🔒 Steps forward for India's Data Protection Law

Hi everyone, and happy Data Privacy Day. And thank you so much for taking the time to join us today to talk about India's developing privacy landscape. My name is Tilly Lang and I am the Senior Privacy Counsel here at Cloudflare. And I'm very pleased to introduce my guest for today, Srinjoy. And may I pass over to you to introduce yourself? Sure, sure Tilly. So nice speaking to you again, and happy Data Privacy Day to you as well as the entire audience listening in. It's a day wherein we celebrate so much of what we do as a business, as an entity. So just to introduce myself, I have been in the space for, I have been in the legal space for about 21 years. And I have been in this space for a substantial amount of that time, when I was looking at the GenPACS, data privacy and intellectual property for a period of time before I went on to setting up my own organization. And now I'm working also, I'm working with the organization who's into the pharmaceutical side of things. And the idea is to kind of build and rebuild and take the maturity of the organization to the next level. Nice. And just because it is Data Privacy Day, I mean, one question that I've been asking everyone, and I personally always find interesting, is how did you start your career in privacy? And most of all, do you enjoy it? Yeah, absolutely. In fact, privacy is such a dynamic subject. I have been amazed right from the time I started, in fact, even before GenPACS, I was looking at the information security and information technology of the law firm that I was working with. And the aspect of privacy, information security, technology, and driving them all together is so mind -boggling and dynamic. The beauty of it is that every day we learn something new, or some new technology comes in, or some new aspect that you have to analyze. In the words of one of my seniors, you look at data privacy, and the way that you would have interpreted data privacy yesterday is not the same as what you will interpret it as today. And tomorrow it can be something very, very different. So it's such a pleasure to be in this space. Yeah, if I've said it once, I've said it a hundred times, there's never like a dull moment in privacy, that's for sure. Well, perfect. And kind of on the same theme as well, I was just wondering if you'd be able to sort of share the best piece of career advice that you've ever been given. So I guess one of the major ones that I can think of is when I made the progression from a core intellectual property professional to the privacy professional, my mentors had told me that, look, it's just an extension of what you are already doing. And the beauty of it is that even with the space that we are in, the intellectual property side of things has such a dynamic input into the privacy space, and as we go along, we'll be talking about it, because we are talking about not only personal data, but non -personal data also, and that means patents, trademarks, copyright, the works. Exactly. So I think that's a very good segue into like, if you could just basically give us a bit of background into sort of the privacy space at the moment in India, and also the recent developments. I know we're kind of all at the edge of our seats regarding when the personal data act is going to come into force, but if you'd be able to give us a bit sort of a summary of the background and also where we are today, that would be absolutely fantastic. Thank you. Perfect, perfect. That will be interesting. So this entire journey of data privacy, in fact, started with what is called as the Puttaswamy judgment way back in, I think it was 2016 or so, 2016 -17, and wherein we as a country got the right to privacy. We were already, we had as a constitutional right, we had the right to life. The right to privacy got read into it by way of the Puttaswamy judgment, and thereafter, the judgment also said that within a period of time, there has to be an act which takes care of the data protection or obligations for the country. So given that, there was a committee that was set up, Shri Krishna Committee, which looked into how to build up the data protection law in India, and that was the first data protection bill that came in, personal data protection bill that came in, in 2018, which when they placed it in the parliament, met with a lot of resistance, and therefore, they went into another loop, and they went into some amendments, they proposed some amendments, and in 2019, we had a second draft coming out, pursuant to which, again, the same, they met with same kind of resistance from the members of the parliament, and they went into yet another huddle. And now, after many extensions taken by the JPC, that is the Joint Parliamentary Committee that was looking into it, on the 16th of December 21, we have the new draft that has been placed in the parliament. Just to give you a fair warning, this does not mean that the bill is placed in parliament, it just means that the recommendations of the committee have been placed in the parliament. And out of the recommendations, one of the first and most telling recommendation that has come about is the fact that they have moved away from defining it as personal data. And they have removed the word personal to make it data protection. What does that mean? That means that it will now not only be personal data that they will be tracking, but also non personal