Ensuring eSignature Lawfulness for Personal Leave Policy in India

How to eSign a document: e-signature lawfulness for Personal Leave Policy in India

all right uh good evening everybody and joining orf for this discussion on india's proposed data protection law and a u.s india executive agreement under the cloud act now what does that title mean to set the context cyber crimes and other offenses in cyberspace may be borderless but the realities of borders do remain and we see this for example in the fact that multinational tech giants that house vast robes of data are headquartered in and therefore answerable to particular jurisdictions now currently law enforcement agencies in india rely on mutual legal assistant treaties or mlats which many describe as unwieldy and slow which are two adjectives generally undesirable when it comes to investigating cyber crimes the indian government has sought to correct this issue through various measures including data localization proposals uh money displeasure of businesses that cite the need for data to roam free what are the alternatives that's where the cloud act comes in it offers a path for foreign governments to access data stored by u.s service providers can we make the cloud act work for india will data protection legislation be enough given india's myriad of interception description and sectoral data frameworks we are joined this evening by sri srinivasan who is a partner at high law she has co-authored a report using the us's negotiations with the uk as a president for how india could meet the requirements of the cloud act we're also joined by experts who will attempt to resolve some of these intractable challenges on data privacy innovation and regulation in the span of an arb uh so we'll turn to you uh sri nadi please provide some highlights from the report what are the key recommendations following which we will turn to the other panelists for their inputs as well sure thank you thank you so much trisha and the orf team for for having me here um very good evening everyone um i'll perhaps start with setting a little more context just building on what trisha had talked about just setting up the context for the paper our approach and then the big themes the big takeaways um so at the time of writing this paper it sort of predated the withdrawal of the data protection bill from parliament which to my mind makes this conversation all the more relevant as the government now looks finalize its approach to data governance generally and and specifically themes like data localization um so the origin of of this paper uh like trisha sort of pointed out is challenges that investigative authorities in india and in several other countries in the world often often face uh in accessing data from other foreign service providers um u.s service providers especially i think despite an investigation sort of being entirely indian if say you know victim perpetrator location incidence of the crime is entirely domestic indian uh if say emails are stored with a u.s service provider the service provider is also bound by and answerable to these companies from sharing data for enforcement purposes unless you follow a certain kind of legal process um us law requires what is called a probable cause warrant to share emails or other communications content and and these warrants are of course issued by courts in the u.s so there's some judicial authorization built in there naturally courts in india can't issue these um so what is required to make this sort of you know cross-border data sharing for law enforcement purposes work is is is pursuing what what trisha referred to uh what's called the mutual legal assistance treaty route where which are bilateral arrangements between different countries uh say india us in this case where requests will be routed through um the home ministry the mha in india courts in india may also have to issue something called uh letters derogatory pass it through certain channels approach the usdoj naturally this is a cumbersome an antics process peter can speak to this a little more on just how long this takes to execute a certain kind of request in anywhere from 10 months to 3 years um so for the government localization seems then like an alternative way perhaps to be able to access data but localization and local storage obligations around data come with their own set of issues um critics have pointed out you know questions around whether this is um placing borders for data whether it's the most technically efficient way of uh just processing data in any way how local storage obligations would be unworkable or infeasible in certain kinds of say cloud computing or other scenarios um whether this can impose a trade blocker and and so on um at the same time i think we're all cognizant of legitimate law enforcement concerns um and and you know measures to speed up investigations as well so against that backdrop one potential pathway was the u.s cloud act which was enacted around four years back which provides an alternative sort of removes them in u.s law and allows foreign law enforcement to directly seek access to data stored with a u.s service provider when this law was enacted a lot of the commentary initial commentary did suggest that it might be difficult for countries like say india to conclude an agreement with the u.s there are some checks within the cloud act where the u.s government uh different administrative and sort of wings of the of the government will evaluate the partner countries domestic laws around surveillance government taxes and a host of other requirements around say free speech civil liberties etc uh in in our paper we focused on two key requirements which we thought were relevant as india also finalizes its its data protection law one was just having clear mandates for government oversight and government access to data and the commitment to free flow of information and an open internet um our approach here was to look at past negotiations uh so far the use has concluded agreements with two countries the uk and australia we looked at documents around the u.s uk negotiations what were the sticky issues bottlenecks compromises made um and we offered four key takeaways which were which we thought were relevant as india looks to finalize its law the first related to whether you need to overhaul the laws entirely second was on the us approach to substantive prospect protections third was on india's data protection proposal on on its law how it could bolster some of these and fourth was on local storage i'll spend a minute just on on each of these um takeaways and and themes um so the first one was i think one key theme that emerged from the uk us negotiation was that um you know an overhaul of the foreign country's law may not always be required when you are entering into an executive agreement or