Incorrect to Say No Safeguards in Data Privacy Act: Rajeev Chandrasekhar | Interview
Incorrect to Say No Safeguards in Data Privacy Act: Rajeev Chandrasekhar | Interview
Union Minister Rajeev Chandrasekhar spoke to Network18 Group Consulting Editor Nalin Mehta on the implications of the Digital Personal Data Protection Act, India’s emerging Techade, challenges and questions over state over-reach in the privacy law and the recently announced restrictions on import laptops and computers

Today is the sixth anniversary of the Supreme Court’s historic Puttaswamy judgment which made privacy a fundamental right under the Indian Constitution through a unanimous verdict by a 9-member bench. Rajeev Chandrasekhar, Union Minister of State for Skill Development and Entrepreneurship and Electronics, was one of the petitioners in that historic judgment, as also in the previous Aadhaar judgment of the Supreme Court which upheld the legality of the Aadhaar Act in 2016.

These judgments ultimately led to the Digital Personal Data Protection Act, which was shepherded by his ministry and passed by both houses of Parliament earlier this month. Chandrasekhar spoke to Network18 Group Consulting Editor Nalin Mehta on the implications of this legislation, India’s emerging Techade, challenges and questions over state over-reach in the privacy law and the recently announced restrictions on import laptops and computers.

Edited excerpts:

From where you sit in the ministry when we, say, talk about India’s Techade, that is a catch-all kind of phrase. What does that mean to you? And how real is that?

India’s Techade, the phrase that was in a sense coined by our honourable Prime Minister almost two years ago, is a very powerful phrase or slogan in many ways because it is signalling the way we see the opposition ideas around technology over the next decade.

And to say that the next decade will be a decade full of technology opportunities for India and for young Indians is really what that phrase means. It is an absolute, very simple, yet clear way of describing our ambitions and goals as a country and as hundreds and thousands of young startups all over the country. For me, in particular, as I see it, this is the vision around which the Honorable Prime Minister launched Digital India in 2015, which is that technology must empower and transform the lives of all Indian citizens.

That is one pole. And the second is that technology must represent opportunities and innovation and entrepreneurship and therefore expansion of our economy. We started with these two pillars – and we have seen use cases like DBT (Direct Benefit Transfers) an UPI UPI, which really has transformed the whole narrative of dysfunctional governance that have plagued India for several decades.

And now we are at an inflection point where we are looking to the future of innovation and expanding the digital economy from being 4% of our GDP in 2014 to 20% by 2026, and then 25% in three, four years down the road. So, it is a very, very powerful idea in terms of opportunities, economic growth and the maximum governance that our democracy has begun to represent. This is important in the backdrop of several decades of people saying democracies don’t work and don’t deliver. So I think in a lot of ways, India’s Techade is a decade full of technology opportunities for India and for young Indians.

So we are talking at a time when the Digital Personal Data Protection Act has just been passed. You have been very involved in that particular issue, from the time of Puttaswamy judgment, when the Supreme Court made privacy a fundamental right six years ago, and now in your role as a minister. When do we see the rules around this being framed and when do we see this being activated? Because that’s when the rubber will really hit the road, right?

One of the defining differences between Prime Minister Narendra Modi ji as a leader and every other leader who was fascinated with technology before him is that he is not just fascinated with technology. He puts tyres to the ground and effort in creating a framework of laws, of policies, of finances and resources to ensure that this vision is not just a vision, but translates into real opportunities for our young Indians.

So, one of the big important elements is that we must create a global standard, modern, future-ready legislative framework laws. The principal law, that, in a sense, regulates or governs the tech ecosystem today is a 22-year-old law called the IT Act. And so, therefore, there are two pieces of this framework that the honourable Prime Minister has emphasised.

One is, of course, is the DPDP Act, which, as you correctly said, defines data protection and clearly lays out the defined rules for all of these start-ups that deal with data. On the other hand, there will be a new law to replace and succeed the IT Act, which will be the Digital India Act.

