Digital Personal Data Protection Bill Industry-Friendly: IAMAI

The Internet and Mobile Association of India (IAMAI, www.iamai.in) in a statement issued today has lauded the Digital Personal Data Protection Bill (DPDP) as industry-friendly. It has struck the right balance between protecting the interests of the data principals while leaving enough room for tech start-ups to innovate and grow.

According to the feedback received from the majority of IAMAI members, the reconceptualization of the data protection framework in the DPDP to balance innovation and economic growth with the interests of users will go a long way to assuage concerns of digital businesses and help make India a trillion-dollar digital economy by 2025. In particular, IAMAI appreciates the more liberalized framework for cross-border data flows and the exclusion of non-personal data from the ambit of the DPDP Bill. IAMAI also appreciates that the Bill imposes only financial penalties for non-compliance as opposed to both financial and criminal penalties.

Commenting on the Bill, Dr. Subho Ray, president, IAMAI stated, “By following a deep and wide process of consultation including that of a joint parliamentary committee, excluding non-essential provisions, by making a clear commitment that no Rules exceeding the provisions of the Act would be made, and yet protecting the interests of the state, citizens and the digital economy, this Bill has possibly set up new standards of law-making”.

On behalf of its members, the association has requested the government to provide clarifications regarding the DPDP so that once it is passed into an Act, there is better compliance by IAMAI members. In particular, there remain ambiguities surrounding the timelines for implementing the various provisions of the Bill and mechanisms for obtaining verifiable parental consent to process the personal data of children. As the inclusion of specific timelines will provide a roadmap for the industry to better comply with the Bill, IAMAI has requested the government to clearly indicate reasonable timelines by which the various provisions of the DPDP will be implemented and to adopt a graded approach to prescribing such timelines. IAMAI has also urged the government to consider a flexible approach to obtaining parental consent, as prescriptive mandates may have an adverse cascading impact on sectors that provide services to younger individuals.

IAMAI is confident that through consultation and collaboration, the final version of the law will help stakeholders who are invested in and committed to the digital ecosystem of India.

About Internet and Mobile Association of India

Established in 2004, Internet and Mobile Association of India (IAMAI) is a not-for-profit industry body and the country's only organization representing the digital services industry with over 400 Indian and multinational corporations as its members, which include established companies in diverse sectors of the digital ecosystem as well as start-ups. Its mandate is to expand and enhance the online and mobile value-added services sectors. It is dedicated to presenting a unified voice of the businesses it represents to the government, investors, consumers and other stakeholders. IAMAI represents varied sectors such as digital advertising, digital entertainment, traveltech, online gaming, digital payments, fintech, digital commerce, edtech, healthtech, agritech, big data, ML, AI & IoT, AR/ VR, logisticstech and so on

Govt working towards Tabling Data Protection Bill in Winter Session, says Official

Bengaluru, Aug 22 (PTI) The government is working towardstabling the data protection bill in the winter session of Parliament, Secretary in the Ministry of Electronics and Information Technology Ajay Prakash Sawhney said on Thursday.

"Yes. Keep watching for that space. We are working towards that," he said when asked whether the data protection bill could be tabled in the winter session. He was speaking to reporters on the sidelines of the two-day event IoT India Congress-2019 here.

Terming it a seminal legislation, Sawhney said the government wants to get the law right because it needs to balance the imperative of data privacy and data protection as laid down by the Supreme Court. The emphasis is also on creating an ecosystem where innovation gets a boost, he added.

"So, how to, sort of, create a balance? How do we move forward with confidence? Which is why, I mentioned, apart from the legal framework, I alluded to the concept of public digital platforms. Public digital platforms play a huge role in creating trust," Sawhney said.

Compared to some huge economies where the digital payment system is controlled by a handful of companies, India preferred the UPI route allowing every company to participate based on the rules of engagement, according tohim.

"It's a public digital ecosystem, so anyone can join in. Anyone who thinks can do it better than these giants is freeto join in. How do you create an ecosystem which remains openfor newcomers, open for innovation? We need to replicatethat," Sawhney said.

To a question, he said the government never termed data protection as localisation of data but it preferred the responsible handling of data by adopting best practices adopted everywhere.

In this context, he said the guidelines laid down by theSupreme Court were the guiding force for the government.

