HT interview: Data bill in line with global practices, says Vaishnaw
Union minister says carve-outs in India’s new privacy bill are consistent with Constitution provisions
The new draft of the data protection bill was released on November 18, and has attracted both praise and criticism: the first for its light-touch and technology-agnostic approach to regulating a dynamic space, and the second for the significant exemptions it grants to governments and government agencies when it comes to using the data of individuals. IT minister Ashwini Vaishnaw discussed these in an hour-long interview with HT.
One of the things that a lot of people have remarked on is the simplicity of the bill, including the drafting technique giving illustrations on how clauses have to be interpreted, so we want to start off by asking you about the philosophy behind the bill. What did you want to achieve when you set out to draft the bill? Even at the time when you withdrew the old bill, you must have had some perspective on what structure the new legislation should have.
Fundamentally, the PM has given us the clear mandate that all the laws that we make should have the SARAL (simple) framework. What does “saral” mean? It means that the bill should be written in simple English and not legalese. It should be understandable by a common citizen, and not just lawyers. The whole conundrum of cross connections, provisions, notwithstanding … all of the stuff that makes it difficult for people to interpret should not be included. And we should include things like the explanatory note and make it part of the parliamentary papers so that people understand what is the intent behind the Bill and not get lost in the way laws have been drafted for many decades now. If you see from the Telecom Bill, this bill, many of the new bills you see will have this structure.
There are two camps — one that says that this is a bill that looks at outcomes, interests, what the underlying issue is and therefore, doesn’t focus on the small print, which is great because technology is evolving and in a space like that it doesn’t make sense to get down to details. And these people think it’s a great bill. Then there’s another school of thought that says the rules have not been made, there are a lot of things left for subsidiary rules and there are a lot of gaps and unanswered questions. That is the critical group -- the people who think it’s not a great bill. How do you respond to this?
Our parliamentary structure has laid out the system and hierarchy between legislation and subordinate legislation in a very neat way. No subordinate legislation can go beyond the boundary of the main legislation. So, anybody who says that we are intending something beyond what we have established in the bill must understand that no subordinate legislation can go beyond the main legislation. That is the first. Second, the details in a bill should be proportionate to the complexity of that particular topic. For example, notice that we have gone in very good detail on consent. So, every principle of privacy that needs to be enunciated has been enunciated in full detail. What are the things we haven’t gone into detail? Things like appointment of the Digital Data Protection Board members. Why do you need to write what will be the qualification of the member? In the bill we say it will be an independent body; now the independence is derived from the law, the rest of the procedural matters should be kept in the rules. For example, in the TRAI Act, there is a provision that a member of TRAI can only be a person who has worked as an additional secretary-rank officer for a particular number of years. Why do you need to hard-code such things in the Act? The Act should lay the rails of the particular sector; whether we drive one engine or two engines on it should be left to the executive. At the end of the day, who is the most accountable entity in the entire system? The government. And the government is accountable to the people through the Parliament and governments are tested every five years. So why should anybody be so worried that government is taking away the rule-making power? I’m putting the whole thing into three different contexts. First, the structure: we can’t go beyond the law passed by the Parliament, so there is no big question mark that we are trying to do something outside the ambit of this bill. Second, the government is accountable.
Third, we should hardcode only those things that are fundamental to the subject.
One of the main criticisms of the bill is related to exemptions, sub-sections 6 and 9, which provide significant exemptions to the government. There are fears that this could result in some sort of overreach or make people’s data more vulnerable.
See, if we see the GDPR, the basic principles on which the exemptions have been made in GDPR, they are far wider than the principles we have laid out here. So it’s not that the exemptions have been given only in India; exemptions have been given in all countries where privacy bills have been made. Now, we have limited the exemptions to specific things… particular sections, particular sub-sections, and everywhere we have provided clear reasons why such an exemption is being given. The country has to be run, it’s the government’s duty to run the country, implement laws of the land and make sure that the law enforcement agencies and courts are able to do what they are supposed to. It should not be that the court says that it has to send a warrant to the person and, to send it, first you go and take consent of the person. We have to strike that balance between the requirement of privacy and the requirement of running the country.
For instance, one of the earlier versions of the bill said that data would be deleted once the use for which it was collected has been completed. Whereas, this doesn’t say that…
It is there. Right to erasure and correction of personal data, section 13. In the case of government, there will be certain cases where you have to keep the data for a longer period. For example, let’s say, a PM AWAAS Yojana house. If a house has been given to a particular person, then after five years when the CAG has to audit, that data will be required. So till that data is required, any organisation having that personal data will have to retain it as per requirement. So yes, as much as possible we have tried to minimalise, that minimal data should be collected and it should be retained only for the limited time for which it should be retained.
