Data protection is a complex issue intertwined with privacy, public trust and transparency as some of its challenging aspects. Over the past few months, New Delhi has shown keen interest in addressing these challenges with several initiatives addressing the concerns around use and collection of data, such as the NITI Aayog policy think tank’s proposed framework for Data Empowerment and Protection Architecture (DEPA) to enable consent-based sharing of financial data with and between various sectoral players; and the revised report submitted by the Committee of Experts on Non-Personal Data. Various government departments, including the Ministry of Electronics and Information Technology (MeitY) and the Ministry of Home Affairs (MHA), have taken unprecedented steps to protect data.
It is no surprise, therefore, that there have been demands from many quarters for enactment of the much-awaited Personal Data Protection Bill, 2019 (PDP). While it is uncertain whether the PDP Bill will be enacted in its present form or redrawn by the Joint Parliamentary Committee, a comprehensive overhaul of data-protection framework in India is likely.
Sandboxing: What it means
The impending massive reforms have kickstarted a debate that heavy cost of compliance with the PDP Bill could kill innovation and distance information-dependent start-ups from their true potential. This argument, however, overlooks relatively unique elements of the bill, one such element being Clause 40, which provides for sandboxing. Simply put, this clause is a gateway to constructive collaboration between the data protection authority (DPA) and businesses, promoting innovation on one hand and effective regulation on the other.
“Sandbox” is used to denote a “testing field” for innovative products in a controlled environment. Initially proposed by Singapore’s Personal Data Protection Commission in 2017, and later implemented by the U.K.’s Information Commissioner’s Office (ICO) in 2019, a sandbox in the field of data protection allows a business to work with the DPA to test innovative products/services and their compliance with data protection laws.
As technology and businesses develop and transform at an unprecedented pace, regulators struggle to keep up. Zealous regulation often leads to regulatory uncertainty and non-compliance risks which could have a chilling effect on innovation and new business models/products/services. Addressing these concerns is regulatory sandboxing, which has been receiving interest from various sectoral regulators and promises the following benefits:
1. Benefits for businesses:
- Understanding of the DPA’s stand on compliance and reduced risk of future enforcement actions.
- Reduced potential costs of withdrawing/modifying the product/service after full-fledged launch if it does not meet data protection requirements.
- Enhanced consumer trust.
- Direct line of communication with the DPA, constructive representations regarding compliance.
2. Benefits for the DPA:
- Enhanced chances of compliance by participants after exiting the sandbox.
- Provides an industry perspective and assists in identifying challenges of compliance and regulation.
- Knowledge of upcoming technologies, enabling timely regulatory modifications.
Sandboxing and the PDP: India’s unique proposal
While the Centre for Information Policy Leadership’s (CIPL) 2019 white paper Regulatory Sandboxes in Data Protection: Constructive Engagement and Innovative Regulation in Practice put forward a strong case for use of sandboxes by DPAs, it noted several challenges, including lack of statutory recognition of sandboxes and limited leeway to regulators to implement a sandbox. The white paper also noted that most DPAs considering sandboxes did not have the authority to provide exemptions, waivers, comfort letters, etc., which was a challenge for businesses implementing new technologies, who may be wary of entering the sandbox.
In this context, India’s PDP Bill is unique as it proposes to statutorily allow the DPA to set up sandboxes. Clause 40 of the PDP Bill sets forward a scheme through which a data fiduciary may enter the sandbox and thereby be exempt, wholly or with modifications, from the obligations to:
- Specify clear and specific purposes for use of data as per Clauses 4 and 5;
- Limit collection of personal data under Clause 6; and
- Follow the restrictions on retention of personal data under Clause 9.
Since the above clauses contain some of the core obligations under the PDP Bill, being in the sandbox provides palpable benefits of reduced compliance costs and more flexibility in dealing with data. For inclusion in a sandbox, however, an applicant must prove the purpose of “encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest.” Clause 40(3)(b) makes it mandatory for the applicant to share information with the DPA regarding proposed innovative use of technology and likely benefits to public and the idea of fostering innovation.
While entering the sandbox is likely to lead to several crucial exemptions to the data fiduciary concerned, it does not come at the cost of the data principle as the PDP expressly provides that:
- Only data fiduciaries with privacy by design policy certified by the DPA may apply;
- The DPA may lay down terms and conditions, including requirement of consent and compensation to the data principal, and penalties to ensure safeguards are not breached; and
- An application to enter the sandbox cannot be for a period longer than 12 months, and the term is extendable to a maximum period of 36 months.
Thus, a sandbox is not meant to be a trove of exemptions. It rather is a targeted tool to foster development of innovative technologies and lead the way toward pro-active and collaborative regulation of personal data in India.
With this bill, India looks at constructive collaboration between the regulator and those regulated to foster innovation, ensure privacy and achieve public trust and transparency.