data. Critics, criticism apart, non personal data is defined as something that is not personal. So which is, which is a fairly wide definition. But the point is that they, they are looking at it from that point of view, they are also thinking about data as a whole, and bringing in the concepts of non personal data, non personal data breach into the into the segment of into the law itself. They are the other thing that they are looking at is, they are looking at a kind of like what is there in GDPR, they are trying to build, they are telling the data fiduciary or the data controller to have logs of all data. In terms of what is harm, they have defined it as psychological manipulation, which impairs the autonomy of an individual, which means that they are not only thinking about, they're thinking about something like what happened in the US, or what happened in Brexit, wherein the polls were rigged because of psychological manipulation of people that has that supposedly have has taken place. So the, the, the other, the other aspect is, and this will be very important for your listeners. The social media intermediary has been defined as social media platform, which basically, there is a definition for that which says, the platform which primarily or solely enables online interactions between two or more users, and allow them to create, upload, share, disseminate, modify or access information with its services. So, and all the social media platform, and what is called as significant data fiduciary. There is a term called significant data fiduciary, which primarily is bringing in the concept that the significant data fiduciary will have to have a higher threshold. So that means that the significant data fiduciary will have to maintain a DPO, will have to maintain records, will have to do a data protection impact assessment, build out privacy by design policies. So this kind of broad framework is there, I can go on to say that, yeah, there is a two year period of time that will be that will be defined that will be given to the companies to comply with the dynamics of the law. Also, something similar like GDPR, there is a 72 hour breach notification window that is there. So these are broad points that are there. Obviously, there are lots more, but I can, in fact, I can keep on going on. But there are nuances that have been brought in. That's the crux of it. Yeah. So, and thank you for that. I think that's a great sort of overview, and sort of laying the scene in terms of where we are today. But I've got a particular question about the role of the DPO, because you mentioned, and for those that don't know, DPO stands for Data Protection Officer. And so you mentioned that there's sort of will be a requirement for organizations to have a Data Protection Officer, a DPO, once the law is enacted. And I was wondering if you'd just be able to touch upon if there are sort of any differences between the DPO role in proposed Indian Bill, and the GDPR. And also, if I'm not mistaken, there's a requirement at the moment to have a Grievance Officer under current legislation. So will that role develop into the role of the DPO? Or how will those two roles coexist amongst each other? Just sort of if you be able to elaborate on those sort of two scenarios there, that would be great. Sure. Yeah. So from a... Yes, I should have defined the DPO, Data Protection Officer. Now, from the aspect of a DPO, unlike the GDPR, what they have proposed right now, it was earlier, it was a situation of having a DPO who could be an internal or external person. But now what they have done is that they have mandated significant data fiduciaries to have a DPO. And that DPO is a person who is either, who is a senior member of the organization. That means that this person plays a very vital role and can be the chief executive officer, chief executive officer, or company secretary, or whole-time director. So that means the whole viewpoint is that they are having somebody who is a senior officer in default, as it's called in the Companies Act, to be that person. And this is very vital for significant data fiduciaries, data fiduciaries who have a threshold of higher requirements under law, that will be decided by the data protection authorities. And they will define that if you are a significant data fiduciary, you have to have a DPO in-house. Even for other companies, it will be an officer in default, a person whom the authorities can contact at any point of time when there is a data protection issue. Now, coming to your second question today, and this is a very interesting one, because as of now, we have a strange situation wherein there is the IT Act, which guides the data protection in courts, I would say, to the extent that it is there. But that IT Act only talks about sensitive personal data or information, SPDI, as we call it. So now when it talks about SPDI, the grievance officer that is defined in that only is responsible for the SPDI aspect, and is going to be the officer, the grievance officer who will be named on websites. In terms of the data protection officer that is defined in the data protection bill, so to speak, it will be a bit different. It will be wider. They have all the authorities that are there in GDPR, for example, advisory role. They will be in charge of talking about the data protection impact assessment. They will be guiding the data controller or the data fiduciary, as it's called. So what I feel is