
Would be difficult for businesses to operate: Legal expert Rahul Matthan on data protection Bill
Rahul Matthan, a partner-lawyer in technology and media practice at the law firm Trilegal and author of Privacy 3.0, spoke to Hindustan Times about his understanding of the draft Personal Data Protection Bill, what works and what doesn’t, and the way ahead. The proposed law drafted by a committee headed by former Supreme Court judge BN Srikrishna was submitted to the government on Friday. Edited excerpts:
After having taken a closer look, what are your thoughts on the draft Bill and the committee’s report?
When you read the Bill and the report together, you realise there is a lot in the report that fleshes out some of the concepts in the Bill. There is a significant discussion around the concept of significant data fiduciary. This is a category of data fiduciaries which, on the basis of large volume of personal data processed or turnover, is subject to a higher standard of privacy. For these fiduciaries, there are additional obligations that would apply, such as doing a Data Protection Impact Assessment. They are quite significant obligations. It would apply to a certain class of fiduciaries, such as hospitals, which possess a lot of medical data.
Could the law have been retrospective?
I don’t think so. It is terribly complicated as it is. The law says that anything going forward from the day the law takes effect needs to comply with the law. Even that is really complicated, because it’s not like everyone is going to stop processing data, wait for the law to come into effect, and start again.
The draft Bill says it aims at combining user data with common good for citizens. Do you think this draft Bill has achieved that?
That’s a really difficult question. One of my concerns with the Bill is I think it’s going to become very difficult for businesses, the data fiduciaries, to operate. Companies are not used to this level of collecting or processing personal data. That would be a huge shock to the system. The Bill talks more about direct data collection, such as data collected from a person to open a bank account. It doesn’t say much about the data collected, say for example, by Netflix to target better movies at you. When it comes to this, it is going to be much more challenging for both businesses as well as users.
Also read: How India’s proposed data privacy bill compares with protection laws across the world
What will this mean for Aadhaar? Has the committee underestimated the concerns on Aadhaar or is it right?
Aadhaar will be subordinate to the data protection framework under this law. The Aadhaar Act may have certain provisions that talk about how you need to protect information under it. But Aadhaar will be used outside this construct as well. Now those uses will need to come under the larger data protection law. There is a recommendation that says the Aadhaar authentication services must be used only by the government. It is not the place of the committee to look into that as it is a matter currently before the Supreme Court. So it’s unfortunate that recommendations on sub-judice matters have been made.
Is the draft tilted towards government regulation?
In only one case. The whole penalty regime is meaningless to the government because they don’t have a turnover. Paying a penalty is not an issue for them. This is a serious gap in the way the framework is structured. There is a section for offences which applies to both people as well as the government. But the government has several exceptions. So how are we going to hold them accountable?
How will data localisation impact businesses?
I think this is a very serious concern. There are many views on it and it’s a polarizing topic. I don’t think we should have data localisation. I think it’s not good for business. The recommendation to have a mirror server in India is also a bit of a problem. Start-ups can easily open an Amazon cloud server and just start without any expenditure. Once you start this data mirroring, it’s going to be very difficult. I have a feeling this is going to have a chilling effect on innovation.
What does this mean for Facebook and WhatsApp as well as their users?
Both Facebook and WhatsApp comply with Europe’s General Data Protection Regulations (GDPR), so they will already have similar kinds of provisions in place. So they can modify their privacy slightly, at least for the plain vanilla clauses, to comply with the Indian law. But it does affect them in the case of data localization. They may have to look at how their costs are going to be affected.
Users get the ‘Right to Data Portability.’ It’s there in GDPR as well. You can ask Facebook to give you a copy of all the data on you, it’ll be given to you. Can you port data such that your likes and profiles on Facebook can be shared with, say, Google? That is special media graph portability, which is something that all the social media giants have been resisting. I don’t know if that is the extent to which data portability will go.
What are some of the recommendations you would keep, and three you would modify or discard from this draft?
A lot of the general obligations are all fine. I like the data portability framework. It is very powerful for users to move data from say one person to another. And you can do it through a consent dashboard. In my mind, I think they have gone overboard with notices, obligations to maintain a record of consent. I am very keen to remove data localisation provisions. As much as we say we must do Artificial Intelligence and big data, this Bill can even harm them due to the purpose and use limitation. Big data works on a lot of data. Only de-identified data that can’t be traced to an individual should have been allowed for data fiduciaries to use for big data. This would have been a forward-thinking way.

Stage set for mega tractor rally; Parliament march on Feb 1
- The police say about 30,000 tractors are likely to participate in the rally, but farm leaders said the number of vehicles will be closer to 200,000.

Republic Day 2021: List of police personnel who received gallantry medals
- The break-up of 946 police personnel who have been awarded medals on the occasion of the Republic Day, 2021.

'Change lifestyle to adapt to climate change': PM Modi
- "We have promised ourselves that we will not just meet our Paris Agreement targets but exceed them...” PM Modi said.

Willing to resign, Nagaland Lokayukta tells SC, seeks protection from state
- The Nagaland government had come to the Supreme Court in exceptional circumstances for orders to restrain the sitting Lokayukta from hearing any case or exercising his powers or functions under the Nagaland Lokayukta Act, 2017.

He deserved top medal: Col Santosh Babu's kin disappointed with Maha Vir Chakra
- His mother said she was not at all happy to receive the news that her son was conferred Maha Vir Chakra. “I expected the top medal, not this,” she said.

Republic Day 2021: Govt announces gallantry award winners. Full list here

'India foiled expansionist move in Ladakh': President's veiled dig at China

President Kovind says Indian armed forces 'adequately mobilised'

Attending Republic Day ceremony in Delhi compulsory, Govt tells officers
- In a letter sent to all government ministries and departments Cabinet Secretary Rajiv Gauba warned "that serious view would be taken" against those who fail to attend the ceremony despite invitations

Odisha meets over 92% of Covid-19 vaccination target, leads among all states
- Of the 1.92 lakh beneficiaries that were to be vaccinated till January 25, the state has covered 1.77 lakh.

Republic Day 2021: Tarun Gogoi, Ram Vilas Paswan among 10 Padma Bhushan awardees

Senior officers must attend R-Day event at Rajpath or face action: Govt

Full text: President Ram Nath Kovind’s speech on eve of 72nd Republic Day

Rahul Gandhi wraps up Tamil Nadu campaign; attacks AIADMK, BJP
- “The chief minister is corrupt so he’s being controlled by the prime minister,” said Gandhi during his roadshow in Karur district.
