
Jan 30, 2018

  • ITI Comments on White Paper of the Committee of Experts on Data Protection Framework for India

  • The Information Technology Industry Council (ITI) welcomes the Government of India (GOI) Committee of Experts’ and the Ministry of Electronics and Information Technology (MEITY)’s initiative in preparing this comprehensive white paper on a data protection framework for India.
ITI is the premier advocate and thought leader around the world for the global information and communications technology (ICT) industry. ITI’s membership is comprised of the world’s leading innovative technology companies from all corners of the ICT sector, including hardware, software, digital services, semiconductor, network equipment, cybersecurity, and Internet companies. Our members are global companies, headquartered around the world with business in every major market and deep investments in India. Privacy, security and trust are central to our companies’ continued success and we take seriously our obligation to protect and responsibly use the personal information of our customers, consumers, users, and employees. Because of our diverse membership and widespread business presence, our companies have extensive on-site, practical experience with the privacy and data protection regimes of nearly every country.
Informed by our global perspective and broad expertise, ITI encourages governments, as they consider developing or updating their privacy frameworks, to do so in a way that promotes the responsible use of personal information, encourages domestic innovation, attracts foreign investment, promotes the growth of trade and facilitates the free flow of information. We are aware that each of the countries in which our members operate presents a unique combination of challenges and opportunities in developing sustainable data protection policies.
We welcome the Supreme Court of India’s recent ruling that privacy is “intrinsic to life and liberty” and is inherently protected under the fundamental freedoms enshrined in the Indian Constitution, as well as the formation of the Expert Committee on Data Protection, under the Chairmanship of Justice B. N. Srikrishna, by India’s Ministry of Electronics and Information Technology (MEITY). These events signal the beginning of a new stage in India’s advancement on the world stage and we hope to be a resource during upcoming discussions to support the development of robust, globally interoperable data protection policy in India. We respectfully offer the following recommendations to GOI’s White Paper consultation questions and look forward to discussing these and other ideas in more detail as this dialogue progresses.
While the exact meanings of these terms depend on the country and idiosyncrasies of the languages in which they are communicated, as used in this document, privacy and data protection both refer to the rules and practices regarding the handling of personal information or personal data (such as the concepts of notice, consent, choice, purpose, security, etc.).

  • SCOPE AND EXEMPTIONS

  • 1. Territorial and Personal Scope
  • Policymakers often ignore international law obligations and principles to protect their citizens’ data, particularly when data leaves their national jurisdictions. Privacy laws asserting extraterritorial applicability – for instance by proclaiming they apply to any entity providing a service that is accessible by citizens or persons located within that country – are incongruous in the online environment, where users can access almost any service from anywhere in the world. Such laws in turn create difficult conflicts of laws issues, not just for multinational corporations but for any data controller that wishes to use technologies involving cross-border data transfers, such as cloud computing. Similarly, obligations to host data domestically and restrict data transfer beyond national borders hamper innovation, productivity, and growth, for both local companies and companies with global operations. In short, the extraterritoriality of privacy rules, cross-border personal data transfer restrictions and data localization requirements create challenges for compliance and enforcement, work against efforts to establish global norms of privacy protection, limit opportunities for innovation, and distort the global marketplace. An effective privacy and data protection regime should attempt to reconcile the equally important goals of ensuring both global data flows and a high standard of privacy and protection for personal data, regardless of its location. Policymakers attempting to create such a regime should forgo data localization measures and should establish laws with a sensible territorial scope applying only to organizations established in or targeting data subjects residing in a certain country.

  • 2. Other issues of Scope
  • ITI cautions that retrospective application of the legislation could create huge burdens on businesses – both Indian and international – as it would impact the countless contracts already entered into by companies in addition to any new ones. GOI should keep this in mind and provide reasonable timeframes for organizations to prioritize achieving compliance with the new law in all aspects of their business. We also recognize that governments all over the world investigating criminal activities increasingly require extraterritorial access to electronic evidence. To increase public safety and security and make investigations and prosecutions more efficient, India should expand investment in cross-border data request mechanisms for law enforcement and counterterrorism purposes, including making Mutual Legal Assistance Treaties (MLATs) more effective tools for cross-border investigations, and leverage existing multilateral agreements, such as the Budapest Convention on Cybercrime. We support a call to action to all governments to prioritize global law enforcement coordination to better address these issues.