that this being a special act over a general act like the IT Act, the special act will override the general act, and they will have to come to a situation wherein the IT rules, where this is defined as grievance officer, kind of subsumes into the data protection office itself. I would say that going forward that will happen, but right now we have a situation wherein both officers are there. Perfect. Thank you so much for that. And I think it sounds like there's a lot of sort of proposals and change, especially sort of on the horizon, sort of when the data protection bill is indeed enacted. So, I mean, what strategic advice would you provide to organizations that are currently operating in India or looking to move into the market? Yeah. So, in fact, there is a lot of changes that the organizations will have to go through, will have to undergo. And because even at the time of GDPR, GDPR was a gold standard at that point of time, but it took two years for organizations to get into the understanding of the nuances of GDPR. Similarly, we cannot really rely on GDPR anymore, because it's gone a bit past GDPR, because you are talking about not only personal data, but non-personal data as well. And therefore, the dynamics of it has shifted slightly. And as the listeners are mainly from the technology space, they will understand that there are going to be compliance requirements, especially since the technology companies are, in fact, supposed to be in India, kind of build out the investment plans in India and things like that. So, the advice that I would give them is one, that please don't rely just on the foreign laws, but if you are coming to India or you are setting up anything in India or building out products in India for the Indian consumers, then you have to do a proper assessment, go for privacy by design. There are nuances of privacy by design policy that are there. Really understand the scope. And this is one thing that I, as part of even my training, I do trainings for these IAPP certifications. And one of the things that I would always tell my participants and my clients, that look, there is there is no way in which you can just rely on whatever has been done and said before. You have to really analyze the bill and the act when it comes in and get your local compliances set up because there is a huge thrust on localization over here. And that's something that we will have to look at. So, statistically, you have to work on all those aspects. Yeah. And so, as you mentioned, sort of the localization aspect, I was wondering if you'd be able just to expand on that a bit and just tell us kind of what that means for organizations sort of working in India and also sort of what the regulatory landscape is because of that. Sure. Sure. See, I'll just answer the first question first to say that I would define there are three segmentations of personal data. One would be what is called the general personal data. That is, it is defined as personal data, but it is the overarching information that is, for example, your name, email, things like that. The second categorization would be sensitive personal data, which talks about health care information. It talks about a whole lot of whole variety, like passwords were there in the first first draft and and other biometric genetic kind of information that is there, financial information that is there. So this is the second categorization and third categorization, which is a bit of a black box right now because we don't know what that would mean. But the but there will be a definition given to that and that personal data is called the critical personal data. So general personal data, sensitive personal data and critical personal data. Why I define this is to say that in terms of the general personal data, the the idea is that no restriction per se will be there. But in terms of the sensitive and critical personal data, the restriction that is going to be there is that you will have to have a mirror copy. So there are two types of localization. One is called the hard localization, which means that you cannot take out the information at all. India has gone the second route, which is called the soft localization, which means that, yes, you have have the data set here, but have the data set in abroad also. So but since the critical personal data has not been defined, we are in a bit of in a gray area for the critical personal data. But in terms of the sensitive personal data, the idea will be there will be mirroring. Also, the the the the draft talks about a situation where in the companies will have to set up shop in India, where and whenever there are significant data fiduciaries, they will have to come to India, they will have to have a server based out of India so that they can mirror it. So that entire space is something that is that the draft is trying to head towards the the regulatory in terms of the regulatory landscape. I would say that for for most companies, it is the there are various reference points in the draft and in the recommendations that have been given in terms of foreign companies being mandated to set up shop in India if they have access to SPD and CPD, as I just now talked about. They also have a situation wherein hardware manufacturers. So it's not only the software or the Android or the social media players that are involved, but even the hardware manufacturers like an Apple device or a Samsung device. India has gone into