"We have a broad guideline coming all the way from Supreme Court, which has considered data privacy as emanating from the fundamental rights in the country. So that is the law. Data privacy is the fundamental right," Sawhney explained. PTI GMS RS SS

Amazon India Leaks Competitive Business Data of 400K Sellers; No Compensation to Sellers

Amazon India had left exposed the tax reports of some sellers to others on its platform and although the company had rectified a technical glitch which caused it, it had exposed a lot of information to others on platform.

Sellers downloading their monthly financial reports (data of their sales through Amazon.in) were served with those of other vendors, leading to a breach of competitive businesses data.

On Wednesday, Amazon India said the glitch affected a “minuscule number” of the 4,00,000 sellers on its platform had been rectified soon after sellers flagged it.

According to Economic Times, in an incidence happened last Sunday, a merchant who sells smartphone accessories on Amazon logged onto the platform to download his tax report for December, and found that the inventory reflected in it did not tally with what he had sold. Upon closer inspection, he realised that the GST number on the report was not his.

All this while, the unsolicited exposure of a Amazon India's data has almost frightened its users. The merchant tax reports, that were accidently passed on business data of sellers/merchants to other unintended merchants/seller which are in fact competitors. The leaked data included sales, category-wise split and inventory data. If found by rival seller, this could prove to be of material value to them and detrimental to the merchant/seller whose data was outed, experts said.

No "Data Privacy" Rule for Compensation

Of late, it was reported that food startup FreshMenu had also faced a data breach that left exposed the personal details of 110,000 users and top of it the company stubbornly admitted to the breach only after two years.

At the moment, India do not have a provision for a user, whose data has been exposed, to recover damages from companies responsible for this. A section in the draft Data Protection Bill, which is undergoing consultations and pruning, however, lays down directives for early disclosure of leaks and a mechanism to try cases pertaining to such lapses.

In the proposed Data Protection Bill, which is likely to be moved in Parliament in June, it has been proposed that if a company's customer data is breached, it is liable to a penalty of 4 per cent of its global revenues. Criminal liability has been proposed too.

Source - Economic Times, AFAQS

Ola, Zomato, Practo, Ibibo and others Share Best Practices Ahead of the Data Protection law

In its first Indian edition of the ‘Privacy Matters’ roundtable, Mozilla brought together the brightest minds from India’s leading and upcoming online businesses to discuss practical issues surrounding data privacy. Held recently in New Delhi, the aim of the session was to drive the conversation on how businesses can make decisions about personal data more thoughtfully. This closed-door intensive meeting saw participation from a variety of companies - ranging from SMEs to large conglomerates, including Aditya Birla Group, Dunzo, Ibibo, Practo, Ola, Zeotap, Zomato, among others.

The 5-hour long session was conducted using Mozilla’s Lean Data Practices framework, that puts forth privacy principles and practical steps to implement them. With a mix of engineering, C-level, product and legal folks driving the discussions, the workshop focussed on the incentives for companies to stay “lean”, and minimize the personal data they collect and store; ways to build-in security features; and finally, effective ways to communicate with users and offer them more meaningful choices vis-à-vis their data.

[caption id="attachment_127512" align="aligncenter" width="800"] Privacy matters_first session[/caption]

Urmika Shah, lead product and data counsel at Mozilla, Mountain View, led the discussion and shared, “It was great to see that many of the larger Indian SMEs have taken proactive measures to build in privacy and security features into their services, even prior to the enactment of India’ data protection law. For some, the incentive seems to come from the possibility of security breaches and reputational risks, and for others it’s their global presence or foreign investors.”

The discussions were divided into three segments as per the framework, covering key topics: “Engage users”, “Stay Lean” and “Build-in Security”.

[caption id="attachment_127513" align="aligncenter" width="600"] (Left-Right ) Urmika Shah, and Amba Kak[/caption]

The first segment of the discussions focussed on how companies can better engage different audiences (such as end users, business clients, employees and investors) on issues of privacy. The observations reinforced the importance of providing more meaningful choices to users about their personal data at the time they are using the service, and making privacy notices more visible and easily comprehensible. In addition, companies expressed the need to better engage investors and boards on privacy issues to gain their support for implementing reforms.

