🔒 Mathew Chacko, Srinjoy Banerjee, & Tilly Lang Fireside Chat

Hi everyone and welcome to International Privacy Day. I'm really excited for this session and I'm really pleased to have two guests who are experts in the Indian data privacy landscape.

My name is Tilly Lang and I am privacy counsel at Cloudflare, and I'd like to introduce my two guests, Matthew who's a partner at Spice LegalRoute, and Srinjoy who is the founder at Excalibur C in India so fantastic.

Wow, there's a lot going on in India at the moment in regards to data, data protection, data privacy.

And so I was just hoping, Matthew, if you'd be able just to kind of give us a little bit of background into kind of the growth and development of data privacy in India, and how we've kind of got to this point in time.

Totally. Let me give you the really quick trip around Indian data law. I think, and contrary to what other countries experience, Indian data law was actually a reaction to European Union data legislation in the 90s, which kind of looked at Indian law and said this is inadequate so we can't transfer data to India, unless you have some kind of proper law which kind of takes care of the basic, you know, basic things that it needs to be taken care of.

So to a large extent, Indian law is an enabling, I mean, Indian law as it is now is an enabling legislation which basically says, as long as you take consent and you use a fairly reasonably secure data protocol, you're complying with Indian data protection law.

The rule was set out in 2011.

And then, nothing much happened over the years, until the Indian government sometime around 2016, 2015, I don't forget the year, introduced a digital ID for, for the lack of a better word let's call it financial and public services called Aadhaar.

And a lot of the data that was in Aadhaar.

So while Aadhaar was well conceived, data security wasn't well thought out.

And so a lot of data that was in Aadhaar was easily available in the public domain with different illegal hawkers hacking into the system, taking it out and selling it.

Therefore, a lot of public pressure and a lot of public consciousness around data protection and privacy of those.

And just to give you a background again, we've got a constitutional law, which, to my mind, when I was studying in law school, they taught us that included a fundamental guarantee of a right to privacy.

Thereafter, courts disagreed. Thereafter, courts agreed and then disagreed again.

And until this whole Aadhaar-driven consciousness encouraged the courts to finally rather unequivocally say, hey, there is a constitutional right to privacy.

And then ask the government, what are you doing about protecting privacy slash data?

This was in 2018, by which time, you know, we were already grappling with the GDPR and the changes that it was brought out.

And similarly, the government was on the way to forming an Indian data law.

And so we've got a new law. We've got some sectoral laws. We've got a little bit of a debate around non-personal data that I think is ridiculous, but it's out there.

There is now a constitutional guarantee of privacy.

There is a very clear, tortuous...

There is a tortuous right to privacy. And there is the possibility that you could complain to a regulator for breaches of data protection law.

So those are the multiple things that have come up.

And now, of course, we've got a GDPR -esque, a mishmash of the GDPR and what the Singapore PDPC does, and a little bit of India's nationalistic hue over these years.

So we've got an Indianized GDPR called the Personal Data Protection Bill.

Hopefully, it will be made law in the next few months, or at least over the course of the year.

That's a quick trip around Indian data law.

No, that's absolutely fantastic. And I think as well, a lot of people that are in the data protection profession have sort of heard and been keeping an eye on the Personal Data Protection Bill in India, but still sort of have a lot of understanding to do in terms of the implications that may have sort of on their industry, so tech companies, or sort of day-to-day sort of doing business.

And so, Sunjoy, I was just wondering if you'd be able just to provide an overview of the Personal Data Protection Bill and potential...

the good, the bad and the ugly, I think is a good way of putting it.

Fantastic, fantastic. Yeah.

And while I just, to complete Matthew's thoughts, I guess the whole right to privacy, which was earlier supposed to be, which is considered a right, an extension of the right to life, was given, granted in 2017-18 times.

And we have had two drafts of the bill already, and the third draft is awaited.

But I guess one thing, I'll just give you a synoptic view of the bill.

And while I do that, I would like to say that the whole dynamics of how the West looks at privacy and data protection, and whereas how we look at data privacy and data protection, is diagrammatically different in the sense that over in the West, because of the Holocaust, data protection had a very, very huge impact.

In fact, over here in India, data protection was not so much vibrant.

In fact, till recently, data privacy was not really considered something very, very important.

But as Matthew said, over the last three years, there has been a change, and there has been a turn wherein the data protection has become important.

