Anirudh Burman and Srinath Raghavan discuss the implications of India's draft personal data protection bill.
(Intro) Srinath Raghavan: Hello and welcome to Interpreting India! I’m Srinath Raghavan and this is a podcast presented by Carnegie India. Every two weeks, we bring to you voices from India and around the world as we unpack the role of technology, the economy and foreign policy in shaping India’s relationship with the world.
The Indian parliament is soon going to discuss the personal data protection bill. While the public debate around the right to privacy is still very sharp, this bill has expanded the controversies of the discussion by bringing into focus the mechanisms through which the government aims to protect the personal data of individuals. There are also several unanswered questions that center on the bill. How effectively can the government enforce data protection? If the bill does get passed, what impact will it have on the Indian economy? To unpack some of these questions around the data protection bill, we have with us today Anirudh Burman. Anirudh is an associate fellow at Carnegie India's Political Economy program where he works on issues relating to public institutions, public administration, and the administrative and regulatory state as well as its capacity. Most recently he has authored a soon-to-be-published paper analyzing the privacy bill and its impact on India's political economy.
Anirudh, welcome to Interpreting India!
Anirudh Burman: Hi Srinath, thank you for having me over.
Srinath: I want to start by asking you a little bit about the context and the background, that this particular draft bill that is now being tabled in parliament. What exactly is the legal, jurisprudential and public policy debate surrounding privacy and data, which is really important for us to understand and in which in some ways might be framing this particular piece of legislation itself.
Anirudh: So Srinath, we've had a jurisprudence on privacy that's gone back since almost to independence, since the 1950s. But this debate's become really important in the last 10 years or so since Aadhaar came into existence. And so it would be helpful to think about how it's evolved since Aadhaar was first conceptualized and implemented in India. The idea initially behind Aadhaar was to use it mainly for social welfare programs to identify leakages, to identify ghost beneficiaries and to weed them out and to make social welfare schemes more efficient.
Over time, what happened was that its use was expanded to other purposes which are not social welfare purposes, such as, say doing your customer norms for telephones, for linking your PAN numbers to your bank accounts and so on. And as this started happening, it became contentious because people started talking about the use of Aadhaar being all encompassing, being mandatory - it was even used for school admissions. Right. And this created a debate around what should be the uses of Aadhaar, whether it leads to exclusions and to the degree to which it actually curbs individual privacy. And what was happening parallely was we had a, in the US we had a massive leak by Edward Snowden who revealed that the US NSA was actually looking at a huge amount of information, even foreign government information. And parallely in the European Union, we had the introduction of a draft privacy law that would affect the entire European Union. This was the general data protection regulations or the GDPR and all of that also fed into the debate around Aadhaar and privacy that was taking place in India.
Srinath: And this issue came up before the Supreme Court?
Anirudh: Yes. This issue came up before the Supreme Court. People challenged the constitutionality of Aadhaar and the Supreme Court said, look, we can't decide the constitutionality of Aadhaar unless we are completely unambiguous as to whether there's a right to privacy under the constitution. So they created a larger bench of the Supreme Court to go into that issue, and that bench fairly clearly said that there's a right to privacy under the constitution and that informational privacy is a part of that. Right. So a lot of the data protection legislation would actually get some kind of a constitutional support from that ruling of the Supreme Court.
Srinath: So can we just talk a little bit more about that particular ruling, that is the Puttaswamy v. The Union of India judgment, which was given by the Supreme Court, which defined, as you said, privacy as a fundamental right. But did it go into anything more about what modes of privacy? What exactly was privacy supposed to protect? Or was it more at the level of saying, listen, this is established as a fundamental right, now it is more about dealing with broader issues of constitutionality and what the government's actions are in any particular instance?
Anirudh: Well, the judgement is interesting because most of the previous cases before the Supreme Court, there's been a specific fact that has been in dispute. So for example, the earliest case before the Supreme Court on privacy was about whether the police can actually go into a known or a suspected criminal's house at night to check on whether they are at home and privacy was being discussed in that context. In this nine-judge bench - the Puttaswamy Judgment, there was no specific fact around which the Supreme Court was trying to examine the right to privacy. It was more of a philosophical, or a doctrinal examination of what should a right to privacy actually include.
Srinath: And the Court itself said that they were trying to come up with some kind of doctrine?
