"The Data Diva" Talks Privacy Podcast

The Data Diva E164 - Vikram Koppikar and Debbie Reynolds

December 26, 2023 Season 4 Episode 164

Debbie Reynolds, “The Data Diva,” talks to Vikram Koppikar, Senior Manager, Privacy - South Asia and Metropolitan Asia, Kenvue - formerly Johnson Consumer Health (Mumbai). We discuss challenges faced by multinational corporations in terms of privacy laws and the differences between GDPR and APAC laws. Vikram expresses concern about the contradiction between the express consent and legitimate use provisions in the recent Indian Data Protection Act and suggests that the provision needs to be clarified or made more similar to the legitimate interest concept in GDPR to address these concerns. We discuss fines and penalties for companies that violate privacy regulations, the rights of Indian citizens to sue, and the importance of privacy as a fundamental right.

The conversation touches on data localization requirements, limited data transfer mechanisms, and criminal penalties for data protection infractions in Asia, with a suggestion that monetary penalties on corporates may be more effective than criminal punishment. Debbie and Vikram stress the importance of ethical and legal processing and utilization of personal information for both individual and corporate benefit. They agree that companies must understand that data belongs to people and that privacy is a fundamental right.

Vikram shares his hope for a society that realizes the power of personal information and the benefits it can bring to citizens, and Debbie highlights the importance of empowering people to understand their rights. They also discuss the impact of data protection regulations on companies, emphasizing the need for a roadmap to know what is expected of them when doing business in different regions.




SUMMARY KEYWORDS

data, privacy, india, localization, data protection, indian, personal, corporates, government, law, requirements, legitimate, consent, country, people, flow, rights, data protection regulations, citizen, understand

SPEAKERS

Vikram Koppikar, Debbie Reynolds


Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva". This is "The Data Diva" Talks Privacy podcast, where we discuss Data Privacy issues for industry leaders around the world with information the business needs to know now. I have a very special guest all the way from Mumbai, India. This is Vikram Koppikar. He is a Senior Manager of Privacy, South Asia, and Metropolitan Asia for Kenvue, which was formerly the Johnson Consumer Health Organization. Welcome.


Vikram Koppikar  00:56

Thank you, Debbie; it's very exciting for me to be part of this podcast, where, in all honesty, your podcast and content is what has kept me motivated in my initial pursuit of privacy as a profession. What I specifically like about your content is not only do you cover trending topics in the area of privacy, but you also look at the interviewed privacy professional from a more humane perspective, you know, the various trials and tribulations that they might go through. And, of course, your continuing pursuit of privacy is being recognized as a global human right. So for all of this, it's really fascinating, really great for me to be here. Thank you.


Debbie Reynolds  01:49

Oh, my goodness, thank you so much. Thank you so much. You know, I feel like privacy and data protection is a human issue. So I think bringing in that human element is very important and that we're all humans, right? So we need to, not just people in the US, not just people in the EU. So, being able to talk about it from a global perspective is very important. So, I think I've been trying to get you on the show for quite some time. So I'm glad we were able to connect and be able to get you on the show. Why don't you tell me a little bit about your background and your trajectory? How did you get into privacy? What was your interest? What was your background your career path to get you to where you are in your career today?


Vikram Koppikar  02:36

Thank you. I am a lawyer by qualification. And I practiced law for several years. During the time I started getting interested in privacy per se was around the time we were first made aware of GDPR. I was part of a leading Indian IT conglomerate. As you are aware, the conglomerate is required to enforce contractually or practice contractually certain flow-downs from its European customers. And I always liken the advent of GDPR to perhaps a scene from Jurassic Park, wherein you know, the child is eating jello in the spoon, and then the jello starts to shake, and then the spoon starts to shake, and then you know something tremendous is oncoming. So, GDPR for the Indian IT industry was no less. The impact that it had on the business space was something that got me interested in privacy. I qualified for my IPP certification and took on the role of a Data Privacy officer within my then organization. And thereafter, I had the opportunity to look at a more privacy-specific role with Johnson & Johnson across various divisions, which were for its surgical tools, its pharma business, as well as its consumer goods. I currently work with Kenvue, which is its consumer business having hived off, and I'm happy to have the opportunity to work across the South Asia space for that distinct privacy compliance. Thank you.