when you're negotiating an agreement under the u.s cloud act so one sticky issue that comes up often is u.s law requires prior judicial oversight over government requests so many argued that countries that don't require that for government access like the uk and india might not meet the mark then uh but but the approach in the uk was slightly different um i think instead of amending the entire schema of laws the uk enacted one law um the crime overseas production orders act which to give effect to this agreement and and also sort of propose the requirement of judicial oversight for only the subset of requests uh where say uk courts could then request directly uh accessed by u.s service providers rather than going through the mlat route uh similarly you know free speech was a sticky issue in the u.s uk negotiations um where certain uk laws were seen as problematic and not meeting u.s free speech protections so the agreement that was negotiated provided for an additional layer of review so for cases that involved free speech offenses in the uk there was an additional review before direct requests could be made for evidence the second takeaway was just on overall approach when the us um attorney general who's evaluating the partner countries home laws uh sorry domestic laws uh looks at is our sense was that in the substantive assessment the government may take a more lenient approach um for example the uk law did not require prior judicial authorization for issuing interception warrants uh but the doj still the government actually still found the uk to have sufficiently clear mandates for access and oversight uh a double sort of dual lock-in mechanism uh through different layers of of review even though those were not always courts that were sitting at the top reviewing these these requests um the third big theme that we looked at was what could india's data protection law do um just to bolster protections could we offer certain additional protection to make this case uh stronger that india does offer uber's protections for privacy and you know has clear mandates for oversight uh and and we thought this was not just relevant for the you know in a potential india u.s conversation but also if india were to potentially seek adequacy from the eu or continue to make a case for data flowing in from the eu or actually anywhere else into india building that sort of trust so adding say the data protection regulator as an additional layer of oversight the proposed data protection um a regulator under the under the law um who could also evaluate say law enforcement request as a as an arbiter there or requiring um these you know even for investigation purposes uh instituting at least a basic set of privacy norms while notice consent might not make sense at all in investigations uh perhaps requiring them to abide by security safeguards or even just data minimization or having some kind of retention policies those principles might still make sense um and and you know having blanket exemptions might take us farther away from being able to negotiate such agreements um and the final theme was just on local data storage obligations um i think as as you would all know our financial sector regulator rbi already has implemented uh local storage requirements for payments data so subset of payments data payments instruction must be stored on servers in india we're also seeing a trend in in say other sectors health etc where uh where we might see local storage obligations coming in um the version of the law that was being discussed the 2019 version also had local storage requirements for certain kinds of data sensitive data which includes financial health data um and and our sort of takeaway there was if it's a mirroring requirement where you are requiring a copy of that data to be mirrored in india while also providing some channels to be able to you know share data across borders under mechanisms um like contracts or or or you know other other measures certifications and and so on um there may still be some room to negotiate um um an agreement under the claim that because if you allow that sort of labeling framework uh if it's mirroring as opposed to a very exclusive data storage requirement in in india so those were sort of a key uh takeaways i'll i'll pause there and and perhaps happy to answer any questions um thanks sriniv for condensing uh your report into those crispy quiz we'll now turn to the discussion portion of the session uh so we're joined by asta kapoor who's the co-founder of apti institute aaron gupta who's the head and co-founder of the digital india foundation peter swire research director with the cross-border data forum and finally ashish agarwal who's vice president of public policy at nascom uh peter i'll turn to you first as shinny we mentioned you have written uh on how the and this has often been an impediment to india u.s law enforcement cooperation and how the cloud act could greatly simplify that process uh what is your assessment of shinri's recommendations and uh does the uk case study provide an adequate precedent given that the us and you can have a very different relationship and intelligence sharing for example historically has always been a part of that hello and welcome welcome to trinity here um i'm background as a as a us lab an official who's worked on a lot of these done mutual legal assistance and i lead the cross working exactly on these issues um how do you get legitimate how do you also protect privacy and the governments are seeking these data make it workable so the company is trying to apply and how do we do internet that meets many values it looks like i might be frozen or is it just because yes peter your audio is cutting off a little in the middle huh oh i can change that i apologize for criminal procedures that it did in order to to me instead they created us special for the times uh there's this international data order so you could imagine for in india investigation peter really sorry to interrupt but we're hardly able to hear what you're saying uh yeah it was good for 45 minutes and i often come back all right so we'll we'll get back to peter in a minute once he's able to change connections but meanwhile we can uh move on to some of the other speakers and get their views as well i'll turn to you ashish the indian government's aspirations to transform india into a trillion dollar digital economy ride on uh the reality of interoperable data ecosystems but at the same time a la say fair approach will do more harm than good so how do we reconcile these realities uh and is there an ideal balance that can be struck yeah thanks trisha and i hope you can hear me all right perfect so uh what you described risha is actually an interesting problem to navigate right so uh and that's what nations are trying to do today and and before that i think