Now, the concept of the draft bill has been that they have tried to categorize the categories of personal data, one being the general kind of personal data, which is the identifier, the overall superset, if I may put it that way.

Then we have the sensitive data, which is the financial information, the healthcare information, and other aspects of this nature, genetic information, biometric information, which comprises of what is called the sensitive personal data.

Then they have a third category, which is like the nucleus of the atom, in the sense that it is called the critical personal data, but till now, the definition of that has been left to the authority to build up.

Our guess is that the definition is going to become a subset of the sensitive personal data, which is the core personal data, maybe the biometrics and the genetics.

Then from a GDPR perspective, you will see the privacy by design, and the privacy by design policy has been put into the act, which is a good thing, but privacy by design policy, as you know, is not only going to be the policy itself, but the whole privacy by design philosophy that is behind it.

We have something called the data fiduciary, which is equivalent to the data controller in Europe, and we have got something called the significant data fiduciary, which is a high risk category data fiduciary.

We have other categorizations also in the act called the social media intermediary, which is basically for the social media companies, such as the Facebooks and the WhatsApps and the others.

Data subject rights are more or less the same.

The age of the child in terms of a European perspective, it was 13 to 16 in Europe, but it is 18 over here.

That equates to the contract law that we have, which puts the age of majority as the age when a person can consent to it.

We have other nuances also, nuanced ones like data trust score, which will be given by the data auditor, a person who will audit the significant data fiduciary's workings.

These are nuances, and I can go on and on, but I guess we have a lack of time, so I will stop here.

Perfect. Thank you so much. Matthew, I have got a question for you, because I know in practice you do a lot of business with international companies and clients.

I am wondering what are the thoughts and concerns or the planning that international companies need to do to be prepared or be in compliance with the new bill that comes in, when it comes in.

I know that we had a discussion as well on the side around the impact of the Schrems 2 judgment, which came out in the summer of 2020 from Europe and impacted international transfers to third countries, which India is one of them, as well as the US.

I was just wondering if you could give me a flavor of questions and workarounds that international companies are discussing and thinking about at the moment with data privacy, especially doing business in India.

Historically, we have had two approaches taken by large international companies.

The first is to just apply GDPR standards to India, even if it is not applicable.

Let's take the highest threshold, and then we will have derogations if required.

That is traditionally a high-cost approach.

Typically, you would have expected the large international companies to take that.

What we have actually found is that we have seen the smaller and medium-sized international companies take that approach because it is easier for smaller legal teams or compliance teams or privacy teams to deal with one regime.

Whereas, where you have got larger companies, you have had them making divergences or setting up India-specific plans.

Name the large company, they have thought about this, and they have probably come up with a strategy for the country and the law as it stands.

As I mentioned, the law as it stands right now is very enabling.

As long as you take consent, you can do whatever you want. That is going to change.

We have seen a shift. Of course, the large international companies already are GDPR-esque.

They have got compliance standards in India comparable to what they do in Europe.

There is a lot of hesitancy in evolving an India standard.

I am guessing that is because that means there are legal and regulatory costs.

More importantly, there are IT costs. There are infrastructure costs.

There are organization costs, all tied up with this compliance. Think of India as Europe 2017.

You know it is coming. You know it is expensive. You know you have got to do 10 things.

You do not know if, in addition to that, you have got to do another 10 things.

The Data Protection Authority is going to come up with guidances on even very simple things like what is consent, what is explicit consent, what is layered approaches, and all of that.

What is, like Srinjoy said, privacy by design.

All of that is going to come up. We have got companies gearing up to finally say, okay, let me talk to the lawyers.

Let me talk to the techies. Let me talk to the regtech people to see if there are solutions we can structure around this bill.

While there are areas of uncertainty at the edges, the core is very certain.

Consent, legitimate expectations, all of those are going to be mirrored.

That is one set of companies. There are other companies who have said we have had an India-specific data strategy.

They are going to have to overhaul their architecture exactly like they did in Europe in 2016 to 2018.

That is going to be expensive. There is going to be a lot of investment of time.

I think as a community and as a culture, as a data culture, as a data ecosystem, I think it is going to be beneficial.

It is also going to throw up market opportunities for techies.

We are going to solve the data questions that are going to arise.

Like Srinjoy said, there are three drafts of the bill.