Anirudh: Yes, they say as much, they say that there's been a long line of cases which has talked about the right to privacy. Our endeavor here is to actually think about a doctrinal formulation of what a right to privacy should be.
Srinath: Is that quite normal in jurisprudence or would you see that as an instance of judicial activism of some kind?
Anirudh: I definitely think there's an element of activism involved. It becomes risky when judges are completely detached from a factual situation, because usually judges are supposed to interpret the law as it applies to a specific fact. Right. And here that was not the case, here they were thinking completely theoretically as to whether there should be a right to privacy under the constitution.
Srinath: And how did the Puttaswamy (Judgement) then feed back into the bigger hearing on Aadhaar?
Anirudh: So what the Court said was yes there's a right to privacy, but the state has a right or the state can infringe on the right to privacy in certain circumstances and it laid down a test. It said that if there is a particular legitimate interest that the state is trying to perform, for example: national security or social welfare schemes, it can actually infringe on the right to privacy in this larger interest provided that the means it is using are actually narrowly designed to meet that objective. So you can't have mass surveillance if you are trying to catch a terrorist, but if you are specific enough in how you try to go about infringing individual privacy you can actually do that and that would in turn then be determined on a case by case basis if it comes before the courts. So that was the broad test laid down by the Court and then that test was applied by the Supreme Court in the Aadhaar case. So they basically said that Aadhaar is constitutional and the use of Aadhaar by the state for specific purposes is constitutional, but it is not so for other cases. That's how they actually went into the Aadhaar issue and decided it eventually.
Srinath: In some of your writings, which we will link to in the show notes so that our listeners can also read those pieces, you have made an argument saying that the right to privacy in some ways is a very abstract conception of the right. That in a sense how privacy operates can change from situation to situation, context to context. What say, obtains in the context of a property kind of thing, might not be in the context of another say financial piece of, you know, our privacy on another human situation which involves say issues of marital rape allegation and so on. So there are a range of social contexts within which this question of what constitutes privacy operates. Could you just elaborate a little bit on that?
Anirudh: Yeah and this also goes back to the problem with the judgment, which is that it's looking at privacy devoid of any specific context. And if you look back at the most seminal writings on privacy, the doctrines that have evolved, they all come from a discussion of what privacy means in a specific context. Right, so, probably the most famous writing on this is a paper in 1890 by, uh, Justice Louis Brandeis and his colleague who actually talked about a right to privacy and that then got taken up by courts and then by legislatures. But they were also talking about a situation where a person who is walking down the road gets a photograph taken without their consent. And that photograph is then published and there's some kind of a reputational harm or injury caused to that person because of it. So privacy was a means to try and protect that injury from occurring. It was not that we were trying to protect privacy in itself and that's something that this judgment and the subsequent developments seemed to be losing sight of, which is that what you're trying to protect, is more important than the notion of privacy itself. So you actually have to think of privacy very specifically in the context of, say, how you protect your emails, how you protect your online behavior, versus, how you would protect your bank information, or your financial information, or how you would protect your health records. The ideas of privacy that would apply to each of these would be slightly different depending on each context.
Srinath: But is it realistic to expect a Court to be able to go into all of those circumstances and actually come up with the jurisprudence which covers so many possible, you know, circumstances in which privacy operates?
Anirudh: Yeah, so I think it is not possible to do that, and which is the primary reason why I think the Court should not have done it. It should actually have decided privacy in the context of Aadhaar. Rather than say that we'll first decide whether there's a right to privacy and what that means, and then decide Aadhaar.
Srinath: Right. So the abstract doctrinal approach then in a sense, you know, takes away from the specificity of the Aadhaar issue itself. So let's talk a little bit about the draft data protection bill, which is now going to be tabled in Parliament, what was the background to this? We know that this draft was prepared by a committee led by Justice Srikrishna. Could you just talk a little bit about how that committee came to be constituted and what was the process through which this draft has been arrived at?
Anirudh: So, like I said, there was an argument that we need to protect data in the context of the ubiquitous use of Aadhaar that was occurring. At the same time, we also had the rapid digitization which is still occurring in India - a lot of people are coming online for the first time, people are using social media platforms, and India is getting more and more interconnected through online platforms. People who are interested in privacy were also looking at the challenges that were emanating to, say, society and to individuals from online behavior in other countries like the US, like the European Union.