this situation into the idea and the framework, and which is very true in many cases, that these hardware companies are also collecting our personal data and not only personal data, data. So from to from that point of view, also, they are trying to trying to look at these kind of companies and they will have aspects to kind of look at how they can certify these companies, whether they are doing anything that is malicious or not. So from a government perspective, they are looking at this, especially they have got hurt from a certain segment of the manufacturers who followed manufacturers who have kind of used, used, for example, I would say without naming it, I would say maybe they have used similar sounding names for their programs and maliciously kind of occupied or taken out the personal data. So the the draft gives time to the foreign players to kind of have the ability to bring back the data that they have taken abroad or rather they have stored abroad. So if you have a server in EU, for example, and containing personal data or containing data that belongs to the Indian population, that kind of data you'll have to bring back and at least mirror over here. So that is one thing, even from a cross-border perspective, the cross-border ability for organizations to deal with other companies to take the data out, you will have to maintain certain standards. Obviously, consent is one thing, but beyond consent also, you will have to satisfy the authorities that you have taken the necessary steps that are there. Perfect. Thank you so much for that. And also, just on the back of that, I mean, where do you see privacy laws or regulations developing in the next sort of five to ten years in India? And also, I mean, are we are we expecting the data protection bill to be enacted in 2022? Is this the year or to just kind of it'd be great to hear your thoughts on sort of the bill's development and when you think it will actually sort of be passed by parliaments if, like I say, if this is the year and also where you see sort of trends going in the next sort of five to ten years as well. That would be great. Thank you. Interesting questions. In fact, I'll just answer the first question that you asked. Where do you see it in the next five to ten years? I would see quite like GDPR gave the time. I would see that if this is the year 2022 is a year, then till 24, we will obviously have our data protection authority that is there and the ability for organizations to comply with the law. And the next three years, I would say that exactly like GDPR, there will be a lot of jurisprudence that will be said. We start understanding the nuances of the interpretations that are there. For example, what is anonymization? Now, anonymization in terms of GDPR is completely to say that something that cannot be re-identified. But in India, that's not so. So, to settle those dynamics, those three years will go. But more important than that, there is a big Philip that is being given to innovation, sandboxing techniques, innovations that are there. And because of that, I would say, and which is something that GDPR is also heading to or that Europe is also heading towards, I would say that it will go beyond privacy. It will go beyond security. It will go beyond the risk frameworks. It will go into the space of ethical AI because the kind of industry, the way that we are moving because of COVID and because of other aspects, we are moving towards that AI kind of building out tools, innovations, are heading towards that. So, India will also head towards that. So, I see that this is just one piece of the puzzle which will fit in and we'll go towards ethics, AI, that entire landscape of how to monitor that. The governments will look at the monitoring of that area. In terms of, I think the second question that you were asking is the key question that is, is this the year? But I have been hazarding your guess on this for the last three years. But I see that there is a lot of, still there is even among the committee members who had looked at this time, the JPC or Joint Parliamentary Committee that was framed, even they have some disconnects that are there, especially in terms of there being two sections, one for the private industry, one for the public industry. So, those dynamics are surveillance and the entire slogan kind of dynamics that is there to say that governments cannot surveil me as a person. But because of that, I do see that in the budget session, it will be placed. They will try to get a draft in. I'm not sure whether it will be passed or not. But I do, in the next few sessions, it is going to be very, very important that it is passed. Also, because there is some, an issue called the Pegasus issue that is surveillance system that is happening from Israel, and which is also on the top of everybody's mind over here. And therefore, there is a push that is going towards it. But yes, I wouldn't hazard a guess. But fingers crossed, budget session. Perfect. That is starting tomorrow. Perfect, perfect. Well, as always, Ring Joi, it was lovely, lovely to speak to you. And I'm sure we've got a lot more plans for International Data Protection Day. So, as always, thank you so much for joining us. And we definitely learned a lot. And I'm sure we'll be speaking next year or definitely in between the year as well. So, thank you so much. Absolutely. Always welcome. And thanks, everyone, for joining. It was a real pleasure.