There have been a few people who have stressed on the issue of data portability that the bill does not address…
The bill does that. It has not been written so explicitly, but it does give that construct to the consent manager. But we have got good feedback and when we place the final bill we will have the right…
Prevention and detection of fraud, credit scoring, recovery of debt, deemed consent for all of these have come under fire for providing too much leeway to the government. Some experts say many of these are beyond the purview of the state.
Absolutely not. For instance, if there is a cyber fraud. Will we wait for the fraudster to give consent for checking the identity of persons who have been contacted by him? We have to understand the realities of our society and draft our laws in tune with the requirement of protecting our citizens within those realities.
You do not believe that this is beyond the purview and can be considered unconstitutional …
Absolutely. Each one of them I can debate with anybody. Each one of them has a clear logic and a proper justification.
Some people have said that this concept of deemed consent is not very different from what other countries do. Except, other countries don’t call it deemed consent. Some of them call it legitimate interest, some call it reasonable purpose. Do you think there is a wording issue there?
I think it is a wording issue. There are many countries that call it deemed consent, others call it legitimate interest. It’s a question of what language we are using right now. And I think people who understand this bill have said that this is well within the framework and provides proper protection to citizens’ data. But we can consider alternative formulations as well.
Do you think the exemptions given to the state agencies -- it effectively authorizes the government to exempt state agencies from several requirements – are too broad, or do you think they’re in line with international practices?
They are very much in line with international practices. In most of the places we have very clearly written why the exemptions will be given. For example, we have used exactly the same carve-out in 19(1) in the case of central government instrumentalities of the state — any department, particular agency, in the interest of sovereignty and security of India, friendly relations; all the carve-outs are in line with constitutional provisions. In other places we have kept it having regard to the volume and nature of the personal data. So, wherever the exemptions are, that is of course for small data fiduciaries, the start-up ecosystem; so wherever we have kept the exemption we have a proper logic behind it, very much in line with data practices.
While speaking on exemptions, some of the earlier versions of the bill had a clause that personal information can be provided in public interest. That is being deleted in this and there are fears that this can weaken the RTI Act.
We cannot have two contradictory provisions of law in the same country, and if there is a government servant or a public servant, as much as a private person is a human being to whom all these laws should be applicable, a government servant should also have the same protection. It’s very fair. It’s the right of equality. It’s very basic.
Except that the RTI Act allows this simply because disclosing this information is in the public good. So just like you have exemptions to tackle frauds and crimes and other things, there is an argument that this should be covered in the exemptions.
Here, if there is an argument, if there is a legitimate thing, then the DPB board can be the authority that person goes to to get information about that. Say if there is a case of embezzlement or something, then definitely there are provisions and law agencies can do it. We are concerned about some official matter in which action has been done not in public interest. Then we have the right to see what are the circumstances under which the action was taken.
Right now that is information that can be shared by the information commissioners themselves.
Even now, that is not getting affected anyway; only the personal information is all that is getting covered by the DPDP bill. And it should be applicable to all citizens. It’s quite logical.
Data Protection Board. Since you mentioned it. And this is something on which you must have received a lot of feedback… There are fears that it won’t be independent.
Very few people think that. Most people understand that the independence comes from the law. Independence doesn’t come from appointing a certain individual or the process of appointment. The best of the institutes in the country, which are independent…. RBI, SEBI, EC, everywhere organisations are done by the government. But they are independent institutions where they derive their independence from the law under which they are created. Same will be the case here.
But ECI is a constitutional body. So, therefore, the government can’t impeach an EC whereas the DPB head will be liable to answer to the government…
I will give you an example… TRAI… It is an independent body…
But the appointments are made by the government.
Appointments are made by the government. TRAI is as independent as any organisation could be. There is sector after sector where such organisations are independent because they were created under a law, under a statute, that’s why we call them statutory bodies. This will be a statutory body. This is not a body that will be created by the order of a minister. It will be created by a law which is passed by the Parliament of India. And Parliament reflects the entire country. It represents 132 crore people of India.
What kind of people are expected to be on the DPB?
Mostly, our thought process is that we will be looking at people who understand data and the digital economy very well. People who understand what are the nuances of data protection, mostly professionals.
Is it likely that they will be retired government employees?
Very unlikely. Unless they really understand the subject really well. Mostly our thought process is to have professionals who understand law, who understand digital economy.
So it could be a mix of lawyers, technology people…
It could be a mix of lawyers, technology people, who understand the legal framework.
Because this board is key to the entire architecture of the law. Because everything eventually ends up at the Board.