Two drafts out and a third draft expected very soon. All three drafts, the first draft was exactly like you described, the laws of another country on the sides.

Very similar to the European Union laws. The second draft had certain divergences.

The third draft, I am advised, is significantly different in certain parts.

You cannot have the global approach anymore. You have got to have an India-specific approach.

You have got to get in. Therefore, there will be India -specific privacy tech solutions that will pop up.

Including around consent, which I think, unlike Europe, I expect will be one of the cornerstone concepts around which data architecture in India will be structured.

These are conversations we have had.

Nothing is written in stone. I expect the new law to have a runway of six months to a year.

Some people would say two years. I suspect that is unlikely for you to comply with it.

Therefore, you do not have to run, but it is time to start working towards greater data awareness.

Strengths 2, of course, has thrown up an entirely different bucket of issues around how do I transfer data into India.

That has a problem because on paper, if you look at the Indian legal system and if you look at Indian data law, it satisfies the conceptual requirements of European Union law.

Do we have a right to appeal if there is an intervention? Of course you do.

Do we have a constitutional right to privacy? Of course you do. Unfortunately, in India, there is a big gap between what is written in paper and what actually happens.

If you go down some of the relevant paragraphs of the Scrams 2 decision, you can see where the court is saying you have to look at how this works in practice.

That is where suddenly you are standing up and saying, hey, is there a problem?

Now, to muddy the waters further, there is not enough enforcement action in India for us to draw practical conclusions.

We are hopeful that sensible, ordered, rational, non-arbitrary lines of enforcement will emerge.

They have not yet.

Things that you see in the US often like warrant canaries, notice functions, extensive indemnification, greater emphasis on insurance, data audits with physical visits are all slowly creeping into India.

These were not there. I moved back to India four years ago after about a decade in Singapore.

I saw this happen with the PDPC in Singapore.

I was a little surprised that in 2016, I always thought India was a very mature tech ecosystem.

I was very surprised that in 2016 these had not crept into Indian practice, but it is going to.

Okay. May I just add that I think you are absolutely bang on, Matthew, when you say that there are lots of similarities with GDPR, but there are quite a few differences.

The way that I have been advising clients and I've been working on various data protection impact assessments, as well as privacy frameworks for companies.

It's actually a risk-based approach that we have to adopt, quite like the GDPR, but with the nuance.

I will take the name of your company and add it, with the spice of India added there and mix it up very nicely.

I guess from a company perspective, one of the things that international companies should do is take a privacy assessment.

Broadly, as Matthew was saying, the principles of privacy will not change much.

Whatever the draft of the bill that comes in, the principles will remain the same.

We have a fair idea as of now what exactly the act will look like.

Obviously, the changes that are there, we are guessing it will bring in the concept of non-personal data also.

That, as Matthew again said, muddies the water considerably.

Most probably, it's going to become a data protection bill rather than a personal data protection act.

Interesting.

I was just wondering, Shingjoy, if you could just expand as well on the recent discussions around data localization requirements.

I know when I think of Indian data protection law, I rightly or wrongly automatically go to data localization requirements.

I was just wondering if you could discuss that and expand on that a little bit and point me in the right direction over what the situation is and where the myths are as well.

I'll take you back to the categorizations that I had talked about in terms of sensitive personal data and critical personal data.

Now, the personal data which is general in category, there is no bar of it going out of the country.

Whether it stays in the country or not, the government is not bothered or the authority will not be bothered.

The sensitive personal data is the category in which you have to have a golden copy over here.

You have to have a copy over here, and then you can take it out on other servers also.

That is the sensitive category of data. Now, when it comes to the critical personal data, which will be the core, and when Matthew was talking about Aadhaar, the Aadhaar behind it has some core information such as the biometric and the genetic data that they collect from us, the fingerprint or the retina scan.

Those biometric data is what I feel will become the critical personal data, and that categorization is absolutely barred from going out of town, out of the country.

This, in short, is the categorization. The sensitive personal data, the view is that, obviously, there has to be an explicit consent for it to go out of India.

That explicit consent will also have other factors. There are various other factors that have been listed out, which will be combined with that explicit consent, for example, contract.

If I could just add in short, India has already got a payments data localization order, so it's not new.

What has been refreshing for me is that where there has been non -compliance or hesitance to comply, the authority hasn't gone all hammer and tongs, but has adopted a gently persuasive yet slightly tough approach.

