The Programme for Legal Education and Awareness (PLEA) had organised a session on Data Privacy Laws in Mumbai a few months back. Lawyer Akash Karmakar of Veritas Legal was invited to speak. This in-depth interview with him follows the session.
Data Privacy is an urgent issue of our times and in our immediate context, Aadhaar has especially stoked the debate. Yet with or without Aadhaar, we have had to contend with the vexing issues of data protection and privacy in an age where data storage is a foregone conclusion. If anything the technology that enables data creation and storage is only set to become more sophisticated with AI. It’s a pact that we have willfully made with the machine but it need not be the devil.
How and what we do to ensure that our data is protected and that our privacy is respected, is what is essentially at the heart of this ponderous yet challenging, and even exciting discussion.
As we enter into a new age of the Internet with Distributed Ledger Technology (DLT) we realise that we have a lot of catching up to do, not least in the legal field. As we try to grapple with this new technology and as its forthcoming avatars explode fast and quick, there is more than ever an acute need to attempt for more wholesome discussions in civil society and in the legal field.
Some of these critical questions, especially in the light of the draft Bill on Data Protection, are tackled below.
Deepa Punjani: What is the present situation in India as far as data privacy and data protection laws are concerned?
Akash Karmakar: Currently, India has a patchwork of data privacy regulations, which are fragmented between the Information Technology Act 2000, associated rules and guidelines issued by the TRAI, and common law principles of privacy, some of which have been laid down or expressly acknowledged by various judgments.
Sensitive personal data is dealt with by the Information Technology (Reasonable security practices and procedures and Sensitive Personal Data or Information) Rules, 2011. This legislation oversimplified some key concepts and did not contemplate practical challenges arising out of the collection and dissemination of personal data through app-based platforms and issues with “anonymisation” and de-identification. Moreover, in the wake of recent events, the law that prescribed a reporting requirement only for cyber security incidents was grossly inadequate.
Therefore, there was a burning need for a data privacy law, which contemplates current issues such as the right to be forgotten, the permitted end use of data collected, distribution to third parties, and the manner of obtaining informed consent from the persons providing the data.
Our dependence on technology and our diminishing ability to withhold consent when threatened with being deprived of the services we have grown so reliant on has triggered the requirement for legislative intervention to prevent overreaching demands for our personal data.
The Personal Data Protection Bill 2018 addresses some of these concerns. Some significant concepts introduced include the right to be forgotten, data portability, restrictions on cross-border data transmission, carve outs for anonymised data and journalistic purposes, and reporting requirements for personal data breaches. With the exception of data localisation, which is difficult to rationalise, the introduction of these concepts now bring Indian data privacy laws at par with contemporary requirements and introduce a compliance regime for data privacy in India. There are a fair number of lacunae but with the amount of public interest that has been generated, I am sure another round of consultations would help plug the loopholes and cover the concepts that have not been addressed in the current draft.
DP: What are your thoughts about redressing the lacunae in the Personal Data Protection Bill 2018?
AK: Earlier this year the Standing Committee on Information Technology, had invited suggestions from the public and from experts and other stakeholders. I would expect that these suggestions on redressing the lacunae in the Bill would be considered and incorporated in the final legislation promulgated by Parliament.
The discussion paper that preceded the Bill sought the views of the public, albeit through a painfully convoluted submission process on concepts, which would be contemplated by the committee. The final Bill appears to have selected some of the concepts but would need further alignment to have an effective enforcement framework, prevent abuse of delegated authority, and also to be fully aligned in spirit with the judgment in Justice K.S Puttaswamy v. Union of India and Others.
A public consultation on the Bill would help plug unaddressed concerns. While I am cognizant that this would further delay the process, it would ensure that the Bill does not have loopholes which can be exploited, or which would draw challenges the way Section 66A of the IT Act did, and which was finally struck down as un-constitutional.
