The Centre for Internet and Society, (CIS) Bangalore (not to be confused with the CIS at Stanford Law School) has released a revised version of its privacy bill. I had blogged about the earlier version of CIS’s draft bill over here. While the new revised version takes care of some of the flaws that I had pointed out in my last post, the revised version is hardly satisfactory.
But before I go ahead to critique the bill, I do want to make it a point to commend CIS, especially its Director, Sunil Abraham on two points: (i) For taking on the task of drafting this bill and getting a debate going on the ground – privacy is becoming increasing important issue in India and it is good to see somebody leading the debate on this issue; & (ii) For being open to constructive criticism and correcting previous flaws.
Moving on to the issue raised in the title of this post, let me first provide our readers with the context of the bill and the stakes involved for India.
(i) The context of the Privacy Bill and the implications for Indian industry: Over the last year, privacy has become an increasing important talking point in the Indian press. For most part, the concerns seems to be targeted at the plans by the Central Government to implement sweeping surveillance measures over all electronic communications used by Indians. These concerns against the Government’s plans are similar to those voiced in the West, especially after the Snowden affair. While government surveillance is definitely an issue, an equally pressing issue is how companies like Google, Facebook (collectively referred to as ‘Big Data’) collect, use and sell user data. In the context of the Indian debate there is an added issue of the commercial interests of Indian companies which handle foreign data by virtue of outsourcing contracts. Sunil Abraham explains the importance of this bill for Indian industry, in his Forbes article:
“In a multi-stakeholder-based parallel process, the Centre for Internet and Society (where I work), along with FICCI and DSCI, is holding seven round tables on a civil society draft of the privacy bill and the industry-led efforts on co-regulation. The Indian ITES, KPO and BPO sector should be particularly pleased with this development. As should any other Indian enterprise that holds personal information of EU and US nationals. This is because the EU, after the enactment of the law, will consider data protection in India adequate as per the requirements of its Data Protection Directive. This would mean that these enterprises would not have to spend twice the time and resources ensuring compliance with two different regulatory regimes.”
In other words a Privacy Bill in India means more business and profits for Indian companies, which is why NASSCOM and its sub-agency, the Data Security Council of India (DSCI) is so interested in having Parliament enact such a bill. At the same time NASSCOM like any other industry is averse to government regulation and for good reason, government regulation in India can kill an industry. At the same time, we can hardly depend on industry to regulate itself – history has shown time and again that self-regulation for any private enterprise is a myth. At least in the case of the U.S., there is a strong system of tort law, which is enforced, often punishingly by American courts and juries. In India we hardly have a functioning judiciary, which makes it all the more important to have a strong administrative regulatory framework. Thus the challenge in drafting a privacy law lies in drawing a balance between privacy concerns of citizens and the need for the industry to innovate and grow. Unfortunately, the CIS version of a privacy bill accepts the industry’s version of regulation – hook, line and sinker.
(ii) The version put forth by industry & CIS for co-regulation of the private sector: The original version of the CIS Bill, which I had blogged about over here, was extremely weak in the sense that there was little regulation of personal information held by private actors. At the most, the CIS Bill had laid down some basic principles to be followed in collection and use of personal information. The actual enforcement of those principles is contingent on the contracts between the internet data company and the user, like me. Given the level of consumer ignorance about such contracts, until it is too late, it is important for the law to empower the privacy regulator to set binding minimum standards on the nature of the information that can be shared by private data companies with third parties.
The revised version of the Bill, (available over here) which was presumably revised after CIS co-hosted a conference with FICCI and NASSCOM on the first version of the bill, proposes the following incredible regulatory model: As per Clause 30 of the proposed bill, the Privacy Commission which is now renamed as the Data Protection Authority cannot formulate any code of conduct without the approval of the director or authorised signatory of the data controller. I extract the text of the clause below:
“30. Co-regulation by Data Controllers and the Data Protection Authority. – (1) The Data
Protection Authority may, in consultation with data controllers, formulate codes of conduct for the
collection, storage, processing, disclosure or other handling of any personal data.