Debbie Reynolds  04:20

That's quite a career trajectory. I agree. I've not seen Jurassic Park, but I understand the analogy they're making there. I thought it was funny because when GDPR first came out, I was very familiar with the Data Directive, right. So I worked with multinational companies that were doing data moves, and no one really cared about it, right? On a grand scale. And when GDPR, when I saw that the EU was trying to update their Data Directive, I thought, okay, this is going to be big, right? And so when the GDPR actually passed into law, I thought we are going to wake up on May 25th of 2016, everyone's going to care about privacy, and in the US, nothing like nobody's saying anything. No. Oh, right. Oh my god, this is such a major thing. So, thankfully, the world caught up with us a couple of years later and understood why it's really important, and we're still talking about it. One thing I'd love to talk about privacy in India has been of interest to me for many, many years, for a lot of reasons. I had teams in India for many years. Very familiar with data protection, especially as it relates to financial data. I want to touch on that a little bit as well. But one thing that happened a few years ago, and I thought was amazing. And I want your thoughts on this. And so this is something I wish we had in the US, which is India, as part of their Constitution several years ago, made privacy a fundamental human right. And I feel like that is probably the best foundation that a country can have, especially when they go toward more data protection and Data Privacy framework; what are your thoughts?


Vikram Koppikar  06:10

I very much agree. So, as you very rightly mentioned, privacy is a very new concept for India; in 2017, the Supreme Court of India granted privacy the status of a fundamental right. As you mentioned, that is very critical for ensuring that Indian citizens are provided privacy on par with the other rights that they are granted under the Constitution; this enables privacy to be incorporated into other rights or legislations that may be created around the citizen. And I think that was, as you said, probably the best way to initiate it, although the law that followed subsequently did take its time to come around. We've only seen it enacted this year. But hopefully, businesses and corporations will adapt. And more importantly, we will see the citizens of India being given the benefit of having their personal information prevented from being misused, which I think was a long time coming.


Debbie Reynolds  07:22

I think so, too. I definitely want to cover the Digital Personal Data Protection Act to pass and 2024 in India. So, first of all, India is the largest democracy in the world; there are more people in India than in Europe and the US combined. India has a lot of interest from a lot of corporations who want to see it go further towards a lot of digital transformation. So I saw a couple of months ago, Tim Cook did this whole India tour because a lot of mobile phone makers and people who are in that space want to make sure that they're getting people into digital systems, and India, you all have Aadhar system, probably one of the first countries that have gone really deep into biometrics, right, before other people. But then also, and this is from my experience in working with data in India for decades. Still, you have very stringent data localization laws around certain types of data, like financial data and things like that. So a lot of people who weren't in privacy before probably don't know that about India. But let's talk a little bit about data localization. Because data localization for me tends to come up a lot in Asia, a lot of laws have data localization features, and I want your thoughts about what are the benefits and the downsides of approaching data in that way, in terms of localization?


Vikram Koppikar  09:07

Yeah, I think that's a very interesting topic. Coincidentally, out of all the sections under the Act from its initial version to the one that has currently been enacted, the one that has gone through the most changes is the one on data localization. As you mentioned, India is obviously a country with a large populace. It has a very robust, growing consumer economy, which drives multinational corporates like Apple and stores to visit it to promote its products, and then its economy is driven onwards by consumption. With consumption obviously comes the requirement to collect aggregate consumer data to understand growing consumer demand data analytics. This obviously, again, comes to the need to have cross-border data transfer. So, the earlier versions of the Act were more stringent in terms of requiring certain kinds of data to be stored only in India if one recollects there was a classification of data. So, there was personal, sensitive, and critical data. Sensitive and critical data were stringent in terms of their local storage requirements. The current version does away with this sort of data classification, which essentially means that data can now enjoy a more free flow. However, as you said, there are existing requirements such as the ones prescribed by India's Federal Bank, which is the Reserve Bank of India, which still requires localization in respect of any payment systems and data flowing there to be stored only in India. What's also very interesting is the government has kept for itself a very wide, arbitrary right under the new law to prohibit the data transfer to any country that it may publish henceforth. So while on the one hand, corporates are happy with the more free flow of data promised, there is still that bit of ambiguity around what jurisdictions may be unfortunate to be falling into that blacklist that the government may publish. 
So I believe there needs to be more of an onus, which is put on corporates to allow them to build contractual clauses or other safety mechanisms that will allow them to have more of a free flow to corporations or nations globally rather than blacklist a country in its entirety. Because a nation the size of India thrives at its best when it's able to transact across the globe. That's how it manages its economy to its best.


Debbie Reynolds  12:10

I agree with that. Thank you for that dive into that topic. Let's talk more wholly about the Digital Personal Data Protection Act, DPDPA, I've got to get accustomed to saying that. What does it cover? What do people need to know? Maybe some things about this act are different maybe than other data protection laws around the world.