Correct. See, we are today a digital economy in which we have 8.8 million people employed in just three verticals: start-ups, electronics manufacturing, IT services. I am not even adding telecom. Telecom today is another almost 6-7 lakh people. Together, this is a cohort of 8.8 million people and this is going to go to 20 million or 30 million in the coming years. In this kind of digital economy it is our duty to get all the right constructs, all the right legal and regulatory frameworks so that when we grow we should have a smooth path. The PM wants a comprehensive framework to be made. He says our digital public goods have made us proud. We have created solutions that many other countries have not been able to create. Now we have to create a digital legal infrastructure which tomorrow becomes an example for the entire world. People are struggling everywhere.
Which looks at interests as opposed to technology; it has to be technology agnostic. Because the big problem with earlier technology laws is that they were too married to the technology in question so that when tech evolved, they became irrelevant…
So, for example, how do you define a significant data fiduciary? Something as fundamental as that the whole world was struggling with. And generally, the thought was you keep a certain number of subscribers or transactions. And when we have come up with this construct, everywhere people have started noticing it, and a very senior lawyer said recently that section 11(1) may be copied by many countries. Because it is a very comprehensive framework: volume, sensitivity, potential impact on the sovereignty. It is a simple, comprehensive and logical way of looking at it and each one of them is an important factor. And every country is interested in it. And why can’t we do this, when we have been able to create such technologies? Why can’t we create a legal structure that becomes the entire world’s template? So, for example, the DPB, it will be born digital. It will remove the barrier between a person who has access to justice because of the location or because of education level or financial resources and a person who doesn’t have financial resources, doesn’t have education except being able to use a smartphone and doesn’t have the location advantage of a Delhi or a Bangalore or a Chennai. So, think of those things from where government is coming. Government is thinking of — can we provide equal justice to a person sitting in Bangalore and a person sitting in Chhattisgarh? Can that be the same, can we create a construct (where) just by a WhatsApp message justice can be accessed?
One of the benchmarks for such a law are the European laws. And over the last several months there has been a view that these laws have gone a little too far and stifle innovation. Do you think our law has achieved that balance?
Absolutely. And that was one of the fundamental objectives of this drafting exercise. We have been able to achieve the balance between innovation and privacy, and that was one of the major objectives of drafting, and we have a vibrant digital economy in the country. We have tried to make sure our digital economy is not constrained by the compliance burden of a complex law.
To come back to the bill. Section 43(A) of the IT Act allowed damages for data breaches. It gave individuals the ability to seek damages. This data law seems to do away with that.
Again, I’d like to say that there are certain horizontal bills we are creating that will address certain verticals and sectoral regulations. This bill is purely laying the foundation of privacy principles. The Telecom bill is laying the foundational principles of the carrier. Tomorrow there might be another foundational bill for content. All the residual things that are there are being considered in the Digital India Act, which is in an advanced stage of drafting. We should be able to come out with a consultation paper in a couple of months. So take a look at everything in a comprehensive way. The IT Act’s replacement is the DIA.
The bill also does not address the provision barring inter-company data sharing.
The problem with that construct is: who is going to be responsible for compliance with the law? The compliance obligation has to be very clear. The person who is collecting the data should be the one that is responsible for compliance with this Act. It cannot be 10 different people.
Will your rules prescribe a timeline for breaches? I’m asking in light of the AIIMS incident.
Depending upon the significance of the breach and the harm that the particular breach can cause, there should be a nuanced way of looking at this. That’s why we didn’t hard-code a number of hours in the law. Rather than that, we have said that depending upon the various factors there should be a reporting obligation. Our focus is primarily, again, creating a Bill that will be able to cater to a variety of systems. Instead of hard-coding 72 hours, it should be able to cater to something where you should be able to provide information in seconds. An attack on a power grid, that has to be informed in minutes and rectified in seconds.
What is the next step? When will the rules be formulated?
So the PM gave us a clear mandate that the consultation process should be very, very meticulous. So the target is the budget session. Rules will be drafted in parallel. They will be as simple and concise as the law is.
Why did you decide to do away with categories such as sensitive, critical and personal data? These were crucial to the previous versions of the bill. For example, the PM’s data, or financial or health data were classified as sensitive, and the government stated that they be maintained only in India. But now we are talking about maintaining personal data in other countries. What was the rationale behind doing away with the differentiation?