  • 3. Definition of Personal Data
  • Definitions of personal data are fundamental to privacy regimes as they frame how the relevant protections and obligations apply in practice. The definition of personal data should balance protecting a data subject’s rights and enabling innovation and access to information. While some definitions of “personal data” often appear quite broad, regulators should avoid overly rigid or expansive applications of the definition of personal data. Instead, we encourage flexibility in applying definitions. The EU’s Article 29 Working Party guidance on the concept of personal data, for example, lays out the various contexts in which information can be considered personal data. It also notes that a mere hypothetical possibility of singling out an individual is insufficient for considering the information as “identifiable.” Instead, the guidance requires an assessment of all potential reasonable uses of data by the controller or any other person to identify an individual before deciding whether the information should be considered “identifiable” and, therefore, “personal data.” Ultimately, the Article 29 Working Party indicated that the test of whether information is personal is a dynamic one and should consider the state of the art in technology at the time of the processing. While the definition of personal data set forth in India’s IT Act (Section 43A) is similarly broad, it is important to recognize that identifiability alone may no longer meaningfully determine the scope of data protection rules. For this reason, we encourage Indian policymakers to build the concept of risk into their data protection regime, measuring the likelihood of concrete harm to individuals if their personal data is transmitted or disclosed, and thus preventing an overbroad application of data protection obligations.

  • 4. Definition of Sensitive Personal Data
  • Many economies, like India, have designated a special category of data called “sensitive data” that receives especially stringent protections because of the risk of inappropriate use. Others, like Singapore, Hong Kong and Canada, adopt an escalating risk management approach, which precludes the need to develop a specific category of sensitive data. The most common list of categories for sensitive data in comprehensive privacy legislation includes data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships, health, criminal offenses and sex life. Alternatively, sectoral approaches, such as in the United States, create targeted laws pertaining to certain types of data that are considered to need greater protection, such as financial data, Social Security Numbers (or similar identifiers), certain types of health information, children’s information, login credentials and/or full dates of birth. India’s hybrid approach combines both in its definition. Given the additional protective measures traditionally applied to sensitive data, economies that choose this path should limit the number of categories of such data and keep the list closed. This would help economies avoid overbroad or vague definitions or terms that can cause confusion or inadvertently lead to inappropriate categorization of personal information as “sensitive.” Taking an overbroad approach to sensitive data could weaken an economy’s competitiveness by limiting foreign investment, increasing the difficulty of doing business, and impeding innovation, job creation, and economic growth, particularly in India’s flourishing and critical outsourcing industry. The Indian Supreme Court’s suggestion to classify “Personal Data” as “Intimate,” “Private,” and “Public” and treat these accordingly could be a good way of doing this.
This 3-tier approach will remove a lot of ambiguities surrounding classification of Personal Data and ensure deserving Privacy for “Intimate Data,” and to some extent to “Private Data.” Further, Indian policymakers and regulators should recognize processing of data that falls under the sensitive category can have beneficial results for the individual and for society (e.g., in the health sector). To promote these potential benefits, lawmakers should avoid being overly prescriptive and should develop effective mechanisms and legal bases to habilitate the processing of sensitive data. For example, the Protection of Personal Information Act (POPI) in South Africa prohibits the processing of “special personal information” (religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information, and certain information relating to the criminal behavior of an individual), subject to various exceptions. These exceptions apply if the processing: (1) is carried out with the consent of a data subject; (2) is necessary for the establishment, exercise, or defense of a legal right or obligation; (3) is necessary to comply with international law; (4) is for historical, statistical or research purposes if certain criteria are met, such as the purpose serves a public interest and the processing is necessary for the purpose concerned; or (5) involves information that has deliberately been made public by the data subject. In addition to these general exemptions, the POPI devotes several sections to cases concerning the legal processing of each category of special personal information. In doing so, the law codifies that reasonable exemptions should accompany the prohibition of the processing of sensitive categories of data.
Similarly, the European General Data Protection Regulation also includes exceptions such as: (1) carrying out obligations and exercising rights of the controller or the data subject in the field of employment, social security and social protection law; (2) protecting the vital interests of the data subject or of another natural person; (3) reasons of substantial public interest, including in the area of public health; and/or (4) preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, provision of health or social care.
Article 29 Working Party Opinion 4/2007 on the concept of personal data.

  • 5. Definition of Processing
  • Addressing the complex questions at the intersection of security, technology, privacy, and economic growth requires collaboration between a diverse set of stakeholders, including law enforcement, tech and other business sectors, academia, and privacy and civil liberties advocates. Protecting and defending against national security and terrorist threats and upholding and enforcing criminal laws are fundamental missions of governments around the world. While we recognize that technology and data can be a central tool in furthering these missions, we believe that the protection of individual privacy requires that governments also be held to the same standard as private actors handling personal data. We therefore suggest that India’s data protection framework address data processing by private and public sectors wherever possible. We also support exploring the possibility of classifying processing as low risk processing, medium risk processing and high risk processing. The basis of such classification could be the volume of data, nature/quality of data and level of protection provided. Complex and expensive regulatory compliance
For instance, http://www.huffingtonpost.co.uk/entry/twins-4-use-iphone-assistant-siri-to-save-unconscious-mothers-life_uk_58d5049ce4b03692bea47ac0, or http://www.vocativ.com/418862/ai-privacy-assistants-expose-sensitive-info/
Act no. 4 of 2013: Protection of Personal Information Act, 2013.