And they were paying attention to the legal developments that were happening in order to try and meet these challenges. And because the European Union formulated a fairly all encompassing, overarching data protection regulation, a lot of Indians thought that we should also have something similar. And that gave rise to a demand for a data protection legislation in India. We already had the Aadhaar case, which was pending before the Supreme Court. So the government went out and constituted this committee headed by Justice Srikrishna. And the committee followed a fairly participatory process - they put out an initial draft, public comments are solicited on the basis of it and then they came out with a final report and a draft legislation. So the report actually gives out a lot of the underlying reasons or the rationale for why that draft legislation is the way it is - that is their draft Personal Data Protection Bill. We don't have a final government version of that bill yet, but it's been listed for introduction in Parliament.
Srinath: And what were the most important features of the draft bill drafted by the committee?
Anirudh: So it does three, four big things. One, it says that no person can collect data without an individual's consent and that consent has to be given fairly explicitly in a detailed format, laying out all the reasons for why you are collecting that data, what data you're collecting, and then you actually cannot use that data for other purposes. If you want to do that, then you have to collect consent again.
Srinath: That is the agency which is collecting has to get the consent again?
Anirudh: Right, whether it's Facebook or an auto dealership or a real estate company. If you collect data for a specific purpose and then you want to use that data for something else, you have to take consent again. Right. So that's one big thing. The other is it creates a fairly long list of obligations for companies that are going to use and process data. And this includes stuff like designing backend systems for actually collecting that consent, creating an internal categorization for different categories of data. So if it's personal data, you have to keep it in a separate bucket, if it's sensitive personal data which is defined in the bill then it has to be in a separate bucket and so on. You have to create a certain kind... amount of safeguards for how you will protect that data, how you will give access to people internally. You've to appoint a data protection officer who's actually going to monitor your firm's compliance with this entire Bill. You have to do occasional data audits. You've to actually report to the DPA (Data Protection Authority) if you have a breach in your systems and your, the personal data in your system is compromised. And then you have to give users or people who've given you their data a set of rights. You have to give them access to the data that you've collected. If they want, they can demand that you correct the data if there's some inaccuracy. And in some cases, they can ask you to delete the data that you've collected.
Srinath: And they can even migrate it to some other...
Anirudh: And they can also migrate it to others. And the bill allows you to charge a fee for doing all of this, but that fees will be specified by the Data Protection Authority. And that's the third big thing, it sets up a Data Protection Authority, which is going to actually ensure that all the stuff in this Bill is actually complied with. It's also going to write a bunch of regulations to require firms to ask for, say, consent in a particular way to define what kind of purposes are illegitimate or permissible in the Bill, and to actually adjudicate any complaints or grievances that might come up. And lastly, it can also impose fines and penalties on these firms who actually violate this. And the penalties are fairly high - it can go up to 4% of a firm's global revenue in a year. That's a fairly significant amount.
Srinath: So let's talk a little bit more about each of these key strands in some detail. I want to unpack some things that you mentioned here. I was asking myself was what exactly is this Bill seeking to protect?
Anirudh: So it would seem that it's trying to protect privacy and an individual's data, and to protect misuse of an individual's data without their consent. The problem is that some of the frameworks that the Bill has used might not actually lead to effective privacy protection. So for example, consent is a very important part of what this bill is trying to do and regulate, and to make sure that your data cannot be used without your consent. The problem is that the entire notion of consent came about in the 1960-70s where you had a very few large companies that have held a huge amount of data. These were big banks, big health companies, credit information companies, and mostly governments. So it was easy for people to actually have an idea of where their data is at any given point of time and then to consent to the use of that data.
That entire thing has completely upended in the last 20-25 years. Beginning in the early nineties, with the spread of the internet, people were starting to say that look, this idea that users will be able to meaningfully understand where their data is stored and to give consent, is becoming more and more questionable. And now that we are in the age of big data, artificial intelligence, it's going to become even more problematic.
Srinath: And also it seems that consent is usually bundled in, right? I mean you can't like choose to say that I will not consent to some provisions and to others.
Anirudh: It's going to be a problem to regulate consent in that sense, because, in order for it to be effective, it has to be meaningful, right? Otherwise it's just going to give users an illusion of consent and users are going to think that just because they are ticking on more boxes, their data is being protected better - that might not actually be the case. And that could actually lead users to give out more data than they would otherwise. So it could actually be counterproductive in that sense.