just to comment on what sriniv kind of uh summarized some of these solutions are actually worth pursuing uh and and and and this is going to take a bit of time uh also so therefore uh we can always take nuggets of you know learnings from what happens when u.s does it with the uk or for example with a few other countries where some progress has happened or agreements have happened so in that sense i guess but if you look at it from an indian perspective uh clearly uh we are uh in a in a much more uh let's say and this is what each nation needs to evaluate from its uh where its industry is what are its uh priorities in terms of you know uh how can it make uh the best outcome possible for its own economy and and and when you look at it from that perspective clearly um uh we have to first think of it that if we have to think of a executive executive agreement under the cloud act where does it sit in priority as of today and not not necessarily just from an indian perspective look at it from a u.s indian perspective so in my limited experience of having conversation on this topic clearly i don't see this right now as a top of mind agenda so one you could definitely then think about it that it is it is in the natural sequence of things that uh this shall at some point in time get to that stage where it will become a priority so that's i think one part of the conversation that we need to see it as something which would potentially be useful the other aspect is that from a government of india perspective all the big tech are operating in india they are subjected to indian jurisdiction and we have the i.t act and we have the interception rules so so when government of india wants to access information i would think that the first area where the government of india would want to focus is to try and make sure that it can get what it wants through its own domestic laws and and and then possibly reach a stage where uh there is a significant enough motivation to say that you know an alternative which can be much better must be explored so have we reached that stage where we we see this and and that's where i think from an industry perspective it is a bit of a challenge so uh uh i think peter mentioned about mlax uh briefly uh to the extent i could hear him um but i'm assuming that m lag street uh the very idea of mlx predates the the concept that a country could be asking data from b country about operators who may not be in either of these countries and uh be using data of a country so uh so i think that entire construct that the data is sitting somewhere and and the uh industry elements are subject to multiple jurisdiction and and and then data is being sought off of the home country uh if i have to call a the home country in that sense i think that entire construct wasn't uh probably the objective or the problem that mlags were initially even trying to solve so that that itself is a instrument which is outdated from from such a perspective now coming back to india i think so we we're going to see this journey and in this journey industry is faced with uncertainty so you have to comply with the indian law to be answerable to uh to the the request in india and at the same time try to reconcile with the position in the u.s domestic laws and and of course uh the cloud act uh tries to offer a solution uh but uh but uh uh it is uh uh still to be seen uh are nations willing to bite the solution or or they're going to probably react in a similar fashion to us so that you are subjected to my jurisdiction wherever the data is you give me that data and when we when we get into this position of potential conflict that there is a uh kind of a conflict with the law of the other country we will try and sort it out mutually and i think that process of sorting this out mutually has to be played out enough for it to actually result into people going back into the drawing room and saying that you know this kind of thing will work so that's i think one part of the debate and discussion that we need to really uh see the other the more positive takeaway of all this when you look at when under the cloud act what is the expectation of the us government under gdpr what is the expectation in terms of adequacy and so and so forth so i think there is a clearly now city in 2022 there is a common understanding that there are few things which are key to make a cross-border data flow happen and these are the elements which will make data protection interoperable across countries now even within this i think the alluded to to it a bit uh i think the development is that entire domestic data protection framework do not have to be compatible with the frameworks in other regimes there can be a narrower con compatibility which allows free flow of data and i think that offers much more opportunity than trying to reconcile uh all domestic laws or at least the major domestic laws across countries so i think that's very interesting and and that is where i think some of the uh developments will happen and and and on that uh the last point which i probably want to just mention is the fact that the government of india has withdrawn the uh the bill as it was proposed by the joint parliamentary committee uh i would think it's a big positive in the sense that now given all of these learnings and experiences that we are seeing it is possible for us to now come out with a law which actually uh not only addresses the key objective of ensuring uh privacy but also uh make it much more easy or at least enabling for it to be compatible with some of at least our major trading partners which is essentially if you look at from it and its industry it's 80 percent is uh us and eu so uh so that's the opportunity uh for us i'll pause it but there is a lot to discuss and happy to come back later uh thank you ashish i think you raised a very important point in that it is really the uncertainty that is perhaps affecting industry the most just not having a sense of clear standards across jurisdictions you're having to abide by one set of standards in one jurisdiction another elsewhere so important point there just quickly if anybody has any from the audience has any questions please feel free to drop them in the chat uh we'll address them during the course of the discussion as well uh peter we'll turn back to you it seems like your internet is functioning okay can you hear me okay now is this bad yes yes okay i'm sorry everybody um i'll make very brief comments i one one is that the the report shows that the uk was able to make an agreement with the u.s without changing its entire system for criminal procedure it changed its system only for the international requests and that's a much simpler less disruptive approach and so i think the report shows how that can be a possible possibility for india uh second um the uh report talks about issues