Some of the world's largest interchanges have been the subject of these discussions, and that's heartening for me.

My biggest fear as an Indian lawyer is that we'll have a new law, we'll have a new regulator, and then the regulator will say, everyone who's not complying is going to be fined 4% of their global revenue.

However, if I look back at how the regulators on data have dealt with issues that have crept up, I take a lot of comfort in their previous action and say, hey, they're aware that this is complicated.

This is not turning on a switch, or it's not as easy as switching from AWS Singapore to AWS Mumbai.

There's a lot of infrastructural challenges.

There's a lot of cultural challenges around data.

I think we're looking at a more mature regulatory architecture. Fingers crossed.

Thank you both. That was very, very helpful and cleared up a lot of things as well.

I'm just wondering, if you have to give three tips to tech companies that are looking at the regulatory landscape in India, and either have a presence in India or thinking about setting up a presence in India, what would be your three tips that you would advise them?

Is that for me or for Shringar? It's for both of you.

Audit. Compliance. Compliance. Yeah, I think Matthew's line may be going.

So I'll point over to you, Shringar. So, yeah, I would say, yes, there will be a lot of audit.

Can you hear me?

I can hear you. Okay, because your screen is frozen. Anyway, so I would say yes, it will be there.

But there will be other aspects, I guess, the tech will have to deal with in terms of them complying with other kind of policies and frameworks that are already there.

So the nuanced aspect is how to marry the two, the non-privacy policies and the frameworks that are there, because there are e-commerce policies, there are AI policies that are there, which will play a very significant role in how the action will be taken by the regtech companies.

And then I think sort of just wrapping up here.

I mean, it's a big question, I know. But just to sort of get your stance on it.

I mean, where do you see data protection going in the next sort of five to 10 years in India?

Which direction do you see sort of more towards heavy enforcement or sort of more on just the oversight side of things?

Yeah, I guess the first phase of this five to 10 year period, I guess we will be understanding the nuances of the Personal Data Protection Bill or the Data Protection Act that will come in.

And what will happen is that it will be quite a unique system in my view.

It'll be quite a unique system because the non-personal data aspect has not been done anywhere in the world.

India is the first one is taking its charge from there.

I would also imagine that because India is very bullish right now on innovation and the startup, the whole innovation and the startup space, I think over the period of the next five to 10 years, there will be a lot of startups and a lot of unicorns will come from here.

And therefore, the dynamics between trying to balance the privacy on one side versus the new tech and the innovations on the other side is going to be an interesting thing to watch.

And I think it is looking up.

Perfect. Absolutely. Hi, Matthew. Welcome back. Hi, guys.

Sorry about that. No, no, don't be silly. We've just got a couple minutes left, but I was just wondering if you'd be able to, in a couple sentences, just let me know where you see data protection going in India in the next five to 10 years.

Right. So I think we're going to see a sea change in cultural attitudes towards data.

I think on a monthly basis, I get approached by people who want to initiate litigation because of data breaches.

And that I think it's a sea change from even four years ago when this was used.

I think you're going to see a cultural change in the businesses.

And I think most importantly, around privacy tech, red tech, HR tech, I think we're going to see a sea change in how sophisticated systems evolve, which provide solutions to people around data.

So one of the new things that is not associated with the data protection bill is that there is a financial sector consent broker that has come in, been introduced about a year ago.

And with that consent broker, you can see that the entire tech architecture around consent has changed.

I see that going across beyond the financial sector.

And I think if we sit on International Privacy Day five years down the line and we look back at this video and say, hey, the world has just changed again.

That would probably be what we would say. Yeah. Just to add, a consent manager is a concept that even the bill has.

So just marrying what Matthew said, I think definitely.

Well, what can I say? It is a whole new world. And like I say, International Privacy Day is one day every year.

So maybe next year we can revisit and see kind of where we are.

But what can I say? Thank you both very, very much for joining.

I really enjoyed sort of having this conversation. And I know I definitely enjoy working in the privacy sector.

There's so much going on globally. It's even hard to kind of keep an overview of everything.

But like I said, thank you very much.

Thank you. And happy International Privacy Day. And we'll speak to you too.

Take care. Bye-bye. Thank you for having us and happy International Privacy Day.

Thank you. Bye-bye. Bye-bye. Bye-bye.