This article is part 3 of a multi-part series explaining the recently issued white paper on data protection in India. The responses to the white paper will help in the formulation of India’s future data protection laws.
Data is put to multiple uses to enhance business. In particular, data today is used extensively for research and development, identifying customer preferences, developing new products and services, improving marketing, and establishing new organizational and management approaches. Thus, while framing a law, care must be taken in defining ‘processing’ to include all such uses within the scope of the new law. Facilitating cross border data flows and imposing data localization requirements for processing are other key concerns.
The present Indian approach is restrictive
The current rules in India take an extremely restrictive approach to processing and to the entities included in the scope of the law. The IT (Sensitive Personal Data) Rules, 2011 protect data only when collected at the first stage, i.e., when an entity collects the data from a natural person the first time. Any subsequent transfer of the data is not governed by these rules. The result is that data in the hands of industries like the BPO sector, which access data via contract with another organization and not from the people directly, or of data brokers, who may access the data through multiple legitimate and illegitimate means, is not protected. The law will not apply to all third parties like processors providing services to the first entity. Thus, there is no recourse against, say, a disclosure of personal data by such entities.
Proposed broader approach to defining ‘processing’
The White Paper, in its current form, is looking at drafting a broader definition of ‘processing’, without differentiating based on how the entity acquires the data. As a general rule, processing refers to the collection, use and disclosure of data. Given the wide new uses of data, a well-drafted definition is required, which ensures that no such new use is inadvertently excluded from the ambit of the act.
Internationally, this has been attempted to be addressed using an all-inclusive definition of ‘processing’. Such a definition is to be used in the EU and the UK. It includes any operation or set of operations performed on personal data. This could include collecting, recording, storing, altering, transmitting or even erasing the data. Countries like Canada and Australia take a different approach, defining collection, use and disclosure separately, instead of an elaborate definition of processing.
Regulating entities in the data ecosystem
The White Paper also looks at defining a data ‘controller’, or the entity having control over the data, and third parties like data processors, who perform certain actions on behalf of the data controller. For example, when you hand your data to a company, say a bank, the bank is the data controller. When the bank hands this data to a third party, say a cloud storage provider, this is a data processor, performing storage activities on behalf of the bank.
These definitions are key to identifying and assigning responsibilities to various entities in the data ecosystem, such as the data controller, processor, and other third parties. For example, consider an employee of a data controller who has access to the data it holds. What should the employee’s responsibilities be?
Internationally, the EU places direct obligations on the data processor as well as the data controller. In Australia, all entities holding data are under the ambit of the law. In Canada, in an approach being preferred in the White Paper, the data controller will continue to be responsible for the data regardless of the third parties it transfers it to.
Facilitating cross border flow of data
As discussed in Part II of this series, data processing often involves multiple entities in multiple jurisdictions. This is often the same corporate entity, with different units such as customer databases and storage facilities in other locations. The clearest example of such cross border transfer is in the BPO industry. Given the wide uses of data today, facilitating such transfers can play an important role in fostering research, development, and economic growth.
The main issue with regulating cross border data flows is determining the threshold test on the fulfilment of which the transfer will be permitted. In the EU and Africa, for example, transfers can only be to countries with a similar or comparable level of data protection laws, leading to arrangements such as the US-EU Privacy Shield Framework. Generally, this ensures adequate rights to the people in respect of their data, and ensures that the same or higher level of protection is accorded to the data as would be under their own laws.
Binding Corporate Rules, an internal code of conduct for organizations, and Model Contractual Clauses, model clauses to be added in contractual arrangements to safeguard the data, are other forms of regulation. In Canada and Australia, a slightly different approach is taken, where it is the responsibility of the data controller to ensure the security of the data, even if it is transferred across borders.
Data localization and its advantages for the government
Another consideration is whether data localization requirements should be imposed. This refers to the requirement that data be restricted within the country. The servers processing and storing data must thus be physically located within the borders of the country. This provision tends to be a good move from the government’s perspective, which can ensure protection of its citizens’ data, access it more easily for law enforcement, prevent foreign surveillance and maintain national security.
Local servers could certainly mean better investigations, an activity that is often delayed due to lack of cooperation from multinational corporations, and due to navigating the cumbersome Mutual Legal Assistance Treaties, the rules established for international cooperation for investigations and enforcement. For example, in the Microsoft privacy battle with the US government, Microsoft could not be compelled to produce the e-mails of a client, whose data was located in a server in Ireland, because it was held that the US’s Stored Communications Act only applied to data stored within its borders.
For the people, however, data localization could mean increased local surveillance, and increased governmental access to their data. This also removes the privacy protections often offered by multinational corporations like Microsoft, Facebook and YouTube, which can often be the only protection to people against unwarranted intrusion of privacy and large scale surveillance by the government.
The detrimental impact of data localization on industries
The industrial view is also quite the opposite, particularly in view of the huge increase in costs to establish localized servers. This was evident with the huge concerns generated over China’s new cybersecurity law, which includes data localization requirements.
Apart from the raised costs for local businesses, data localization may reduce access to global services for consumers, hamper local start-ups, and hinder access to the use of the latest technological advances. It can also affect business continuity and disaster recovery management, since an offshore location usually helps mitigate domestic disruptions. The impact on the start-up ecosystem, India’s analytics services and global in-house centers, and even the BPO sector, is a factor to be considered.
Limit data localization to sensitive sectors
Looking at international practices, there are data localization requirements in some respects, such as for sensitive personal data or medical data, or, as with India’s data localization requirements, for the telecom sector. As a general rule, however, data localization is not mandated. The present view of the White Paper is that this may be considered for certain sensitive sectors, but may not be advisable across the board.
Key questions raised in the White Paper
In view of these issues, the White Paper has sought comments on the following key questions with respect to processing, cross border data flows and data localization:
- What is the nature and scope of ‘data processing’? Should the definition define main activities like collection, use and disclosure or take an all-inclusive approach like the EU?
- Should both manual and automated processing be covered?
- What are the obligations to be placed on various entities in the data ecosystem?
- Should the law define ‘data controller’ and also third party entities like ‘data processors’? Should there be a distribution of responsibilities?
- What are your views on cross border transfer of data?
- What should be the threshold test (adequacy/ comparable level of protection) for cross border transfers?
- Should certain sensitive types of data be prohibited from being transferred overseas?
- Should there be a data localization mandate? What should its scope be (PD/ SPD)?
- What will the impact of a data localization mandate be on the industry and other sectors?
- Any other issues
Asheeta Regidi is a lawyer and author specializing in technology laws. She is also a certified information privacy professional.