Not everyone is lauding the Srikrishna panel’s recommendations for data localisation and criminal provisions for violations of privacy. In a conversation with Mayank Jain, Rama Vedashree, CEO of the Data Security Council of India and a member of the panel, spoke about her contentions with the report and expanded on her dissent note, which was included in the report. Edited excerpts:
What are the major points of dissent that you have shared with the Srikrishna Panel?
One is the broad localisation of all personal data, which I feel is something that is not really required. Second, categorising financial data and passwords as sensitive personal data is not done by any country at the level of a broad national data privacy law. Another problem is the enabling provision that lets the government declare, at any point in time, this data as critical and ask for exclusive data localisation in India. Third, there are strong provisions and penalties for violations, but adding criminal prosecution is something I feel is very stringent.
What are your thoughts on data localisation from an industry perspective?
There is no evidence that data localisation guarantees data protection and privacy. Data protection should be done through a combination of processes, technology, capacity building and strong enforcement. We, as the Information Technology industry, have grown to become a global hub because of the basic tenet of cross-border data transfer. Indian industry even does very advanced analytics on healthcare, insurance and financial data out of India. We cannot suddenly take a stand that our data is sensitive, so it won’t go out of the country.
But isn’t there an exception in case of health data, which can be transferred outside the country?
That’s based on consent. Broadly categorising health data as sensitive and, in the future, declaring it as critical could place restrictions on cross-border transfer. Of course, an individual may be able to transfer data outside the country based on consent. For instance, consider the use case of gene profiling being done outside the country.
Apart from your dissenting views, what are your thoughts on the larger privacy law draft?
I think it’s a good draft. Any entity that is handling personal data is made accountable. Currently, the provisions of the IT Act apply only to body corporates; government agencies are not covered. The most personal data is collected by government agencies in most countries, including India. Equal obligation on all entities collecting data, whether government or corporate, is a great step forward.
Second, the concept of data protection authority is a good one. Third, the privacy by design principle is very well articulated. In the long term, the success depends on best practices that we can adopt and drive in the country.
What happens to your dissent note as well as the criticisms of the draft law given by civil society?
Now the committee has submitted its report. The minister stated in the media briefing that they will conduct wide consultations. I do hope that there will be consultations with civil society, industry and political stakeholders because, at the end of the day, the bill has to be taken to Parliament. I have confidence that the government will do consultations and be receptive to concrete feedback.
There’s a section that gives the state data processing exceptions, where consent is not required to collect or process data?
I think states will always need some enabling provisions for situations such as health emergencies or natural disasters. There are enough checks and balances that the government cannot just flout the law. In emergency situations, we can’t expect that the consent of all people is obtained before relief can be provided to them.
But credit scoring is also listed as a possible use case of this provision...
I agree [it’s not an emergency].
You said that the criminal prosecution provision is too harsh. Why do you feel so?
The enforcement mechanism and recommended penalties are quite adequate. As privacy awareness is becoming very strong in the country, in the long run, any entity that is collecting and processing personal data needs to win the trust of the consumer. Unless it’s a very fraudulent company, they will all care about the trust of the consumer. I am confident that the industry will become very mature with the privacy awareness and enforcement. Already, several enterprises have implemented privacy programmes and best practices. Plus, there are now penalties, and nobody wants to be hauled up for violating privacy when you are a B2C company. Imagine the nightmare for a business when it’s immediately a criminal and non-bailable offence.