Background
Privacy and Protection is a subject that has seen massive developments in the last few years. Undoubtedly, with the advent of big data and blurring jurisdictions and processes, there have been many questions about data and its rationale in national security, rights of citizens etc.
Cyber Security Research Centre (CSRC) at Punjab Engineering College (Deemed to be University), Chandigarh had organised the first workshop to carry out a study of the Justice Srikrishna Committee Paper (first draft) on Data Protection from a National Security Perspective on Jan 28, 2018. The findings of the study were shared in the form of a report carrying recommendations to MeitY, which were duly considered.
Along the same lines, there have been multiple citizen movements centric to the idea of data privacy and rights of data principals/users. Debates about surveillance, data localisation, defining key terms and the concurrence with the GDPR have been ongoing and have slowly occupied centre stage.
As a result of these discussions with various experts and recent developments in the domain, it was felt that a comprehensive list of comments and recommendations must be prepared after brainstorming exercises with multiple stakeholders. Data, in the long run, is most likely going to drive nations, policies and international relations as well. To further this objective of understanding the draft bill and working on the issues that it has presented, it has become an urgent need to present the right problems and alternate solutions to the lawmakers.
The deadline for the submission has been extended to September 30, 2018.
CSRC, PEC and Cyber Peace Foundation have come together to organise another two-day workshop and discussions on Sept 24 - 25, 2018 on the draft law.
Major Highlights and Discussions of the Day:
Gen. D.S. Hooda
He brought out the point that there can be no privacy without security. There need to be different laws/provisions to cover CII (Critical Info Infrastructure), where the Government and various sensitive organizations and their manpower are covered with special provisions. Indigenous Technology will be a key component in this particular data protection framework. The proposed Data Protection Authority of India should mandatorily have members who are from a military background with specialization in Information Warfare.
DR. DIVYA BANSAL, PROFESSOR AND HEAD, CSRC
The Consent based framework has to be twofold. A draft personal data protection bill today proposed "explicit consent" for processing 'sensitive personal information'. 'Sensitive personal data' comprises data including passwords, financial data, genetic data, health data, sexual orientation, caste or tribe or religious or political belief.
- Will politicians continue to target constituents by leveraging the data that the citizens unknowingly share on social media?
Should politicians also be made to notify or seek choices and declare as to how they plan to track our likes and dislikes and profile individuals for political purposes and influence minds by targeting individuals using personalised advertisements? One may also want to look into whether tailored political advertising would affect National Sovereignty.
- Consent to be part of automated decision making
Our Nation is progressing by leaps and bounds towards Technology Advancements like AI, Big Data, IoT, and Cloud. Globally, we are moving towards Data Driven Decision Making. Individuals are profiled based upon the data so collected, and automated decision making takes place on the basis of data so collected, integrated and correlated. In the UK, automated decision making based upon data being sponsored collected from different sources including social media has evolved into credit scores, which are being used to determine whether people can get a credit card or loan. It may become a nightmare if it comes to resemble the "social credit" system developed by the Chinese government, which determines the "trustworthiness" of the country's 1.4 billion citizens. This Social credit might prevent people from buying airline and train tickets and from many other activities (it was launched in 2014 and is supposed to be nationwide by 2020).
While we are looking at an explicit consent based framework in the Draft Data Protection Bill, shouldn't Individuals also have the right not to be a part of the results of automated decision making and hence have the right to opt out?
DR. SD PRADHAN, FORMER Dy. NSA and JIC CHAIRMAN, MEMBER, ADVISORY BOARD, CSRC
In the Round Table Workshop various aspects related to the draft Personal Data were discussed. The participants stressed that all the data aggregated and processed through advanced algorithms becomes a national strategic asset and therefore it must be ensured that data is not misused for subversion of national sovereignty. The naming of the Data Processing Authority was also discussed and there was a consensus that there should be a specialized cadre for this task. The members also pointed out that data, when not needed, should be deleted. They also emphasized that all personal data must be stored in servers in India.
Mr. Vineet, President, Cyber Peace Foundation Team
MR. RAJ PAGARIYA, MR. ABHAY SINGH and MR. NITISH CHANDAN, Cyber Peace Foundation Team
- Issues Found:
- PDPB should also cover Anonymized data.
- Are financial penalties alone sufficient, or should criminal provisions be invoked for people compromising National Security?
- Changes in Notice period: Purpose specification and predetermined time limit for data storage.
- Opinions:
- National Security and Economic Considerations are not independent of each other but are complementary when a robust data protection law is brought in.
- Critical personal data should be defined in the bill. As of now, it has been left to the Central Government.
- Exemption under the bill - Addition or Removal?
- Privacy and audits come much later; the business model must be questioned.
MS. GEETA GULATI, Lawyer, Punjab and Haryana High Court
- The definition of data as per the Data Protection Bill has words like concept, opinion and instruction, which would mean IPR can be created by the Data collected by the Data fiduciary. Thus it becomes all the more important to localize data. Data is the new oil. India should not share its oil without taking advantage of its data.
Other Important Questions which were raised
- Definition of data fiduciary
- Consent is an important aspect of Data exploitation
- Safety of Data of Certain classes of society
- The importance of having qualified technical personnel for Data Protection Authority.
- Explaining the importance and impact of Data sharing to the user in a form and language that he understands.
- Data fiduciaries in certain critical sectors be categorized differently.
- Status of data after a certain time period.
The discussions and brainstorming done during the workshop were found to be very insightful. The illustrious experts included national security experts like Gen. D.S. Hooda and Dr. S.D. Pradhan, renowned lawyers expert in the subject, academicians and researchers, and representatives from the industry. The workshop will conclude tomorrow, when some very important issues on Data Localization and cross border flow of data will also be discussed, and the discussions and recommendations will be compiled to be sent to the Government of India. The exercise has been found to be very useful, as domain experts from various fields participated in the making of the very important Data Protection law of India, which is a historic move in itself.