Google’s chief privacy officer Keith Enright on Monday posted Google’s guidelines (pdf) for regulators to enact data protection rules. The post came a week before India’s IT ministry ends its public consultation for the Srikrishna committee’s data protection bill. “This framework helps Google evaluate legal proposals and advocate for smart, interoperable, and adaptable data protection regulations,” the document says. The document is similar to Access Now’s lengthier do’s and don’ts briefer (pdf) for lawmakers.
Here’s how Google’s recommendations match up to the Srikrishna committee’s bill.
Data collection and transparency
Google’s principles
Collect and use personal information responsibly.
Organizations must operate with respect for individuals’ interests when they process personal information. They must also take responsibility for using data in a way that provides value to individuals and society and minimizes the risk of harm based on the use of personal information (i.e., data that can be linked to a person or personal device).
Mandate transparency and help individuals be informed.
Organizations must be transparent about the types of personal information they collect, why
they collect it, and how they use or disclose it, particularly when used to make decisions about the individual. Regulators should encourage organizations to actively inform individuals about data use in the context of the services themselves, helping to make the information relevant and actionable for individuals.
The Data Protection Bill’s provisions
The Data Protection bill requires strict standards of consent for data collection.
But on transparency, the bill is less than forthcoming on data subjects’ rights. Users can’t access a copy of data stored about them, but are entitled to a summary of what data is stored, and how it is being processed, under Section 24(1).
Purpose limitation and data correction
Google’s principles
Place reasonable limitations on the manner and means of collecting, using, and disclosing personal information.
Collection and use of personal information can create beneficial and innovative services, within a framework of appropriate limits to the collection, use, and disclosure of personal information to ensure processing occurs in a manner compatible with individuals’ interests and social benefits.
Maintain the quality of personal information.
Organizations should make reasonable efforts to keep personal information accurate, complete, and up-to-date to the extent relevant for the purposes for which it is maintained. Data access and correction tools, as mentioned below, can assist organizations in meeting this obligation.
Define personal information flexibly to ensure the proper incentives and handling.
The scope of legislation should be broad enough to cover all information used to identify a specific user or personal device over time and data connected to those identifiers, while encouraging the use of less-identifying and less risky data where suitable. The law should clarify whether and how each provision should apply, including whether it applies to aggregated information, de-identified information, pseudonymous information or identified information.
Give individuals the ability to access, correct, delete and download personal information about them.
Individuals must have access to personal information they have provided to an organization, and where practical, have that information corrected, deleted, and made available for export in a machine-readable format. This not only empowers individuals, it also keeps the market innovative, competitive, and open to new entrants.
The Data Protection Bill’s provisions
Under Section 5(2), “Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.” (emphasis added)
Under Section 25, data subjects have the right to correct their data, and if data controllers have a problem with any updating requests, they must inform the subject in writing why with a reason. Personal data is very broadly defined in the bill, which is in opposition with Google’s principle. Here’s the definition: personal data is defined as any “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information”.
Right to object to processing and data security
Google’s principles
Make it practical for individuals to control the use of personal information.
Organizations must provide appropriate mechanisms for individual control, including the opportunity to object to data processing where feasible in the context of the service. This does not require a specific consent or toggle for every use of data; in many cases, the processing of personal information is necessary to simply operate a service. Similarly, requiring individuals to control every aspect of data processing can create a complex experience that diverts attention from the most important controls without corresponding benefits.
Include requirements to secure personal information.
Organizations must implement reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, modification, and destruction, and should expeditiously notify individuals of security breaches that create significant risk of harm. Baseline precautions should apply to any collection of personal information, and additional measures should account for and be proportionate to the risk of harm.
The Data Protection Bill’s provisions
The Data Protection Bill does not have a right to object to processing.
The bill implements data security requirements through audits conducted by mandatory data auditors and penalties on those who are not compliant with the standards set out by the Data Protection Authority of India.
Compliance and harm
Google’s principles
Hold organizations accountable for compliance.
Accountability can and should come in many forms. Lawmakers and regulators should set baseline requirements and enable flexibility in how to meet those requirements. Industry accountability programs and safe harbors can incentivize best practices, particularly in providing more flexible approaches to dealing with evolving technologies.
Focus on risk of harm to individuals and communities.
