Key points to remember
- Financial data is already regulated by RBI and should not be classified as sensitive personal data in the bill
- Non-personal data should be processed separately at a later stage
- Algorithmic transparency regulations should be handled by NITI Aayog
- Remove restrictions on data transfer between companies
- Clarify the need for concurrent audits
These were among the many recommendations made by speakers at MediaNama’s Decoding India’s Data Protection Bill event held last week. The Data Protection Bill 2021 and the Joint Parliamentary Committee (JPC) report were tabled in parliament on December 16, bringing us one step closer to India’s first data protection law. But many aspects of the bill need to be reconsidered.
During the session on Obligations of Data Trustees, Nehaa Chaudhari from Ikigai Law, Ulrika Dellrud, Privacy Officer at PayU, Uthara Ganesh, Public Policy Officer at Snap India, and Udbhav Tewari, Public Policy Advisor at Mozilla suggested the following recommendations. This discussion was organized with the support of Google, Flipkart, Meta and Star India, and in partnership with ADIF. To support future MediaNama discussions, please let us know here.
Financial data should not be treated as sensitive personal data by the bill
Classifying financial data as sensitive personal data is unnecessary and affects the customer journey: The bill classifies financial data as sensitive personal data, and platforms processing sensitive personal data have additional obligations, including restrictions on cross-border data transfer. Dellrud recommended that financial data not be classified as sensitive personal data for the following reasons:
- The term is very broad: Dellrud explained that the term financial data is very broad and that the entire transaction chain can be considered financial data under the definition of the bill.
- We already have RBI: Further, Dellrud argued that the RBI has already prescribed safeguards to regulate financial data and protect consumer information, including data localisation standards, and that these industry regulators, rather than the Data Protection Bill, must continue to regulate these areas.
- Affects the customer journey: By bringing financial data into the scope of the bill, the customer journey will be affected due to the explicit need for consent at every stage, even if there is another legitimate legal basis for processing the data.
Recommendation: Not all financial data should be classified as sensitive personal data and data already regulated by industry regulators like RBI should not be covered by the proposed data protection law, Dellrud recommended.
NITI Aayog Should Address Algorithmic Transparency Regulations
A clause in general terms around algorithms does not help: Under Section 23, which prescribes the steps companies must take to maintain transparency in the processing of personal data, the latest version of the bill adds that companies must be transparent about the fairness of the algorithm used for the processing of personal data. Ganesh criticised the provision for being “very broadly worded” and having no clarity on how it should be interpreted. Dellrud commented along similar lines and asked whether a simple description of the algorithm would even help users.
“Algorithmic accountability and transparency is absolutely a good thing. It’s a big conversation, but this particular layout makes for kind of a quick fix.” – Uthara Ganesh
“This provision is a bit like passing a data protection law with a line that says you have to protect the data. Just saying your algorithm has to be right doesn’t really do anything for anyone. It is very difficult to determine what a fair algorithm is and the standards around it.” – Udbhav Tewari
Recommendation: The requirement for algorithmic transparency should be more clearly defined and require companies to explain how an algorithm works and its impact on a user, Dellrud suggested.
NITI Aayog has done a better job on this issue: Ganesh explained that NITI Aayog developed a document on the ethical use of AI after holding multiple discussions with stakeholders and considering the various nuances this topic brings, whereas the draft data protection law simply includes a one-line provision that does not capture the complexity of the subject.
“I guess our general thoughts on algorithmic transparency are that there needs to be some sort of balance between regulating the deployment of AI and allowing people to take advantage of its benefits and somehow try sort of regulating risk. So there is this balance to be found. […] Using section 23 as a sort of airdrop into the JPC portion of the bill doesn’t do justice to something as complex as this.” – Uthara Ganesh
Recommendation: Ganesh called for removing the provision in its entirety and letting NITI Aayog come up with recommendations regarding algorithmic transparency because of the extensive work the organization has already done on this front.
India not ready to regulate non-personal data
We are not prepared to process non-personal data: The latest version of the bill brings non-personal data within the scope of the data protection law and the Data Protection Authority. Dellrud recommended against doing so and said non-personal data should be treated separately at a later stage because:
- Privacy laws in India are in their infancy: While in Europe privacy laws have been around for quite some time, India does not yet have a proper privacy law, and incorporating non-personal data now is too early, Dellrud said.
- The provisions applicable to NPD are not clear: It is also currently unclear which provisions of the bill apply to non-personal data; there is no clear demarcation, Dellrud explained. It is best to have some sort of sandbox to figure this out, Dellrud added.
“We have the Computer Act, but there is no real privacy law. And then starting off, I shouldn’t say zero, but maybe 2 to 200, right away also putting non-personal data, I think that’s a problem.” – Ulrika Dellrud
Recommendation: Non-Personal Data (NPD) should not be covered by the Data Protection Bill and should be considered separately at a later stage, Dellrud recommended. But if NPD is incorporated, the bill needs to be clearer about what provisions apply to non-personal data.
The transfer of data between companies must be facilitated
Restricting data transfers between companies is costly and unnecessary: One of the provisions of Section 8, which deals with data quality, states that “a data trustee may share, transfer or transmit personal data to any person in connection with any business transaction in the manner that may be prescribed”. Chaudhari argued that this provision is onerous and unnecessary because there are several different scenarios in which a company might want to transfer data to another company as part of a routine transaction.
“Honestly, I don’t really understand the point of adding this here. So basically, in a routine business transaction, if I’m a startup, there are several different scenarios where I may want to transfer data to another party. So am I now going to have to wait for some rules or regulations to come through that tell me what are the situations in which I should transfer data or not transfer data? And if you read the text that accompanies the release of the committee’s report, it sounds like some kind of pretty dubious business view.” – Nehaa Chaudhari
Recommendation: The provision limiting data transfers in commercial transactions should be removed, Chaudhari suggested.
What is a concurrent audit and why is it recommended?
The need for a concurrent audit is not clearly explained: The bill includes a provision under Section 29 stating that the DPA will specify the form and procedure for conducting audits of significant data trustees and encourage the practice of appropriate concurrent auditing. Concurrent audits are common practice in the financial industry: unlike audits that take place periodically, such as at the end of a financial year, concurrent audits happen continuously, Tewari explained. However, the bill contains only one line on the subject, and the JPC report does not explain why such audits are necessary.
“You would have entities like banks subject to simultaneous audits, because the intention is to make sure that you catch something that is not working quite as intended as soon as possible. You can’t wait for the end of every quarter or the end of every fiscal year or semester because the risk is so high. So I think that’s the parallel that the committee is thinking of here as well, when it comes to large data trustees, who have some kind of special place because of whatever, volume of data, the sensitivity of the data, the uses you put this data to, etc. So I guess that’s the thought, but again, we don’t really know because there’s a one-line explanation in the report.” – Uthara Ganesh
Recommendation: Provide more context on why concurrent auditing is encouraged and in what contexts it applies, Dellrud suggested.