India is transforming into a digital society owing to increased internet penetration from 2015 onwards. With over 750 million active internet users as of 2020, India is one of the largest digital markets in the world, attracting global players. The rise in digital services being provided online by both the public and the private sectors has led to the generation of vast amounts of data. However, due to the unprecedented growth in internet accessibility, novel business models have sprung up that collect and analyse personal data for commercial purposes. Using personal data for commercial purposes without clear regulatory and legal frameworks poses grave risks to individual autonomy and privacy. There is a need to construct an institutional and legal framework to ensure the utmost privacy for individuals while encouraging businesses to innovate and expand. There exists a need for a more comprehensive law to address data privacy concerns. The Personal Data Protection Bill seeks to include many aspects of the European Union GDPR laws. There are several challenges in implementing an adequate data protection law, such as how to govern the use of big data by large technology corporations and how to strike a balance between national security and citizen privacy concerns. The esteemed panelists of the panel discussion organised by the SKOCH group discussed the various issues surrounding ‘Data Protection and Business Striking a Balance.’
According to Mr. Neel Ratan (Former Regional Managing Partner – North, PwC), the PDP bill is currently generating an interesting debate. If we look at it from a PDP bill perspective, it seems like the whole concept is really overdue in India. Hopefully, it’ll be a reality soon. Although the last has not been said on it, that’s a good point for the core principles around the consent of the data subject. The reason behind putting the data owner at the center is because that’s something we need. Hopefully, the legislation will provide some necessary rights, such as the right to confirmation and access, the right to correction and erasure, the right to data portability and the most important one, the right to be forgotten. But before all these rights can be exercised, a lot of innovation would be required. Mr. Neel Ratan further feels that the entire concept of data localization and some of the proposed relaxation is a never-ending debate. There is a simple example for those who talked against this. If we didn’t have any regulations in manufacturing cars in India many years ago, we would have been very similar to Sri Lanka or Bangladesh working only in second-hand vehicles. So, to develop the right ecosystem and protect privacy in India, we require this, but of course, with the proper control, which seems to be happening.
Misconceptions arising from the bill, particularly for MSMEs
To clarify the misconceptions arising from the bill, Mr. Sharad Sharma (Co-Founder, iSPIRIT Foundation) said, “No, I think it was going to be liberating for MSMEs. First, let’s step back and look at the principle behind this, which all of us are saying maybe my data is as valuable as my money. So, some rules exist for moving money, and if you are a custodian of my data, then there should be some rules that apply. Those rules are not rules that a particular business will agree upon. But those are societal rules. Those principles will generally apply to all custodians of my data. This is the broader context within which we are coming in. If we go a little bit back to history, we will get to know that in Italy or Florence, these banks have been in continuous operation for 400 years. The bank word is the Italian word for a bench. And the model form of banking had started from there.”
He further said, “Essentially, the simplest way of looking at what is happening now is that can we have the rule to stop someone from sharing our data without our consent. Unconsented flows of personal data are illegal. Now, the question is, how do we bring this to life? The fear is that in the act of bringing this to life, we will be burdened by regulations and systems that we don’t know how to follow. Here, I would like to explain what UPI is for a moment. So let us say, Neel, I owe you 100 rupees, so 100 will be sent from my UPI-linked account. Now, if I wanted to pay you 100 rupees in the pre-UPI days, I would go to Paytm, debit my Paytm Wallet and credit your Paytm Wallet. After this, you would get a notification from Paytm, so the job is done. Now in that system, you and I were dealing only with one party, and that party was paid to one party system. Then in August of 2016, we had a new system that can be explained as follows. After initiating a payment, it has to talk to my debiting system, SBI, and then it has to talk to your system. Let’s say you deal with HDFC Bank, and we are already up to four players, and the fifth player is NPCI. Now, five players interact many times a day to make money move in a friction-free fashion. In the time I have spoken, believe it or not, 1 million transactions have been done. We are doing 110 million transactions a day and 4 billion transactions a month. So, the people who use UPI are the ones who don’t have credit cards. So essentially, the same concept is coming now: if I have to move my data, I will consent on my phone, a feature phone, or a smartphone, and boom, my data can move from place A to place B.”
Sreenidhi Srinivasan (Principal Associate, IKIGAI Law) said, “The most significant institution here will be the Data Protection Authority or the regulator that would be set up. But, like many other data protection laws in the world, this one, too, is very principle-based. So, the actual implementation will come in through the regulations or the codes of practice. And suppose we focus on building this kind of institutional capacity under full authority. In that case, we will be one step closer to achieving this goal of safeguarding privacy rights while not killing businesses and MSMEs.”