Regulators should encourage the design of products to avoid harm to individuals and communities. Enforcement and remedies should be proportional to the potential harms involved in the violation. Innovative uses of data shouldn’t be presumptively unlawful just because they are unprecedented, but organizations must account for and mitigate potential harms. This includes taking particular care with sensitive information that can pose a significant risk. To enable organizations to develop effective mitigations, regulators should be clear about what constitutes a harm.
Apply the rules to all organizations that process personal information.
Data is increasingly important through all sectors of the modern economy. Aside from the context of particular relationships that have existing rules, like with one’s employer or attorney, legislation should apply to all economic sectors and all types of organizations that process personal information. While certain sectors (e.g., healthcare) may have additional rules, regulation should set a baseline for all organizations. The application of the law should also take into account the resource constraints of different organizations, encouraging new entrants and diverse and innovative approaches to compliance.
The Data Protection Bill’s provisions
Here, Google seems to be asking for flexibility that the draft bill does not seem to be encouraging. There are stiff penalties for data leaks, and the penalty is decided by the Data Protection Authority of India — even criminal penalties may apply.
The Adjudicating Officer, who represents the DPAI, will determine whether harm was caused or if a data controller violated provisions. These conditions aren’t always met simultaneously — a data breach may not rise up to legal standards of harm, though it will most likely run afoul of the draft law. So this gives DPAI the flexibility in deciding penalties, as opposed to the data controller. The law also has an exemption on some data protection requirements for small entities, which are defined as those who don’t process more than hundred users’ data each day.
Enforcement and localisation
Google’s principles
Distinguish direct consumer services from enterprise services.
Much processing of personal information is done by one company on behalf of another, where the processor lacks legal authority to make independent decisions about how to use the data or operate outside the bounds of the client’s direction. Sometimes this distinction is described as “processors” versus “controllers”, allowing for the efficient use of vetted, qualified vendors with minimal additional compliance costs, which is particularly important for smaller entities. Processors can look to the controller to meet certain obligations under the law, including transparency, control, and access, but processors must still meet basic programmatic and security responsibilities.
Design regulations to improve the ecosystem and accommodate changes in technology and norms.
The technology involved in data processing is not static, and neither are the social norms about what is private and how data should be protected. A baseline law can provide clarity, while ongoing reviews (e.g., rulemakings, codes of conduct, administrative hearings) can provide more flexible and detailed guidance that can be updated without wholesale restructuring of the legal framework. Governments can support these goals by rewarding research, best practices, and open-source frameworks. Creating incentives for organizations to advance the state of the art in privacy protection promotes responsible data collection and use.
Apply geographic scope that accords with international norms.
Data protection law should hew to established principles of territoriality, regulating businesses to the extent they are actively doing business within the jurisdiction. Extra-territorial application unnecessarily hampers the growth of new businesses and creates conflicts of law between jurisdictions. In particular, small businesses shouldn’t have to worry about running afoul of foreign regulators merely because a few people from another country navigate to their website or use their service.
Encourage global interoperability.
Mechanisms allowing for cross-border data flows are critical to the modern economy. Organizations benefit from consistent compliance programs based on widely shared principles of data protection. Countries should adopt an integrated framework of privacy regulations, avoiding overlapping or inconsistent rules whenever possible. Regulators should avoid conflicting and unpredictable requirements, which lead to inefficiency and balkanization of services and create confusion in consumer expectations. In particular, geographic restrictions on data storage undermine security, service reliability, and business efficiency. Privacy regulation should support cross-border data transfer mechanisms, industry standards, and other cross-organization cooperation mechanisms that ensure protections follow the data, not national boundaries.
The Data Protection Bill’s provisions
The data protection bill does not draw a line between enterprise and consumer services. As such, penalties remain the same, especially since the definition of personal data is still broad. The principle on designing regulations that ‘improve the ecosystem and accommodate changes in technology and norms’ is something that the bill doesn’t seem to address; it’s something that the government might proactively attempt; rewarding research and open-source frameworks is something the government has a mixed record on.
As for encouraging global interoperability, this is where Google and the Indian government’s approach diverge most significantly. The draft bill as well as the leaked e-commerce policy draft recommend different degrees of localisation of personal data. At the very least, at least one copy of data needs to be stored in India according to the Data Protection Bill. Google CEO Sundar Pichai has personally written to the IT Ministry to encourage them to allow cross-border data flows.