around free speech where the laws in the united states are different from england or from india and so there was a specialized system um set up so that certain kinds of crimes would get different scrutiny so crimes that are the same in india and the us would be considered very easy if there's a crime that's only on one side it's a crime for blasphemy in india but not in the u.s then there was an extra layer of scrutiny for the united kingdom approach a third point is the u.s is probably going to start talking more seriously with the european union about a cloud act approach and the european union has different kinds of human rights protections for instance in hungary and poland than it does in some of the other countries and so we'll see this these eu negotiations as a possible way to look about how the human rights issues are handled for this um and then the last piece um uh is for uh data localization uh the report talks about how many of the goals of data localization can be met if there's a copy made in the local country such as india by mirroring and that's different from hard data localization and we may come back later to some issues i've written in the economic times of india about cyber security risks from data localization but for now i think the main point is the report shows a path for negotiating something here that's much more practical than probably a lot of people thought and so i congratulate the authors on the report and orf for having the event today so i'll stop now uh thank you peter and yes we will definitely come back to the interesting point on the the relationship between localization and cyber security later in the discussion as well uh asta to return to you next so some of the trickiest issues arise from the fact that data flows have become somewhat of a battleground between national security commercial interests and individual rights and often it's the latter individual rights that get eaten away in the process will aligning with the cloud act alleviate any of these as or is this a bigger issue and this will this just be a band-aid solution to that um yeah so i mean thank you for the question and thanks for this interesting discussion i i mean like you said that in the context of india uh especially we've been seeing that individual data rights or even you know data rights of groups and communities which we've started to talk about have not necessarily taken a back seat it's just that because we've been waiting for this data protection framework for as long as we have uh understanding and and sort of claiming those rights has been complex for us and we also often find ourselves in um a conversation with the government whether it's on encryption uh where the government is seeking you know backdoors or whether it's on uh data sharing for health or for other sort of quote unquote social purposes um it just becomes like you said quite complex and in that process individual rights are are often ignored and we can see also from the way that the government is positioning itself uh uh in with regard to both data protection as well as data sharing it seems like all frameworks at the moment um will you know will place the government of india above uh what is required of other other stakeholders um so you know whether it's in in in the case of the non-personal data um framework where the government requires mandatory sharing or uh the exceptions in the the last version of the data protection uh so in this context i think that um and we'll also we're also seeing like you know as india be it gets ready to take on uh the g20 presidency there's a lot of discussion on cross-border data flows there we already refused to sign on to the you know cross-border data flows with trust stuff that japan was proposing um and we seem to be um you know while we're in principle saying like data governance is important and we should be uh putting our heft behind it whenever it comes uh the time to walk the talk uh we're sort of always found a little bit short and i appreciated that the report is able to say that like you know like the other speakers have pointed out that their uh laws of the country don't necessarily um need to to change too much to be part of the cloud act and that you know that's possible to do but i think um without a basic data protection framework um that that is very very hard to do and uh and i think that uh any kind of like i said claims against harm uh can't be can't be made it's and also sharing data for like i said um for i mean and this was a case in in kerala during the during covet where kerala had a third party to um to process its health data and give them insights and you know there was a case against the kerala government and there was an exception that was granted um so for all of these basic uh things that state governments might want to do that citizen groups might want to do as well things are becoming more and more complicated without a clear framework so i think my view is that being part of international agreements such as the cloud act um whether it's in the in in full or in the way that is suggested in the report uh will definitely give us um a sense you know we will would put make sure that the government understands that uh there's more at stake and and is able to pull the country up to certain standards and like ashi said that the withdrawal of the data protection bill comes at a good time um where we can learn from uh some of the conversations that have been happening over the last few years kobit of course uh has taught us the value of data sharing the conversation with the data governance act in the eu has uh you know taught us some more so i think that um it's a good time to go back to the drawing board and rethink some of this and yeah [Music] yes thanks sasta it would seem that the opinion is generally divided on whether the withdrawal was a good thing or not there's some who are saying that you know it's it's been an urgent requirement legal requirement for years now and this is just it's it's dragging on for too long but as some of you have mentioned hopefully going back to the drawing table we'll we'll have a better version i did before uh arvind i'll i'll turn to you next um now the draft pdp bill as i mentioned was a somewhat imperfect solution to some of the issues that we have discussed uh at the session today but largely the opinion was that it would fill a critical void when it comes to digital economy regulation so uh what are your hopes for the new draft and would you also like to weigh in on some of the comments that she made as well so number one trisha thank you uh and thank you everybody before me foreign keep educating me but uh let me let me just start by saying there is not going to be no uh bill that will come out at any point in time that will be absolutely perfect uh especially when it concerns