(2) No code of conduct formulated under sub-section (1) shall be binding on a data controller
unless –
(a) it has received the written approval of the Data Protection Authority; and
(b) it has received the approval, by signature of a director or authorised signatory, of the
data controller.”
A data controller is defined by the Bill as a person who controls the manner in which personal data is processed & used and I presume that every company handling data will be a data controller.
In effect, Clause 30 forbid any regulation from being imposed on a company until such time that a data controller agrees to the privacy regulations sought to be imposed on the data controller by the Data Protection Authority. I cannot remember of the last time a legislation disallowed the statutory regulator from regulating an industry without the prior permission of the industry which is the target of the regulation. Can you imagine a similar model for the pharmaceutical industry where the pharma industry refuses to agree to regulation unless the industry first approves of the legislation? Does CIS really think an industry will agree to regulation which strengthens consumer rights vis-à-vis the rights of the industry?
As far as I’m aware, this mythical model of co-regulation espoused originally by NASSCOM and now by CIS does not exist in any other jurisdiction in the world. I would be open to a correction by our better informed readers.
In my opinion, this clause is a complete sell out to industry interests – I understand CIS is trying to formulate a consensus but Clause 30 is not a consensus – it basically gives the industry exactly what it wants while doing nothing to protect the interests of the consumer.
(iii) The ‘Data Protection Authority’ is toothless against the private industry: As per Clause 20, the Data Protection Authority may “may inquire, suo moto or on a petition presented to it by any person or by someone acting on his behalf, in respect of any matter connected with the collection, storage, processing, disclosure or other handling of any personal data and give such directions or pass such orders as are necessary for reasons to be recorded in writing.”
Given that the private data industry cannot be held liable for breach of any regulation which it has not agreed to there is almost no law which can be enforced against the private industry. Therefore at the most an aggrieved citizen can try to complain to the DPA about violation of some of the statutory safeguards regarding data collection, data processing and sharing but even this remedy is limited by the fact that a person’s relationship with a private data company is defined by a contract which can be changed by the company in question at any time. And let’s not forget, the fact that Google contracts can be arbitrated only in Santa Clara county, California. Moreover, it is doubtful whether this privacy law, in its present form will even be enforceable against foreign companies like Google and Facebook which consider themselves to be governed by American law.
So what is an Indian citizen supposed to do if he or she is aggrieved with a foreign data company? Not very much!
(iv) The penalties that can be imposed against private companies: Given that hardly any laws can be applied against private data companies, it may be a little pointless to even examine any fines that can be imposed on such companies but let’s have a cursory look at the penalties that can be imposed under the draft bill. Chapter VI, unfortunately leaves blank all the clauses on penalties – as of now the law appears to propose a term of imprisonment or a monetary fine. Going by the language of this section, the monetary fines are proposed in terms of fixed sums as opposed to linking the penalty to the turnover or revenue of a company. Fixed fines of a few thousands of even a few crores of rupees are of little use against multi-national company with hundreds of billions of dollars of revenue. Without an effective deterrent a private data company has nothing to fear of the law.
Conclusion: As obvious from this post, the Revised Draft of the Privacy Bill drafted by CIS does little to protect consumer interests while giving the industry exactly what it wants. It is perhaps time for CIS to keep a safe distance from NASSCOM and DSCI while drafting this bill. Co-hosting and jointly drafting a bill with the industry is impossible unless CIS is ready to agree to industry interests. A public debate would be best served by industry and civil society preparing their own drafts – it is the government which has to take the final call and forge a middle path.
There are a few more problematic issues with the CIS bill which I will cover in the next post.
Pingback: The Revised CIS Privacy Bill: Violation of privacy shouldn’t be a strict liability offence | Spicy IP