The second section was on the importance of staying “lean” with data rather than collecting, storing, and sharing indiscriminately. Most companies agreed that collecting and storing less personal data mitigates the risk of potential privacy leaks, breaches and vulnerability to broad law enforcement requests. Staying lean does come with its own challenges, given that deleting data trails often comes at a high cost, or may be technically challenging when data has changed hands across vendors. It was agreed that there is a need for more innovative techniques to help pseudo-anonymize or anonymize such data sets to reduce the risk of identification of end-users while maintaining the value of service. Despite these challenges, responsible companies should do their best to adhere to the principle of deleting data within their control, when no longer required.

The third section covered key security features that could be built-in to the services. Many companies explained that their own security practices, especially relating to employee data access controls, have evolved as they grew in size. A key observation voiced by many companies was that vendors are often not scrutinized and may not always be welcoming to rigorous reviews of their data and security practices. This remains a key challenge in protecting the privacy and security of user data.

Amba Kak, Mozilla’s public policy advisor in India said, “In the lead up to India’s first data protection law, we need more such conversations that focus on implementing these principles, and how to overcome practical challenges.”, she concluded.

Indian Startups Likely to Be Hit Hard By Data Protection Bill, Says IAMAI

After raising concerns over funding crunch for Indian startups, last year, members of the Internet and Mobile Association of India (IAMAI) raised concerns about the possible impact of the Data Protection Bill on the Tech startup sector in India. IAMAI, the not-for-profit industry body, voiced its opinion in a recently organized stakeholder’s consultation.

The first and most important concern emanates from the insurmountable difficulty of collecting and processing personal data proposed in the draft Bill. Restrictive clauses around purpose limitation, storage limitation and collection limitation will make it very difficult for startups and potential startups to get into the data business. Restrictive norms of consent including “bearing the burden of proof of consent”, being responsible for the correctness of the data collected will add to the difficulties of data fiduciaries.

In addition, poorly defined benchmark for “significant data fiduciaries” leaves the room wide open even for mid-sized data companies the onerous burden of compliance such periodic data audit, data protection impact assessments including permission from the proposed Data Protection Authority for every new technology introduced.

Finally in case of accidental or involuntary non-compliance with any of the provisions of the law invites heavy fines which most of the startups are not in a position to pay and criminal charges that are most undesirable.

IAMAI members point out that collection and processing of first hand data for monetization is the only lifeline for startups. Such data is also critical for analyzing customer preference and response, designing and fine-tuning services, identifying key revenue streams, targeted marketing and promotion.

In the new regime, the absence of avenues to collect primary data from users, startups would be forced to depend on incumbent businesses for ‘anonymized data’ that does not come within the ambit of this Bill. Incumbents may refuse to share data with potential competitors, or demand premium price for anonymized data products. Going forward, such incumbents can become the gatekeepers to the tech sector. This does not augur well for a competitive space required to promote tech startups.

Some other members of the association who are mid-sized startups with ambitions to expand in overseas market feared that their plans may be scuttled by the provisions of data localization. Other countries where they are expanding may retaliate by demanding reciprocal data localization. Data localization also forces Indian startups to look for more expensive and inefficient local solutions.

On the whole, with ease of doing business being still relatively difficult for startups; creation of an additional and complex regulator in the form of Data Protection Authority with ill defined mandate will make things much more difficult for Indian tech startups.

Last year in March, IAMAI with leading BFSI and Fintech companies have collaborated to form the largest Fintech Group to encourage collaboration, seek complementarities and build synergy between leading BFSI companies and the emerging fintech startups.

India's Cryprocurrencies' startups association Digital Asset and Blockchain Foundation of India (DABFI) had too announced its merger with IAMAI, in November 2017.

IAMAI is a young and vibrant association with ambitions of representing the entire gamut of digital businesses in India. It was established in 2004 by the leading online publishers, but in the last 14 years has come to effectively address the challenges facing the digital and online industry including mobile content and services, online publishing, mobile advertising, online advertising, e-commerce and mobile & digital payments among others.

Fourteen years after its establishment, the association is still the only professional industry body representing the online industry in India. The association is registered under the Societies Act and is a recognized charity in Maharashtra. With a membership of nearly 300 Indian and overseas companies, and with offices in Delhi, Mumbai, Bengaluru and Kolkata, the association is well placed to work towards charting a growth path for the digital industry in India.