So, we believe we will have one of the most contemporary future-ready legislations to deal with the technology ecosystem at large and the growing world of innovation and emerging technologies like artificial intelligence, Web 3.0 and so on and so forth. The Prime Minister doesn’t just talk about India’s Techade. He’s putting all of the building blocks that are required to make this India’s Techade a reality.

So one of the critiques of the Privacy Act now that it’s been passed by both houses of Parliament is that there aren’t enough safeguards for the role of the state or the language is up there for debate. Your response to that?

I think there will always be debates. Data protection and privacy is such a contentious area. But, in general, there will be 100% consensus that is approved by everybody. There are always people who are absolutists, who say protection should be so absolute that there cannot be an exemption for anybody in India. And unfortunately for them, we need to understand that the Supreme Court has ruled this is a fundamental right.

And fundamental right means reasonable restrictions. Therefore, what this bill does is that it seemingly achieves three very contradictory objectives. One is to protect the citizen’s rights without any dilution, without any compromise. It defines the obligations of the start-up and the innovation economy and the companies and the participant there in a manner that is not going to compliance-intensive but still with obligations. And it carves out the emergency requirements of the government to access personal data in the event of a national security incident, in the event of an earthquake or a pandemic situation or something like that.

Now, there is no differential standards as far as the responsibility and obligation of the government to manage the personal data vis-a-vis the private sector. If the government-linked entity or private sector-linked entity breaches data, they are both going to be dragged to the Data Protection Board and that dispute will be adjudicated by the Data Protection Board. The jurisprudence of the DPDP Bill will evolve. They will set some basic guidelines, regardless of company A or company B, big or small, foreign or Indian. There will be certain thresholds of punitive consequences that will emerge over time that cannot be shortchanged or second-guessed by anybody.

So, I would respectfully say to people who say there are no safeguards, that is not correct. Everything is built with a great deal of clarity and accountability. Accountability and citizen’s rights are essentially the guiding principles of all of the legislation that we build, all of the rules of what we are delivering for the digital ecosystem.

And when the rules are actually activated and put out, the Data Protection Board (DPB) will consist of…?

The Data Protection Board will be an independent body and we don’t have any preconceived idea that it should consist of say a judge or a retired judge. I actually think of these as modern institutions that need to be very nimble, very digital, very digitised. They are not the conventional bureaucratic kind of institutions. So, we would like to have people who come from different backgrounds. I don’t see why a young lawyer should not be in the DPB. I don’t see why a young serial entrepreneur should not be in the DPB.

So, I think we have not gone by the same more straitjacketed mode which says that there will be a retired bureaucrat or that there will be a retired judge. We don’t see the Data Protection Board as a place for retired people. The institutions in the tech ecosystem that we intend to design and build have to be highly responsive.

They have to be nimble, they have to be smart, they’re intelligent, and they are in a lot of ways like Christopher Columbus – setting out in creating the jurisprudence for the future Techade. They have to be very, very capable people, and that’s the only criteria that we will use.

On data localization, we seem to have slightly easier rules now as compared to those proposed earlier. What’s been the reaction to that?

Let me tell you in the draft that we put out for consultation, our approach initially was that we would do a whitelisting, that the government would determine all of these trusted jurisdictions where data can be stored in the cloud or data can be stored in a datacentre for processing.

But during consultation, what came about very quickly was that government’s ability to respond quickly would be limited. Say when a startup says, look, I want to use a cloud in the US or I want to use a cloud in Germany or in Japan, the process of making that happen and then notifying it would be coming in the way of this nimble technology ecosystem and the startup’s requirements of speed.

So, let us turn it around and say we will allow data processing or use of the cloud or use of infrastructure to process data in any country. Progressively the government has a right to notify some areas and geographies as untrusted and blacklist them.

For example, if there is a particular jurisdiction where we find that that jurisdiction is causing a lot of breaches or in that jurisdiction the law does not reach and our citizen’s rights are compromised, or that jurisdiction is not trusted enough in terms of either the law or the safety of the personal data – we will certainly blacklist it. The government has the power under the law to say this that this in jurisdiction no personal data of an Indian citizen should ever be processed.

And what about people who have published their personal data online voluntarily? Why does the law exempt them from protection?