For example, on the one hand, the Bill provides that processing of personal data in the interests of the security of India shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law. It delegates upon the Central Government the power to issue to the central authority such directions as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order. This certainly does not set out any procedure and raises doubts over its potential misuse.
Given that every situation cannot be legislated for, what various regulators could do is to release overarching sector specific data protection guidelines that could be tailored to the concerns prevalent in a particular sector. Law will inevitably trail behind technology. However when key principles are set out, along with penalties for noncompliance, it will ensure that a breach of these principles will not just be an ethical violation, but a regulatory breach as well.
DP: How does our version compare to the GDPR?
AK: The Bill clearly borrows concepts from the European Union General Data Protection Regulation (GDPR). The concepts of a “data controller” and “data subject” have been substituted with adapted concepts of a data “fiduciary”, which determine the purpose and means of processing of personal data, and data “principal”, being the individual who provides personal data.
The Bill has also adopted the principle of extraterritorial applicability and introduces turnover-based penalties for certain contraventions that can extend up to 4% of the total worldwide turnover of the entity in breach, much like the GDPR. This is intended to serve as a deterrent penalty, but would not be adaptable to operate against functionaries of the state and non-profit organizations. Now such lacunae can be caught out if the Bill is open to a round of public comments.
DP: Privacy has been at the heart of data protection but there are equal concerns about data theft, misuse and abuse. Besides we live in a time where algorithms are getting smarter day by day. Do you see data privacy law as the beginning of something that will keep getting updated and refined?
AK: With advancements in artificial intelligence and machine learning in particular, the analysis developed from segments of data (such as partially redacted or fully anonymized data, which may appear meaningless when viewed by a person), when processed using artificial intelligence could provide inferences discernible from such data, which are in excess of the data intended to be disclosed.
Therefore, the ability to decipher personally identifiable data from anonymized or de-identified data would need to be regulated. The use of artificial intelligence to deliberately deconstruct anonymised data and trawl for personal data to identify individuals should be prohibited. How the enforcement mechanism is worked out, will need to be streamlined.
Inevitably as technology evolves, data privacy laws will keep getting refined. What we would need is a proactive legislator who can act or react fast enough to prevent the abuse of personal data. The Bill thankfully does address this issue to some extent as it prohibits the reverse engineering of de-identified data to decipher the identity of the person without the person’s consent.
DP: As we gravitate towards new technologies like Distributed Ledger Technology (DLT), what possibilities do you envisage as far as the legal field goes? Will lawyers be diminished as in the case of smart contracts that technologies like DLT make possible?
AK: One of the key features of transacting using distributed ledger technology is pseudonymisation of each user. Customer anonymity is likely to assume centrestage with the adoption of blockchain technology, since it would simultaneously prevent aliasing and duplication of a customer without the need to personally identify the person. Customers will consequently gravitate towards blockchain technology due to the ability to transact without providing personal information to the counterparty, even for financial transactions.
Pseudonymisation however is not bereft of its own set of concerns. For example, implementing anti-money laundering measures such as “know your customer” checks become a challenge when individuals transact through a pseudonym. Now with advancements in technology, there is an increased risk of identity leakage by algorithmic re-identification through de-identified data.
Depending on how cross-jurisdictional enforcement occurs, I would be cautiously optimistic about the adoption of smart contracts. Given that this will take a while to be widely adopted, these would not diminish the role of lawyers, or so one hopes, but if adopted widely, mayre-cast their role.
As for the classification of blockchain and distributed ledger technology as a practice area, this has already become a specialisation, and is usually categorized as a subset of technology law. Depending on how widely the technology is adopted, it could potentially become widespread enough to be considered as an entirely separate domain of expertise.
[Editor’s note: Akash Karmakar is a data privacy and fintech lawyer at Veritas Legal. He assists fintech companies structure products, and navigate regulatory challenges. He has assisted various banks, financial institutions and technology companies launch digital and app-based products in India.]