data or digital right so that's a it's it's it's a utopian world we imagine any law to be 100 perfect because by the time it gets passed even that six months that it passes the parliament it probably there are so many new developments and changes that happen globally that that will make some bring some goals about in in that law so having said this i mean you know this the debate on this current pdp bill that has been now withdrawn started way back in 2017. i still remember uh when i was in the government the first meeting one of the first few meetings this was this discussions was this you know roundtable and the discussion started and we were we were really hoping that this as an industry now as an outsider and as a person who follows this and does the research on this i believe that it was high time that we should have passed it but nevertheless it's been withdrawn and i think there is a silver lining to that and the silver lining is that it's instead of having multiple laws i mean maybe one for you know the pdp and the other with non-personal data we've the intent of the government is correct that let's can we combine this to a single uh data bill uh which will which will then also remove that ambiguity if at all if it exists and and you know sometimes if you put the lawmaker's head there is a there's a lot of ambiguity that exists in their minds and uh we may be very clear about personal and non-personal data so i think they have come out with a good thought that and and that is the good part that you take the the hard work that has been done which include you know whether it's nascom as industry body all civil society startups um international platforms indian indian companies uh government of india by itself multi-ministry task force so a lot of work has gone into it my my thing on the pd on the data bill the new data bill would be that number one it should be lots of data personal personal all open data everything else and it should have it should bring about authority a data protection authority which it had proposed in the past also and lastly i think um india is realizing very clearly that you know um and i think asta said this and i think the importance of citizens it comes to data very important and i think given our approach to digital public goods um and and this you know and the trust that people have in our in our systems today i think it's important to back it up with the right uh data protection and privacy bill having said this two very important things that deep up the architecture the technical digital empowerment and protection architecture that the government is going to bring along with the uh with the uh with the the proposed legislation is all ready so we're hoping for the legislation to come reality pretty soon and then you know the the enabling uh technology and architecture is going to be there three we have to recognize that and we do have our right to ask for certain things uh the way we also want it it's it's no longer just because most of the data is stored maybe elsewhere or that is the earthquake leaders and and you know whether it can be anybody but we do have a a a a disc at the high table when it comes to discussions and the last point i do want to make is that i think these are two we have to think of this as a hand world and not or or or you know uh in the sense and the brief point i want to make there is once you have the indian data protection act and the legislation and we also need to work with the beauty under the framework the cloud act framework that they have where we can do this in real time maybe also introduce our frameworks like many countries are actually implementing data framework as we speak so can this be can the data sharing and data flows be made into more real time uh one of the things you know and the report talks about it in the because of the ambiguity of discussion of certain legal uh terms freedom of speech and and the con contextual societal contextual which is different between india and u.s also um a lot of requests to get rejected or take infinite amount of time which really does of the need why we've always seen at least from the law enforcement side the home ministry side that the requirement for localization of data so so to to allay those fears i think we need to come up with a stronger um faster way of of sharing data so um i i leave i was clear i just had a comment which said that there was a some audio break but i am on a chrome browser so i hope it was clear thank you erwin your audio was breaking up a little in the middle but i think we caught most of your points uh could you also briefly just uh you mentioned deepa but for those in the audience who might not know what it is could you just briefly outline what the proposal is yeah so so along with the uh the uh the you know as an architecture as a technology we also believe that at a large scale we will need some technology uh solutions to implement all these regulation that we are going to bring about uh has been extending is called the depa architecture technology architecture which is a digital a data empowerment and protection architecture and as the name suggests it has both sides to it how do you use data for more empowerment which is the citizen empowerment the user empowerment and but also provide them the adequate protection in terms of consent access encryption who can share it you know and the um and whether it's further shareable or not so um that is what depa stands for thank you for that all right um so just a quick reminder if anybody has any questions please feel free to post them in chat in the meanwhile i'd like to talk to peter you had mentioned in your initial starting comments about how localization could weaken cyber security in the country could you elaborate on that um yes thanks for the question and this is a research project that we're doing generally about how data localization for instance in europe or in other countries can affect cyber security and so a few weeks ago i had a an op-ed piece in the economic times in india about this uh that was uh and i'll mention a few of the points i think one of the points is that um you have companies india has a very large sector and in it and it enabled services uh and and the reports that we've seen showed that it's about 40 of india's exports and a majority of it is for global clients outside of india so this is a large sector uh third-party cyber security services and third-party i.t services now in order to provide those services you often have to the company is providing the services has to gather ip addresses gather information about how the company's data flows are happening do intrusion detection and then send information back to other places about you can do this you can't do that or this is an area of risk or this is an area that's working and so the actual