Three challenges large corporates would have to pick up
In the early 90s, everyone doubted SEBI and thought capital markets would die. People questioned the feasibility of this legislation. In the last 30 years, India has become the largest country which is close to 100% demonetised with fully online trading activity and all the shortcomings. There is a need to focus on building a proper institution, not legislation alone. Legislations always help to develop more extensive and better businesses. Every regulation also drives specific actions. They are making a Passport which used to take three or four months. But now, the entire process has been made very easy with the help of technology. I think larger companies like regulations because every regulation enhances their ability to make more money. While they may creep into the public, it is true that whenever we bring in regulations, it enhances economic value for companies. Most concerns or focus must be on institution building because it’s all about enforcement. Second, clarity doesn’t stop innovation. If you have tech legislation that helps and promotes innovation, then it is far better than keeping it open-ended. Third, businesses are inherently designed to focus on compliance unless enforced in some form and shape because there is a speed to the compliance, and later, they always exist. So, if you can breach that inner mechanism, it’s a win-win for all. Regulations protect the smaller businesses from the larger enterprises. Regulations help smaller businesses to operate so that the giant whales don’t eat small fish in an unregulated manner. Today, knowledge is derived out of the data, and data comes out of us. So, it is wealth.
Are there any countermeasures that can make us feel safe when we provide our data to the government?
Mr. Vidhur Gupta (India Data Privacy Partner, EY) attempted to explain if any countermeasures would make us safe when we share our data with the government. He said, “Whenever government, state governments or the central government tries to identify beneficiaries, scheme beneficiaries, they virtually end up collecting a lot of personally identifiable information. This is done to see who those people are, their family members, age, social status, address, etc. Recently, we have seen how Aadhaar is also being linked. So, a huge amount of data is available; unfortunately, a diversity of the data might have been collected for different schemes. So, while there is a lot of digitization and collision or, in other words, a central amalgamation of the data, there are still various departments or schemes, which will end up collecting that same personally identifiable information for citizens multiple times.”
He further said, “Secondly, I see a big challenge when it comes to mass consent, especially because we have a huge population. For instance, many of us would have read about huge challenges and frauds, which happened with Jan Dhan debit cards, etc. I feel that it was a great initiative by the government. But, still, there were multiple cases where one identified person from the village would carry a bunch of debit cards and walk up to the nearest ATM with all the PINs. So now, having said that, a huge amount of personally identifiable information lies with various government entities. Hence, I don’t think there’s something comforting for a citizen like us.”
Mr. Ravinder Singh (Partner, Kalaari Capital & Crypto Economist) said, “Until and unless we solve this particular problem, through the nature of the problem, which is tech, just creating a bill for governance will not be sufficient. Now, how do we solve that? That’s a tricky problem because the amount of data generated today is generated more by machines, and we don’t have a common language between humans and machines. Hopefully, someday it will originate. But, unfortunately, it hasn’t happened for 14 years. So I don’t have any credibility that will happen in the future, but I hope it happens in the future. But till that, there have to be architectures and perimeters. Today I see hope in quantum, but again I see quantum as a threat too.”
Mr. Sharad Sharma agreed with Ravi Singh and said, “Ravi introduced a fundamental concept that the value of data is when it’s in motion. It moves because of two cycles. One is the inference cycle. For instance, I give my visa application; somebody infers whether I’m eligible for a visa. Then, again, I give my medical reports, and they infer what’s wrong with me. There are many more examples like this. So, this is the inference cycle. And that requires some movement of data. Second, more and more times, the people making this inference, the loan officer, the visa officer, and the doctor, will be assisted by machine learning systems, which will enable them to do their job better than they are doing themselves. And therefore, the other important cycle is when nonpersonal data or their data moves because it is training the machine learning cycles. So there are two reasons for data to move, i.e., the inference cycle and the training cycle.”
Mr. Sivarama Krishnan (Partner and Leader, Cyber Security, PwC India) said that the Indian ecosystem is building consent management for many banks. He further noted that “systems get no simplified. Only the usability is going to increase. The data governance and management incorporates are going to get improved. That’s a by-product, many things leading to larger business or opportunities for many technology services companies and professionals, etc. Hence, in some form or other, someday we will align.”
- More focus should be given to researching quantum.
- Efforts should be made to create more research courses and companies in deep learning and deep learning in cyber.
- The government needs reasonable timelines for compliance from the government’s perspective.
- Policy formulation has to consider all the recent developments in the area of commercial use of personal data so that legislation does not prove to be inadequate to handle the complex challenges in this field.
- The policy has to strike a delicate balance between necessary compliance and over-regulation.
- There has to be consultative dialogue with all the concerned stakeholders so that upcoming legislation can fulfill the tasks of protecting personal data and encouraging innovation.