We recently attended Securing Cyber Space 2018, a conference jointly organized by Policy Perspectives Foundation (PPF) and CPF on September 07, 2018, at India International Centre, New Delhi. This post presents some interesting insights gathered by us during the conference.
A total of five sessions were organized discussing various issues related to the Personal Data Protection Bill, 2018. A detailed layout of these sessions and their respective panel members are given below. All these sessions were broadcasted live on CPF’s Facebook Page. The discussion in each session was followed by a Question & Answer (Q&A) round for the attendees to ask their questions and queries to the panellists of their respective sessions.
|Discussion on Srikrishna Committee Report and draft of Data Protection Bill – what it says, what it misses out and implications thereof
|Dr Divya Bansal, Neha Chaudhari, Rahul Sharma, Nitish Chandan
|Strategic Dimensions of the Information Age and the way forward for India
|PC Haldar, Satish Jha, Pavithran Rajan, Dominic Karunesudas, Shilohu Rao
|Cyber Security through Data Privacy
|Dr S Govind, Advocate Nappinai NS, Venkatesh Krishnamoorthy, Smita Krishna Prasad
|Data Storage & Related Challenges
|Dr Shubho Ray, Nikhil Pahwa, SK Bhalla, Pavithran Rajan
|Dr Tabrez Ahmad, Gopalakrishnan S, Vijayshankar Naavi, Jayalakshmi Chittoor
[* This session was organized behind the closed doors and it was not broadcasted live, considering the sensitive nature of issues being discussed.]
[Name of the panellists highlighted in bold were the moderators for their respective session.]
Mr PC Haldar, Ex-director, Intelligence Bureau, started the first session of the day by delivering a welcome note for all the attendees. He stressed the fact that the discussion on data protection should not be limited to the experts only, it must include the public at large.
Session – 1: Discussion on Srikrishna Committee Report and draft of Data Protection Bill – what is says, what it misses out and implications thereof
Mr Nitish initiated the discussion by presenting certain key features of the bill and highlighting some of the shortcomings. Dr Divya Bansal talked about issues such as disadvantages of data localisation, purpose limitation of the consent given to data fiduciary, and retrospective aspect of the bill on the data which has been collected before its enactment. According to her, there shall be a separate legislation dealing with data surveillance and national security. Further, Ms Neha Chaudhary appreciated the reorganization of notice and consent framework while Mr Rahul Sharma considered that forcing the Indian companies to restrict the flow of their data will significantly affect innovation in the country.
Session – 2: Cyber Security through Data Privacy
The second session of the day was moderated by Dr S Govind. Advocate Nappinai pondered over a number of points on whether data privacy will be an active enabler for cyber security. Mr Krishnamoorthy expressed his concerns over possible catastrophic effects due to attacks if data localisation leads to storage of data in a limited geographical area. While according to Ms Smita, in order to successfully implement a data localisation policy, the government should also prescribe appropriate technical standards along with the bill. The session concluded with a thorough discussion on the implementation of technical standards throughout the corporate processes to enable and enhance cyber security in the Indian ecosystem.
Special Session: Strategic Dimensions of the Information Age and the way forward for India
This session was going on parallel with the second session. Mr PC Haldar, the moderator of the session started the session by inviting Mr Shilohu Rao for presenting his views. He specifically made a point that the existing Indian legal regime is absolutely incompetent with the technical advancements. He also discussed how Article 32B of Budapest Convention overrides the sovereignty of a state. He concluded by giving the formula of 4 Rs for cyber security – Recognise, Redesign, Resist and Rebuild. Following him, Mr Rajan emphasised that it is the high time for us as a country to deal with the overall picture along with various theories related to national security and their relevancy in the cyber space.
Mr Karnesudas took the discussion forward by presenting the applications of Artificial Intelligence to protect the nation’s critical infrastructure. He insisted that our country lacks applied researches being conducted or funded by the state organizations. Mr Satish had a similar opinion and he added that technological developments could not be avoided, the stakeholders have to find ways to enhance the overall security posture. According to him, the commercialisation of quantum computing technology also poses a significant challenge for the policymakers.
Session – 3: Data Storage & Related Challenges
After Dr Roy, the moderator started the session for the panel members to share their views, Mr SK Bhalla asserted that data localisation is a quantum jump in personal data privacy which requires a well-structured and organized policy framework dealing with important issues such as DPIA, enforcement of liability between a data fiduciary and a data principle, data stored in legacy systems, etc. Mr Rajan, on the other hand, argued that data localisation must be considered an opportunity, not as a challenge. He referred to data as oil and reiterated that in order to enforce one’s right to privacy as a fundamental right, the data must be stored within the Indian jurisdiction.
The discussion moved forwarded with Mr Nikhil contradicting data is oil statement. According to him, if data is considered as oil, then we are only looking at data from an economic perspective, not from the rights perspective. He contended that localisation is severely going to affect small and medium-sized businesses as they would not be able to afford the prices. This will lead to centralization of the internet to certain MNCs which is certainly against the sole idea of decentralization of the Internet and democratic powers of the netizens.
Session – 4: Way Forward
Since data localisation was discussed in each of the sessions held so far, Mr Naavi affirmed that compliance costs are going to be there. Earlier, there were no compliance requirements, but with developments in the country’s legal regime, compliance costs are bound to increase as well as vary. On the similar lines, Mr Bareja advanced his viewpoint that when we are talking about security, we can not use the word absolute. Absolute security is a myth, and absolute privacy may directly affect the national security. There is no harm in recognising privacy as a right, but it should be subject to certain reasonable restrictions, just like other fundamental rights.
Ms Chittor insisted that an ideal law should be clear, precise, and implementable. It must be accepted in its true essence by individuals as well as the commercial entities. However, that is not true in today’s sense as people are only trying to find loopholes to exploit them. Summarizing the views of other panel members, Dr Tabrez, the moderator arrived at a conclusion that we, as individuals, still need time to understand what privacy actually is and its applications as well as implications. This view was supported by Advocate Duggal who expressed that there is no need to hurry this bill. If we are going to have a legislation, we must have a comprehensive legislation covering all the aspects with the minimum number of possible loopholes.
Events and discussions like these are indeed valuable to direct the existing Indian legal regime in the right direction so that it remains on par with the technological advancements. We applaud the efforts put in by PPF and CPF in order to make this a successful event. As a team of budding cyber law and policy enthusiasts, we would definitely like to see more such events being organized by prominent stakeholders or the subject-matter experts.