day-to-day work of cyber security often includes sending detailed data across borders and if if india wants to be providing cyber security services if india country india's companies want to be receiving and sharing in cyber security services those services depend on flows of data across borders and so one possibility is if there are in the future data localization rules you could imagine for instance having exceptions for cyber security services so that the day-to-day operations of of all these it services can go forward another part is if you have companies that operate in more than one country if there's a company that is based in india that operates for instance in europe or the united states just to run the company to know what your inventory is to know what the things are that are happening in your company you need to be able to see where the threats are happening where people are escalating privileges where different problems happen and so we're doing this research partly because people hadn't looked at the harm to cyber security if you put up borders uh walls between countries and that's not saying you can have unlimited data flows everywhere for all purposes but it's saying at least don't wreck everybody's cyber security as you're thinking about having some localization rules we've written about this and if you put my name in with data localization you can find the academic research papers on it thanks right thank you peter you mentioned an important point which is that to be able to effectively respond to some of these threat actors who don't usually just operate within the borders of one country that kind of data sharing is is is quite necessary um all right so we briefly asked how you briefly mentioned um about india and the g20 as we all know india is taking on the presidency of the g20 next year uh digital economy and data is likely to be uh large on the agenda uh do you have a wish list for how india should engage with the g20 in the coming year on data issues at the particular points that you hope would be addressed uh us i don't think is here all right uh shrinky perhaps we could turn to you first and then go down the line are you able to hear us we can't hear you okay uh so while well we figure out surely this uh audio issue i thought perhaps we could turn to you first then sorry i totally missed the question because i dropped off i did cash that you wanted me to about yes just just a wish list for how you wish india would engage on some of these data issues within the g20 framework yeah i think india has a big responsibility to take on that leadership and um and and also position itself as a country that cares about data rights and is also willing to engage and you know deal with some of the big criticisms that we've had on our um questions around localization or the sovereignty position that we've taken and i think those are our issues that we need to talk about much more openly and being in the presidency of the is an opportunity to do that i think that also what i will mention um some of the stuff that we built on the digital public infrastructure side uh and depa in particular i think is something that uh offers us an interesting opportunity to also put forth um alternatives to uh to what is also being discussed in different parts of the world so i think both from uh an intellectual position on um thinking more critically about and positioning ourselves as as a country that champions data rights but then also offering technological solutions like consent managers um that rely on open protocols that rely on open networks as an alternative to some of what has been suggested is an interesting uh position for us today can we we very well can take that uh leadership position as we go forth uh thank you sriniv is your audio working yeah i'm sorry i think my browser was uh hung there for a bit um can you hear me clearly now and as my screen yeah no i i kind of echo what what asta said about just positioning india um i mean we are at a position where we're sort of you know finalizing the data protection law looking at different various aspects of uh data governance and trusted data flows and i think arduino alluded to the fact that they're sort of deliberating a modern would work best for us i think our own experiences with with data and just starting pose on privacy also maybe may be different um and and that's always sort of a starting point for for for you know when we're finalizing uh or when we're working towards um our approach to data governance and our approach to certain negotiations with other regions as well um several regions of course have gone through this learning curve of of just what sort of data protection law to build out whether the gdpr or japan south korea which have different models but are still considered adequate by by europe whether we look at sort of these cloud act or or other regimes and um maybe what helps us to green out this sort of common minimum the absolute core privacy principles that can help with say trusted data sharing which which can also facilitate trade um perhaps that's sort of a conversation at a at a you know bilateral level a multilateral level also that we continue to have what are those basic themes or or basic principles um while the way that different regions might interpret laws uh or interpret these principles may be maybe different but perhaps there is that common minimum to clean out uh which which actually should also alluded to um in in some of these conversations just um core principles like uh minimization or purpose limitation which can which can help build a framework for trusted data sharing across borders yes thanks srinath um i think a lot of g20 members are also perhaps going through the same debates that india is going through when it comes to some of these data protection frameworks and there would be an appreciation of the well the different uh frameworks of data sovereignty cyber sovereignty that's also gaining traction in a lot of countries so perhaps that we could perhaps find still some common principles within those um aishish would you like to chime in as well so i think what i understand of the g20 framework is that there are different formats of conversations in some we are trying to come to an agreement in some you are just sharing knowledge and and point of views and and assessing uh where things might be headed so if you look at from a point of view of your personal data protection kind of a law uh i think um my guess is it's too premature for us to think of having a discussion at a serious level in g20 uh uh hoping that we actually have a final round of consultation on our own bill within this calendar year uh which which would be a good early step for us to say that we are uh now in firmly on the route to have a data protection law uh i think but uh from a g20 perspective