Srinath: That's right. The second thing which you mentioned is about this kind of fiduciary relationship which is sought to be created between the individual and whichever is the agency which collects the data. Could you just explain what exactly that means?
Anirudh: Well, the Srikrishna Committee Report and the Draft Bill, the both have this idea of a fiduciary, which is a concept used in some other kinds of relationships like: lawyers and clients, doctors and patients. And the idea is that the lawyer or the doctor is in a position of trust and not merely of a contract between the lawyer and the client. And therefore, because you're in a position of trust, you have a higher degree of responsibility towards your client - that concept is being imported here. And I can get the, the rationale behind it, which is because you don't have a sense of how your data is going to be used and stored, the company that's actually accessing your data should have some amount of trusteeship in how they actually manage your data. It should not be driven purely by, say, profit motives and so on. The problem is that it might not, again, lead to effective privacy protection. The idea of trusteeship is easier said than done, because, how lawyers are actually in a position of a fiduciary relationship is something that courts have determined on very specific situations from time to time. Again, how doctors have a fiduciary relationship is something that courts have determined over a period of time, and that has then been used by legislators and parliaments to write a law. Here we are doing it the other way around - we are saying this is what a fiduciary relationship means. Right. So in that sense it's slightly different from what other fiduciary relationships are in society. So how it's actually going to be different from other relationships, is something that we are not yet clear on.
Srinath: Okay. That brings us to the third sort of part of this architecture, which is the Data Protection Authority itself. There seems to be a fairly large regulator even by those kinds of standards or regulators that we've had in India since liberalization, isn't it?
Anirudh: Yeah, it is, and the important part about this bill is it's not going to be limited to only big tech companies. If you are collecting data of more than a hundred people and your turnover for the year is 20 lakhs or more, you are going to be within the Data Protection Authority's ambit. And that means real estate companies, hospitals, banks, insurance companies. But also people who say customer onboarding, whose job primarily is to just go out into small cities on behalf of banks and companies and collect data for onboarding customers so that they can then start accessing some services like insurance and so on. It would also affect auto dealerships, marketing agents, anyone who collects data for the purposes of exploiting it. Restaurants who collect your phone numbers so that they can, you know, give you a goodie on your birthday - it would affect all of them. So it's cross-sectoral, it affects a large part of the economy and the DPA therefore is going to have a huge challenge on its hands because it's going to have to regulate uses of data across many, many, many parts of the economy. Health data, financial data, biometric data - all of these, and these will all have different applications and different implications in every sector. So for the DPA to actually be able to build that kind of expertise, it's going to be a hard task.
Anirudh: It might be the biggest challenge and we've generally seen that India has fairly low regulatory capacity. There are indexes out there that actually compare how much regulatory capacity different governments have and compared to OECD countries which have a data protection law like this, our capacity is fairly low. So we are importing a framework that countries with a high regulatory capacity use, for our own country and that is then going to make the task of regulating this entire field that much harder. Also the nature of data in itself is very hard to regulate - data increases almost exponentially every time you go online, you're creating more data. So for a DPA to come in and then be able to effectively regulate this entire field, it's going to be quite hard.
Srinath: And isn't there a more fundamental paradox at work as well, which is that in a piece of legislation, which is ostensibly about protecting something, which is a fundamental right, according to the Indian Supreme Court, we are now creating an administrative and a bureaucratic organization, with extraordinary sweeping powers or all of society for surveillance and so on.
Anirudh: Right. I mean that's the irony of it, you create a cross sectorial body, which has the powers of say, search and seizure. It can search any premises of a company that is collecting data. It can seize information, it can seize documents. By definition, that is the power to monitor the use of data. So if you bring your complaints saying, "my data was not collected properly without my consent", the DPA can go to the business and ask them to open their system and show them whatever you're collecting. So you're creating a regulatory authority that's going to be more powerful than all the businesses who are apparently violating your privacy.
Anirudh: And like you said, I mean that's the paradox that...
Srinath: And then, all offenses are not bailable, right?
Anirudh: A lot of the offenses are non-bailable, so what they've done is there is a system of fines and penalties, and then there are harms for which you can actually be criminally liable. Uh, the harms are generally occurring when you collect data without consent, and then that leads to harm. The fines and penalties are there, even when you, say, collect data with consent, but then you didn't store it properly, or you mixed personal data with sensitive personal data, or you were supposed to do an audit and you didn't do the audit for things like that.
