Monday, July 8, 2019

India's new proposed data protection regulation is an opportunity for transformation


On 25th May 2018, the General Data Protection Regulation, or GDPR as it is commonly known, went into effect and was heralded as game-changing legislation with global impact. The GDPR is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA), and also addresses the export of personal data outside the EU and EEA areas.

For data privacy advocates worldwide, and especially in Europe, this has been a watershed moment in history, having far-reaching implications for organizations that deal with EU citizens' data and creating a ripple effect globally. A report by DLA Piper on 6 February 2019 states "In the 8 months since GDPR has applied across Europe, there have been more than 59,000 personal data breaches notified to regulators", with the maximum number of reports coming from the Netherlands, followed closely by Germany and the UK. With most regional Data Protection Authorities (DPAs) now stepping up enforcement of the GDPR, launching investigations and subsequently issuing hefty fines to entities found in breach of the legislation, businesses all over the world are taking Data Protection and Privacy as serious practices to implement rather than footnotes in marketing spiels.

It is no wonder that, given the effectiveness of the GDPR in the EU, countries globally are introducing their own Data Privacy and Data Protection regulations.

Australia, Singapore, the Philippines, Japan, Malaysia, South Korea and New Zealand have had Data Protection and/or Privacy legislation in place for several years prior to the advent of the GDPR.
Furthermore, most of the countries mentioned have updated, or are in the process of updating, their current legislation to include mandatory conditions around 'Data Breach Notifications'. China has also introduced and implemented the CSL (Cyber Security Law), sometimes referred to as CCSL, which is far-reaching in its coverage and subsequent enforcement while being fairly vague and ambiguous at the same time.

In terms of the GDPR, there is also a fair amount of latitude given to the people interpreting what constitutes 'transmission and/or transfer of data', with the differentiating characteristics being nebulous at best and open for discussion, but that is a topic best left to be covered some other day.

India's Data Protection legislation (proposed) and the opportunity

The opportunities at hand with respect to India's proposed Data Protection legislation are plentiful to begin with. A large number of provisions are GDPR-styled, and will become law once this legislation/ regulation is passed by the Indian Parliament in the next few months.

  • For multi-national corporations (MNCs), international or Indian, that deal with PII and PHI as part of their business, the legislation will change their way of doing business around transparency: informing end users about 'How' their data is being processed, 'Where' it is being stored, 'Who' has access to it, and 'What' protections the data collector/ processor has in place to prevent data leakage.
  • The Personal Data Protection Bill in its current form is vague and non-prescriptive about breach notification timelines. We feel this is a good opportunity for MNCs to advocate for, and maybe even unilaterally self-implement, a '72 hour breach notification' standard, along the lines of the NY DFS Cybersecurity Regulation Section 500.17, for the following reasons:
  1. Organizations preempt any later mandate that potentially introduces a higher (and possibly untenable) reporting threshold (<72 hours) via ancillary regulations that may be formulated by other government agencies later.
  2. Based on our personal experience, it takes at minimum 48 hours to identify whether a potentially flagged data breach is indeed a valid one, and not a false positive or false negative, given the vast amount of data that needs to be sifted through to arrive at a conclusion.
  3. Once a Data Breach has indeed been flagged as valid, it is again our experience that 'Containment and Remedial Actions' get top-most priority, while informing the regulatory bodies concerned, as equal partners, is a good-to-do activity instead of an 'after-the-fact thing to do'.
    Hence a self-imposed 72 hour incident notification reporting threshold, which is already achievable for the service providers, makes sense to implement.

The scope of Data Localization needs to be addressed
  • For the bill to be enacted effectively, the scope and extent of Data localization needs to be addressed, which is lacking at present.
  • Data sovereignty can be achieved without the need for total data localization or residency, of which the policies of Singapore are a great example.
  • In its current form, the legislation mandates data fiduciaries to store at least 'one serving copy' of personal data on a server or in a datacenter within the territorial boundaries of India. There is a school of thought which advocates the notion that 'One cannot have data sovereignty without absolute data residency', which in our opinion is not the right approach.