First of all, you cannot protect somebody who has gone and published. If I go and put my photograph or my details out there, there is very little we can do to protect it. And in a sense, when you are putting it out in public voluntarily, you are signalling that you don’t consider that personal data to be protected.

However, I want to clarify this very clearly to you that nobody can use that personal data for any business purpose without the consent of that person. You may still put your data out there, but I as a data fiduciary or the platform will not be able to use your publicly available data for any business of mine unless I seek your consent.

In a sense, the bill is written in such a simple manner that is almost intuitive. How can you protect the data of somebody who has publicly and voluntarily put the data out there in public?

Now, I want to give you the other side of it. If your data is in public today unwittingly. And because in the pre-DPP regime there is a lot of data floating around, we have said that on Day Zero, every data fiduciary that has personal data that it has obtained without consent is obliged to go and seek consent again from the person whose personal data it is, or give the right of the person to delete the data.

So, on Day Zero, there are only two scenarios. One is all of the data with the data fiduciary of the platform is going to be with consent. And the other scenario is that if your data is publicly available, it is being made publicly available by the data principle of his own volition, but still cannot be used for processing by any platform.

So one of the other things about the Techade, of course, is manufacturing, semiconductors etc. With the ban on imports of laptops and computers – which is now deferred to November 1 – there are fears that this is the return of a ‘licence permit raj’. Your response?

I think it is very important to understand the way the Prime Minister says India’s Techade is a very, very different India’s Techade and technology ecosystem from what we saw in 2014 or what we had. If you remember in 2014, there was hardly any manufacturing.

And when we refer to the digital economy, we almost always referred to IT – which was four or five big business and then other smaller companies. So that was the technology ecosystem and digital economy in 2014. Today, our technology ecosystem and digital economy represent a whole gamut of ideas. It is deep tech, Web 3.0, AI, manufacturing semiconductor design, semiconductor manufacturing, high-performance computing, and supercomputing. So the whole spectrum of opportunities today represents the digital economy. And now within that, the electronics manufacturing piece represents a huge opportunity for India. And we have done very well in mono-tech categories like the smartphone category.

We intend similarly to become a big force in the hardware server and laptop category. The server is especially because India is becoming the fastest growing and the biggest market for IT hardware as our own codification and our own digitization progresses.

This particular incident of let us say what is seen as curbing and unfortunately got communicated as licensing is anything but that. It got communicated that way and there was obviously a quick clarification by the Commerce Ministry and our ministry that we will give three more months for this to be clarified. It is an important management system. What we want to curb imports from certain geographies.

We have no problem with imports. Our digital economy currently depends a lot on imports. We want that to be replaced slowly, gradually, with more and more domestic manufacturing.

But in the interim, what we want is not an import curb as much as import management, because we also want as we digitize.

We don’t want to look back three years down the road and say we should have curbed certain geographies in terms of imports and manufacture product from those geographies. I won’t talk about which geographies, but you certainly get the point about our dependence on certain geographies or the idea of it. So, we certainly want to change that mix with larger and larger Indian manufactured products.

But the way unfortunately this policy came, and I’m happy to take the responsibility and the blame for it, we didn’t communicate it when it came out. It came out in a little bit of a rush and was not well-prepared. It came out looking like licensing. It is anything but that. Prime Minister Narendra Modi’s government will never go anywhere near quota and licenses. We will go as far away as possible from that. That’s out of our DNA.

But we certainly have a responsibility to ensure that at this critical point, when digitization of our economy is really accelerating, we make sure that all trusted products are coming into our market

Rajeev Chandrasekhar spoke to Nalin Mehta, at the launch of his book, ‘India’s Techade: Digital Revolution and Change in the World’s Largest Democracy‘. Mehta is the Dean of School of Modern Media at UPES University in Dehradun, a Non-Resident Senior Fellow, Institute of South Asian Studies at the National University Singapore, and Group Consulting Editor, Network 18.

What's your reaction?

Comments

https://sharpss.com/assets/images/user-avatar-s.jpg

0 comment

Write the first comment for this!