Srinath: What do you think is going to be the broader sort of economic consequence of bringing in such a regime, right? Even in the context of the GDPR, which is the sort of regulation which came up in the EU, there were these studies which suggested that this would have an impact, say, on small and medium enterprises.
Srinath: Even in the context of the European Union, very advanced countries, uh, that even for them to be able to reach these degrees of compliance will mean significant costs have to be absorbed. There are other kinds of demands of having, you know, certain kinds of new roles created within companies, which will again impact on their uh... So, so there are broader economic impacts.
Srinath: And I'm just wondering aloud whether in the context where small and medium enterprises in India are still trying to cope with, say, GST regimes.
Srinath: You know, we know that that is where a lot of the pain has been felt; it’s a new system.
Anirudh: Absolutely. Yeah.
Srinath: Is it really such a great idea to bring another such large framework, but so many compliance requirements and such stiff penalties?
Anirudh: No, absolutely. I think we have to be much more pragmatic about how we do this. Uh, and what I am trying to argue with that rather than have this broad preventive framework, which is, which a lot of people are anyway arguing, is not actually going to protect privacy. Let's focus on what are the injuries that people suffer from a lack of privacy, right? Or from people, uh, or of having their data misused. Uh, I think that's a far more modest and sensible way to do it because if you look at what's currently in the bill, uh, it's going to be a fairly humongous set of requirements imposed on small businesses, especially. Uh, for example, you will have to create like a consent architecture. You will have to know how to segregate different kinds of data. Uh, you will have to be very careful in who gets access to what data. And uh, if you look at the census as the economic censuses, uh, most firms in India are fairly small. And they are one person shops, two persons shops. So if you look, if you think about actually applying this bill to them, it's going to be a fairly significant cost. Uh, having said that, the bill does exempt, uh, some small businesses. My point is that it's not enough because as soon as you collect the data of more than a hundred people, you are basically governed by the small and then everything applies. And so it doesn't really have enough of a carve-out to exempt small businesses from actually being able to protect privacy in a meaningful way while at the same time not being shut down due to fairly burdensome compliance.
Srinath: And do you think it'll have any kind of implications for flow of investments into India, particularly with this requirement of localization of data, which means obviously, you know, greater outlays on the part of any company which wants to set up entities here.
Anirudh: Okay. It's hard to say. The problem is that there's been, there's very little empirical work being done on this. Uh, it ICRIER come out with a report recently which puts out some figures on this and they argue that there is going to be some kind of a negative impact. Uh, but on a broader scale, if the bill affects the way small businesses grow in India and economic growth is affected by it, then yes, foreign investors will have less of an interest in coming to India. I mean it's as simple as that. Uh, and again there's been no empirical work on how much it will affect small businesses, but you just go through the list of compliances and you realize it's actually a fairly significant burden. So it might definitely have some impact on the way people think about India as a growth story and so on.
Srinath: Of course, we are recording this episode on 29th of November the bill is yet to be tabled and I'm sure there's going to be a big debate. So this is perhaps an issue that we may want to come back to you for a subsequent conversation.
Srinath: As our listeners are trying to think about this particular issue, which is going to be a fairly significant piece of legislation which is coming up, uh, is there any particular book or a report or an article that you think would be useful for them to understand the intricacies and the implications of these are frameworks which are coming in now.
Anirudh: I think that two or three good documents on this, one is the Justice Srikrishna Committee report in itself, which lays out why this bill is important and we've discussed problems with it, but it's still an important document to go through. The other is a very interesting book called "AI Superpowers" by someone called Kai-Fu Lee, who's a Chinese venture capitalist and he basically talks about what makes the US and China superpowers when it comes to artificial intelligence. And it gives very good insights on how both these countries have been able to take advantage of the data that they have and how they've both used different strategies. And that also tells you that it's not just about doing one thing like localization or one other thing like data protection, it depends on a host of factors on whether you can actually become the next AI superpower.
Srinath: Fascinating. And we'll link these as well in the show notes. Anirudh, thanks so much for being with us today. It's been great talking to you.
Anirudh: Thank you for having me over.
(Outro) Srinath Raghavan: Thank you for listening to this episode of Interpreting India, a podcast presented every two weeks by Carnegie India. I'm Srinath Raghavan. For more information about the podcast and the production team, you can follow us on social media and visit our webpage.