If we hard-code what is sensitive, what is super sensitive personal data, then we are creating a situation where it is tough to administer the bill and implement the provisions. It will become a super complex maze of legal challenges that most of us think will be very difficult to implement. The alternative is to create a framework and some factors that can be considered before implementing a decision. In section 25(2), six-seven different groups of factors have been stated. These are considered before you take a final call on a particular subject. These are nature, gravity, duration, and more. We also cover the types of data that are affected by the non-compliance, the realised situation, as well as actions taken to mitigate the effect. We look at the complete picture and then take a holistic call.
Does that not give you the power to define anything as sensitive personal data?
Absolutely not. Everything in this law is challengeable in courts. The structures we are creating here, such as the independent board, votes, review of order: these aspects can be challenged in court. Such structures serve as checks and balances in the society. Nobody can go one way.
About cross-border data transfers. First you said that certain trusted countries are allowed to store personal data. There might be a methodology to determine a trusted country. But this may open us to further harm and attack.
In the data economy, we don’t have the situation like a port or an airport where we can have a physical check. In this economy, we must look at what is the reality of this sector. Now, the whole world today has come to, more or less, an understanding that there need to be some principles that must be followed whenever we process personal data. Those are the principles we have to focus on. Let’s say you send an email to your friend or colleague in the U.S. Is there a way to check that data must go from this border to that border, that data has to go from one place to another place? Therefore, those constructs are understood well. The focus is more on the protection principles. We should focus on ways to implement those principles.
Would you classify financial data as personal data?
What we have kept in this bill is that the sectoral requirements of different sectors will be considered important. These will ride over these horizontal basic principles, foundational principles. Tomorrow the health sector can say that XYZ are examples of health-related data and can set conditions which they would like to impose over and above this. The financial sector can also do that. However, the bill takes precedence as the final foundation. Suppose tomorrow some sector says that I will not have a consent requirement. That cannot happen. This is where the precedence of the bill comes into play.
For example, RBI mandates that financial data only be stored in India?
That is over and above this bill. This is the foundation. You can have 10 more different things on top of it. The financial regulator will prescribe rules for financial data. Those regulations will hold. No other entity can reduce the principles that are there.
Are there other countries that have done this kind of whitelisting? What has been the experience on that?
Mostly countries have followed the principles of adequacy of protection. That is the way they generally operate. They look at the laws, see the systems as well as the principles. Today, Indian companies are processing the personal data of millions of people. So, people understand that we are a trusted country. All the credit card data of the world is processed in India. So, we see ourselves as a trusted country. We must consider many factors.
Many have also argued that this bill gives leeway to big tech. Last time, there were provisions for algorithmic fairness and psychological harm. The financial penalties were 4% of the global turnover. Whereas now, there is ambiguity whether it’s 500 crore or 250 crore.
First, we are laying the foundational block of the digital world in this bill. How social media should be covered is not a subject of the digital data protection bill. The subject is the privacy of the citizens. As I clearly said, these two are horizontals and there would be certain other verticals that we would cover. So as and when those verticals come, we can see what is to be done. Second, the percentage of revenue as penalty is a very difficult construct. We have seen the mess created in telecom because of the misinterpretation of the word revenue. So, it’s better to learn and create a firm number rather than a percentage number. Third, the 500 number is basically the limit for subordinate legislation. The schedule of a bill can be amended by executive decision which has to be ratified by the Parliament. How much it can be amended has to be ratified by law. The law says that this number 250 can go max up to 500. Suppose we take it to the Cabinet tomorrow and say that this item number 1 under schedule number 1 column number 3 must be amended from 250 to 500, we can do that. But we cannot go beyond 500 in this amendment.
Isn’t that too little?
For each instance it is 250 crores. You make 1000 instances, and it becomes exponential.
It is also unprecedented to have responsibilities (duties) and fines for data principals, which includes a fine up to ₹10,000. Isn’t this best left to contracts entered into between the data fiduciary and principal?
We did this in the telecom bill. I must mention the fundamental duties in the Constitution. Duties are as important as rights. If all of us do as we are supposed to, then rights will be enforced. This is what the honourable Prime Minister has emphasised. Look at the duties we have put. ‘A data principal shall not add a false complaint’. It’s a fair duty. Shouldn’t it be there? Then, ‘a data principal shall not furnish false particulars’. These are basic duties in a digital economy. Every person getting onto the digital has to follow these duties.
What has the feedback been? The earlier versions invited a lot of opposition; many of the tech companies said that it would stifle innovation, cross-border interactions.
Feedback has been very good. From a cross-section of society. Certain concerns have been raised about the independence of the DPB, which we have clearly explained is enshrined in the law itself. Yes, the second thing is that people have found the exemptions and other things are limited; it’s not the broad-brush exemption that was in the earlier draft. People have really appreciated the ability to understand this bill in an easy way. People are looking forward to the digital innovation.