are heightened due to the recent sectoral push for mandatory localisation through a) RBI circular for payment systems b) the FDI Policy 2017 for subscribers and users c) the Unified Access Licence for Telecom for subscribers’ databases (broadcasting sector) d) the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations 2017 for insurance policyholders and e) the Proposed Draft E-Pharmacy Regulations for portal-generated data. All of these localisation requirements would have an intersection with personal data usage and expose an organisation to a wide spectrum of regulatory exposure, and significantly limit the usage of personal data for economic and societal benefit.

Localisation will likely make India an infeasible market for services that cannot offset the financial or logistical costs of localisation. In addition, localisation may lead to country-specific reciprocal measures that may prevent Indian start-ups or the services industry from expanding globally.

For realising the goal of digital innovation, individuals and enterprises are increasingly relying on the new capabilities made available online and cloud-delivered. Technology providers and start-ups have been providing these capabilities on a global scale. Localisation requirements will inhibit these capabilities-providers from offering their product and services in India.

Through our assessment and stakeholder engagements, we’ve ascertained that cross-border data flows aid greatly in gaining flexibility for business process optimisation, adaptive security and increasing efficiency. Well-developed web services might store data across borders for a number of economic and technical reasons which improve efficiency and lower costs, such as edge caches, load balancing, data sharding, back-up in case of software failure, and debugging. Reisman [an independent research engineer, currently collaborating with Princeton's Center for Information Technology Policy] argues that the ambiguous locations of data storage make it technically difficult to conceptualise a workable data localisation model. Therefore, the forced splitting of datasets might lead to the creation of vulnerable points, which is compounded by the possibility of error when the prospect of mirroring is introduced.

The ability to transfer data across borders has broad ramifications for human resource management too. Global companies manage offices and employees at multiple locations around the world; employees and contractors are increasingly able to work remotely from any location; and companies recruit from an increasingly global talent pool. To manage employees at multiple global offices, companies must transfer employees’ personal data across international boundaries. If a category of sensitive data is classified as critical, then it would impact the centralised systems that organisations have created for processing of employee data. As in the present formulation of the Bill covering any processing activities carried out in India, it would subject foreign employees’ data to exclusive localisation as well. India is the fast-growing hub for Global Inhouse Centres (GICs) that manage such shared services from a location anywhere in the globe as they deem fit for their business. A policy regime which supported cross-border data flows helped India become a preferred destination for GICs.

Also, detecting credit card fraud at the point of sale offers one of the clearest examples of the benefits of cross-border data flows. No matter where you are in the world, your bank’s computer back home can analyse your purchase and location in a matter of seconds when you swipe your credit card. Based on that analysis, the system can allow the purchase, or flag it as likely fraud and stop it. Credit card systems also transfer data to detect online or “card-not-present” credit card fraud anywhere in the world. As a result, companies can detect and block online fraud attempts in five seconds on average.

India is becoming a financial hub for international banks and financial institutions. Most of the global banking and financial institutions have their second-largest facility in India after their home country. Due to the innovation push, India's role is increasingly becoming important. Nasscom’s GCC 3.0 report, published in June 2019, estimates the revenue of Global Captive Centres at $28.3 billion in FY2019, a 21% share in total exports revenue, and it employs over 1 million people. According to the Economist magazine in August 2019, India has become an intellectual force in shaping the future of global banking financial institutions. Due to the rising value in the supply chain of financial transaction processing, quantum and complex data is flowing to the country. The flourishing service economy shows this potential to reach to a scale in the shortest time possible. The concept of localisation contrasts with this development and will hamper future possibilities.

There are a lot of people who say that the recent Pegasus episode is a good example of the existing loopholes in the system that offers no failproof safeguards against snooping and data manipulation, particularly by the government agencies…

Protecting and safeguarding privacy demands both private businesses and public sector and government agencies taking responsibility in equal measure.

The critics are also linking the Snoopgate episode to the data localisation requirement that the Bill insists on. How do you see this?

The data localisation came up way before this episode surfaced. So, I am not so sure they are linked.

Another big complaint against the Bill is that it is said to be ambivalent about the “right to be forgotten” unlike the GDPR in the EU. You think the criticism is justified? Could the committee have done more or done anything different on the subject?

The interpretation of the ‘right to be forgotten’ adopted by the Bill is one which recognises the implementation difficulties associated with the ‘right to be forgotten’ when it is associated with complete erasure of personal data.

The GDPR has adopted the right as a ‘right to erasure’ where an organisation is required to erase the data completely, including all copies of the data in its ecosystem. The Indian Bill limits it to restriction of processing of personal data, not complete deletion. Once the right is exercised, the organisation can’t use the data further for any process; the data would be purged or anonymised based on organisational processes once it reaches the storage limitation time period. This is a welcome change to increase the implementability of this right.

Another change is approaching the data protection authority for execution of the right, unlike GDPR where the individual has to approach the organisation processing the data which then judges the legitimacy of the request. Under the Bill, this assessment is done by the authority. This is also a welcome change to protect users from arbitrary dismissal of requests.