    This has been evidenced by recent news that the Indonesian Government is rethinking its requirement of Data localization for PII/ PHI as mandated by Government Regulation No. 82 of 2012 for the Electronic Information & Transactions Law (EIT Law), which directed that "electronic system providers store ‘strategic’ data in Indonesia" by building datacenters/ storage facilities locally, with no specificity as to what type of data would fall under this category. Such requirements, in our opinion, end up imposing unnecessary impediments towards cross-border data flows.

    A caveat to this, from the point of view of a Cloud Service Provider (CSP), is that this requirement works in their favor from a business perspective. The added requirement to store data locally would lead to exponential growth in the CSP's storage business, and though it may drive a jump in the CAPEX/ investment needed to build additional storage and processing facilities, the long-term benefit of a captive customer base would negate the arguments against localization. This needs to be closely studied and implemented in such a way that a data localization requirement does not impede the transparent cross-border data flows that businesses require.
  • Insofar as data is Encrypted at Rest (E@R) and Encrypted in Transit (EIT) by the customers, through data protection solutions provided to them by the service provider(s), data localization in these narrow terms could potentially be viable.
  • In addition to this, we need to ensure that reciprocity in terms of lawful access to data, when required for purposes of National Security or Law Enforcement investigations, is not made an absolute must for cross-border data flows.
    We advocate negotiating data-sharing agreements at the Federal/ Central Government level internationally to alleviate any concerns arising out of such asks.
Some organizations have set up small local datacenters in parts of the world where data localization has been mandated, in order to comply with these requirements: they hold, store and process the data locally, and then replicate it to globally distributed services or databases outside the country. In a way, this negates the concept of data localization, but keeps the organizations compliant within the narrow interpretation of the prevailing laws.

That said, an open, pragmatic and realistic policy approach towards data localization would be one that:
  • Takes into consideration the ease of doing business for corporations and individuals,
  • Enables transparent sharing of information between law enforcement agencies and global/ regional regulatory bodies, and
  • Enables transparent cross-border data flows without impeding business.
Such an approach will lead to the growth and scaling of the information technology and data processing industries.

Data borders are the new trade and global political boundaries, especially as trade wars between countries get more complex. A recent example can be seen in the US withdrawing GSP benefits from India.

It has been proven time and again that countries which exhibit good governance and enforcement of data protection laws tend to have some of the most successful digital economies and lead in digital transformation. This is a ripe opportunity for organizations to have a measurable impact on defining the future of digital transformation and data governance in the sub-continent.

Monday, July 1, 2019

A bunch of Geeks with Policy experience got together and...

Our passion and experience lie in Technology in its various forms. Understanding how Tech and Public Policy go together is another one. One thing we've realized through the years is that any new technology that is introduced to the world at large usually catches Governments, Policy and/ or Regulatory bodies on the back foot, and then there's a race against time to ensure that new legislation, regulation or controlling/ prevailing policies are introduced or updated so that the legal verbiage and enforcement mechanisms fall into place.

Too often, this is too little too late.

At the other end of the spectrum, at times we've seen legislation/ regulation that is worded in a fairly myopic manner, without consulting the various stakeholders on what would be an acceptable middle ground or an MVP to move ahead with, and without ensuring that the proposed legislation/ regulation does not stifle innovation, owing to a knowledge deficit that may exist with the people who framed the rules in the first place.

And in some cases, people just get confused about what they want to convey and make rules that just don't make sense.

The ideal outcome we wish to achieve through this site, via the various articles/ whitepapers and blogs we will be posting, is to advocate for a plausible right way forward in terms of Regulation/ Legislation that may affect Technology and Innovation in a positive manner, while not stifling innovation or denying the potential benefits that could possibly accrue to the populace at large.


Thoughts? Suggestions? Comments? Need help or guidance or need to engage us for consultations? Feel free to drop us a PM and we'll reach out to you.

Cheers!
The All Things Policy team