i think to contextualize this data conversation somewhere in terms of our work on public digital uh platforms and the the technology stack that we have built and try to build a use case based intro ability around some of these areas is i think more meaningful in in some sense and that's where we have leadership we have uh we have shown success uh and across various applications so really i think that's that's really uh the the thought process as far as g20 is concerned and just to kind of comment on what peter said about the cyber security use case i think there is a lot of this understanding which we are hoping will go into the government's thinking and and and also uh what erwin mentioned in terms of the fact that uh you know you you are the technology is moving so fast that if you are going to have a very prescriptive law uh then you are going to probably bind yourself into some kind of inflexibility which is potentially undesirable so what we are hoping is a law which is a little more at a level of principles and framework and and then and gives space and flexibility for dpa to adopt an approach which is suited based on risk rather than a default uh which has to be applied across situations for example mirroring it's like a default today you may want mirroring but why do you want it to be a default right so just an example of that so i think uh some of these things are really uh that we as industry are hoping for and eventually this will uh result in more certainty lesser cost a more scalable law when you think of the context of india and i think there is a lot also to learn from industry itself so just to make the last point uh without data protection law we are processing data of over 120 countries for maybe around 30 years now and with no major significant blow-up so uh so it reflects both the contractual confidence and the fact the to the extent technology can be used to address concerns of clients and customers so i think the law should only then further strengthen this rather than make it much more complicated and i'll leave that to thanks yes you make an interesting point on use case based requirements essentially so a risk-based approach as opposed to like a blanket uh rights-based approach which is an interesting proposition uh i've been over to you yeah so um i want to do i think everybody uh ashish including srinivasa we've all spoken um on the in the g20 framework and the india stack or the other stack and how you can take leadership i think the angle that i and with it as leadership is how can we build uh there are two tracks already dedicated to the digital side one is more in the inclusion side financial inclusion and digital inclusion and the other is the data and digital economy the third third i think it brings about all these issues which even peter is mentioning is a trust in technology and i think uh with with the amount of uh checks and balances we go through from being a technology event emanating from a very uh democratic setup i think uh dpgs are a great example of that the digital public goods that india produces so i think we have to bring that trust and technology as a discussion item which will help in um solving some of the big problems and of course dpgs are part of that solution the digital public goods that india has to offer so but when you talk about trust it talks also about data data flows it also talks about you know this whole issue of how can you share technology how can you can you you know what has worked in one country can how can it work in other countries and i think that that would be my suggestion that i i would put forth uh in this forum that we should think about uh driving within the you know in the one of the parallel streams uh thanks evan you also raised an interesting point which is trust a lot of our conversations on uh data protection data legislation often just boil down to a question of trust whether it's uh trust between governments and companies or trusts between users and uh data fiduciaries so that's certainly an interesting uh theme now a final round of just like quick fire comments because i think we don't have much time left uh turning now to the next few months as the ministry of electronics and id works on the new draft of the data production legislation some of you have already laid out what you hope would come out of this uh new piece of legislation but if if those of you who haven't yet weighed in would like to come in with your comments uh shiny for example what do you hope would come out of this blank slate so to say uh one is perhaps keep it limited focus to personal data protection which which was the core idea to begin with um i think including non-personal data within the remit of the law also you know recommendations around including uh hardware software security certifications might might be adding too much and and setting this up for then we're trying to do too many things with this with this one law i i'd sort of you know uh argue that that we might be in better stead and closer to seeing your data protection or come to fruition if we do focus on personal data protection with the original objective of you know ensuring individuals privacy in in mind that's one um the second would be just focusing on building an effective robust uh regulator um i think the law is and privacy laws have to necessarily be principle based and the real meat of implementation and enforcement will come in through the regulations codes everything that this regulator does so i i do believe that it's critical to get that regulator right the sort of administrative capacity ensuring um the kind of expertise that that regulator might need what sort of resources they might need uh that and keeping the laws of principle based and the third theme would perhaps be just tying it back to our paper as well maybe extending some of those core privacy principles to um government data collection for investigative purposes and i know surveillance law is an entirely different uh ball game but perhaps um themes like security safeguards uh and and just having the requirement to have a retention policy or you know thoughts around retention maybe those not the whole gamut of course but but some of those perhaps it makes sense to include those um for for even law enforcement investigation [Music] thanks shindi i do sense some disagreement with what uh urban had laid out which was that uh the legislation should actually consolidate some of these very disparate documents like the non-personal data framework that have uh come out you also of course raised a pertinent point on government collection of data which we haven't quite uh gotten to in the course of this this discussion and whether the government even has the capacity to process and interpret so much data uh yeah so um we can turn to peter next would you would you like to