Reliance Jio bats for localisation at IT ministry’s data protection consultation

Reliance Jio backed the reintroduction of data localisation in the draft Digital Personal Data Protection (DPDP) Rules during a consultation convened by the information technology ministry in New Delhi, people aware of the matter said.

The draft DPDP Rules, released for public consultation on January 3, are crucial for implementing the DPDP Act, which was notified in August 2023 but remains to be enforced.

During a consultation held on Tuesday, the telco’s executive voiced the company’s support for the creation of a committee that can make recommendations to the Centre on what kinds of personal data should not be transferred outside India and recommended that the names of the committee members should be made public, people aware of the matter said.

At least one lawyer present in the consultation on Tuesday said that the localisation mandate is ultra vires (exceeds the scope) of the parent act. The DPDP Act allows the Centre to blacklist territories outside India where personal data cannot be transferred.

This aligns with the Reliance Jio chairperson Akash Ambani’s statement at the inauguration of the India Mobile Congress in October, when he asked the Centre to update the draft of the National Data Centre Policy so that Indian data remains in Indian centres. In January, Ambani had said that the company was setting up AI infrastructure in Jamnagar. The data centre planned for Jamnagar is reportedly going to be the largest in the country by capacity.

Tuesday’s consultation was the sixth on the draft rules held by MeitY following consultations in Delhi (January 14), Mumbai (January 20), Bangalore (January 25), Hyderabad (February 13), and Chennai (February 17). At least two more consultations – in Kolkata and Guwahati – are in the pipeline.

The meeting, that lasted more than three hours, was initially chaired by minister of state for IT, Jitin Prasada, and then by IT secretary S Krishnan. They were accompanied by additional secretary and UIDAI CEO Bhuvnesh Kumar and MeitY’s cyber laws group coordinator Deepak Goel. Stakeholders in attendance included executives from Meta, Google, Amazon, Infosys, Jio, industry bodies Nasscom and DSCI (Data Security Council of India), law firms Trilegal and Ikigai, and consulting firms The Quantum Hub and The Dialogue.

Issues pertaining to children’s data and verifiable parental consent (VPC) were discussed at length, as MeitY officials told stakeholders that they recognised mandatory identity verification could lead to exclusion of individuals from online spaces and data maximisation. They said that they had left it up to the industry to figure out how to implement it.

Kumar, as per the people cited above, said the draft rules rely on self-declaration of minority/majority by the user and there is no need to establish the relationship between an adult and a child; for an adult to consent on behalf of a child, only the adult’s majority needs to be established, not their identity.

The UIDAI CEO also told the stakeholders that the government is working on tokenising parental consent through Meity’s DigiLocker, which can be used as an option by data fiduciaries. He said that an Aadhaar-based or a digital public infrastructure (DPI) solution to perform VPC at scale might be possible in the next two years. At least one stakeholder said that issues with tokenisation have persisted in the fintech space and verifiable parental consent is much harder. Another suggested a sandbox approach to VPC through tokenisation.

The Meta executive said that verifiability of government IDs is a vexed issue, as evidenced by the staggering number of KYC-based cybercrimes. He said that if the Indian government could not reliably verify government IDs, then how could private companies, one of the people cited above said.

Companies also asked for relaxation in reporting requirements for personal data breach, saying that intimation to users should be done only for breaches that are high-risk or cause material harm to users. They also asked the government to consider whether the intimation about the breach could be sent to users after remedial measures had been taken. Companies said that since the definition of a personal data breach is so broad, technically, if an employee of a data fiduciary loses their laptop, that would also amount to a breach and would require intimation to the users and a report to the Data Protection Board.

Stakeholders also asked for scope of rule 22, which prohibits the data fiduciary or the intermediary from making disclosures about demands for any information from the central government, to be reduced to prevent its abuse. Officials said that the government can only ask for information that is allowed under other laws. Stakeholders asked for the other laws to be clearly defined in the rules. Global capability centres (GCCs) sought an exemption from this rule citing the fact that they process personal data of foreign citizens.

An executive from Infosys said that all uses of personal data, including “legitimate uses” by the government, should require consent from the user. Others asked for the compliance around legacy data (data collected and processed before the implementation of the act) to be eased. Instead of sending a notice with an itemised list of personal data processed and its purposes, some stakeholders asked for consolidated notices for continued processing of personal data.

Under the Act and the draft rules, primary responsibility for securely processing the users’ data lies with the data fiduciary, not the data processor. In the Bangalore consultation, stakeholders said that this assumes a relationship where the DF is always more powerful than the processor but that is not always the case. For instance, between a small D2C website and AWS, there is not much that the website can do to negotiate an agreement, and the large processor should assume greater responsibility.