win with some of your thoughts uh thank you uh you know i think i'm not gonna try to comment on what india should do for its own legislation i'll point out that there are two somewhat different debates that are happening internationally one of them is the data free flow with trust especially around government access to data and there's increasing discussions for instance in the oecd and and in other forums about what the rules for government access should be which is something trinity just mentioned and um europe is requiring quite strict controls on government access as a condition of access to its own market going forward a second realm is the commercial data whether it's for personal data non-personal data and there's a great amount of disagreement about how to how to do that but i think the the rules for commercial data can be negotiated somewhat differently from the rules each government has to think about for its own access to data and will there be some assurances of limits on that for for law enforcement i think if if the cloud act comes back as a serious option with india and the united states will be the government access to data and having some safeguards there that will be the focus of the discussion thank you thank you peter i just want to raise one audience question and see if anybody has any thoughts i think we just have like a couple of minutes left but uh someone asked would it be harsh for the indian business community and state governments is to shoulder the rather heavy burden of control of data flows without the infrastructure and technological expansion potential that u.s has which kind of goes back to the point i briefly mentioned uh about capacity um would you would would anybody like to weigh in on this point ask them i mean i think that the the the the question on government capacity is a really big one and we also raised that uh as we were thinking about the government's role in making like i said npd sharing mandatory and and i think that whether it's on quality whether it's on processing storage etc um i the government of india really needs to think through its own capacity and also the frameworks for how we engage with data um whether it's and you'll see that in a lot of government documentation there's um three or four big themes as the protection staff uh there's the sharing but then there's also a more problematic monetization question so i think even in terms of the capacity to regulate uh let alone manage data i think is a big question and and i think that we do need to do much more to create that infrastructure in india to make sure that data sharing happens uh the consent manager framework is a start so you know it's been adopted in um in the financial sector has been proposed in health as well but then also other instruments that we've been researching whether it's through uh you know things like data cooperatives etc so how do we also uh expand that institutional framework not just to the government but also to other institutions that can think more critically about data but absolutely i think that the um the question of government capacity is something that we run into all the time and anybody who has tried to share uh or try to receive data from the government will realize that government data actually is of extremely abysmal quality and without any resources to bring that up to a certain standard okay thanks asa we have a run out of time but perhaps you could just do 20 seconds each uh one key take away one point you would like to raise uh we can start with arvind then ashish peter shiniky and then so thank you i think my summary would be that i think india and us have a lot of things to work together um india has its own data protection act the privacy build to be tabled and make it in a whatever the best form it can be at that point in time but also work with the us on multitude of um whether it's data sharing or within the cloud act so i think we can do both it's an end world and thirdly india and the world and everybody else has to recognize while the u.s has a lot of data centers much more data capacity india is the data capital we produce the highest amount of data that is there uh now and as a free and democratic country so i think it's a it's it's a it's a it's a partnership of equals and it's not uh something that can only be created by one country to another thank you ashish i think i'll echo what erwin just said uh just in the context of india u.s given the importance at the level of trade of this partnership i think i think it will be good if uh taking off from this report if the importance and perhaps getting on to a what could be maybe an early discussion to say that in the india u.s context what could the expectations of such an executive agreement and and and building on that conversation so that while it may uh some of it may already be uh positively reflected in the new version of the bill but then there's a lot more that will happen in terms of the rules regulation and so on and so forth so to the extent we can build the foundation which allows us to have this conversation not just with us but with other countries i think that's a track that's worth pursuing thank you i think you said my name next thank you for including me um i arvin talked about india as the data capital and my perception is that india data technology services and information technology is an absolutely enormous and growing industry in the world and so part of the solutions going forward should be what's going to work well for that important and growing aspect of india's own economy and setting up rules that work for all the different actors internationally it's going to be important to let that part of india continue to grow and be a global leader thank you yeah no i think arvind and ashley sort of covered it i think sort of exploring these different channels of conversation between um india and us and plugging in some of these thoughts um to find avenues perhaps for trusted data sharing in a way that that works for both both regions for the private organizations or when it comes to government uh data sharing and i think with the data protection law um um you know just kind of echoing what what we discussed earlier just provide us sort of a great opportunity to uh maybe rethink or solidify some of the some of the thought process around these different big themes we data sharing non-personal data governance sovereignty and and yeah perhaps just leaning from these different um takeaways and building those into and the last word is yours i mean i'm happy to forgo that space because everything has been said but thank you for a great discussion great thank you thank you everyone thank you to the audience for tuning in and for taking out some time from your evenings the mornings wherever you may be to be a part of this discussion thank you