Vikram Koppikar  12:37

Sure, that's a great question. So, in many ways, the DPDPA finds itself similar to other leading data protection legislation, more specifically, the GDPR. However, it appears that the government has attempted to make certain requirements or changes to the Act, which are more suited to an Indian populace. Chief out of this, I would believe, is the onus which has been placed on consent, even in the earlier versions, the papers which are around the act, the draft papers emphasize the need to have expressed consent of the data subject towards the processing of his or her personal information. So, expressed consent is very strongly provided for under this legislation. However, there seems to be a contradiction, which has now come up in the latest draft, which is that while consent is obviously key to processing information, the government has also used a new concept which is legitimate use; while this sounds very similar to the legitimate interest concept, which is provided for in GDPR, it is not entirely so. What legitimate use allows for is the data controller or the fiduciary, as it is called in an Indian context, to utilize the data subject's information where it has previously collected it in a manner not specifically refused by the data subject? So, in a hypothetical situation, the controller or the fiduciary can provide a very loosely worded consent notice and try to maximize the usage of an individual's data and put that into context with a very wide Indian populace, some of whom may not be very aware of the extent of the usage of that data, especially when we look at smaller towns or smaller villages. The extent of technological user analytics may not be, and those people may not be privy to it; we end up with a scenario where the data controller can utilize it in multiple ways without the knowledge of the data subject. What is more intriguing is that notice is only required when specific consent is provided. It is not required for cases of legitimate use. 
So, again, as I go back to my concern, which is that there could be a widespread usage of an individual's personal information without them actually coming to know about it, the law does try to address that issue in some manner by stipulating that the controller or the fiduciary will be required to delete that information once its usage is over. But in my submission, the provision of legitimate use runs contradictory to the requirements of the expressed consent that is required at the onset of the law. So these two provisions run afoul of each other, and they need to be cleared or clarified once maybe the Data Protection Authority is set up; perhaps the legitimate use definition or the section needs to be made more similar to what is provided for in the legitimate interest concept in GDPR, which allows it for very specific purposes, such as direct marketing, and not the ambiguous nature of the clause as is provided under the Indian law currently.


Debbie Reynolds  16:29

I can see there's going to be a lot of confusion, where people are going to confuse legitimate use with legitimate interests. I would say for anyone who's interested in what's happening in APEC countries they need to know there are probably less legitimate uses, right, for data. So maybe you're accustomed to the six types of ways that people can use data in the EU and less than six in APEC countries. So just think of it that way less than 6 in Europe. I want to talk a little bit about fines and if people in the EU have a right to sue. So what are the penalties for companies that run afoul of this regulation? And are Indian citizens allowed to sue?


Vikram Koppikar  17:20

Okay, so the fines which are provided for in the legislation run from 50 crores to 250 crores. I'm not sure what that amount would arrive at the USD value. But to answer the second question, the Indian citizen is allowed to sue under the current version of the legislation. I would, however, also like to point out that, despite the passage or the enactment of the law, for the average citizen, privacy is still considered a very Western concept. I am aware that this perhaps digresses from your question, but my point being that very often, in my attempts to provide clarity or educate the customers around their rights as a consumer, I see a lot of comments on social media or otherwise around privacy being a right only for the economically beneficial, you know, the better off classes so to speak. The logic being that the more impoverished individual would not be bothered around their privacy, right? Which, in all honesty, is so very incorrect because we started off this discussion where you pointed out the importance of privacy being considered a fundamental right now; an individual, as impoverished, can use privacy to either prevent misuse around certain information or to his benefit to avail of certain government schemes that he or she may be due for. So privacy is a multifaceted tool which is to the benefit of every citizen in India. And very pertinent that the government or other Indian corporates need to create awareness programs to educate the Indian citizen about the powerful rights that they have at their disposal because privacy is amorphous in its nature; it finds itself in economic data and health data in so many other aspects of your life. So now that we have it recognized as a fundamental right, in addition to the penalties or any other levies that may be charged, it's important to create awareness about privacy as a right by the government.


Debbie Reynolds  19:57

Yeah, I agree with that. And I think that the difference that you're talking about, and this is, as you say, why it's important that India has privacy as a fundamental human right in the Constitution. In the US, we don't have that. And so there are so many gaps there in our laws as a result, where a lot of our Data Privacy and data protection rights are more consumer-based. So if you're not consuming, a lot of those rights don't belong to you, right? So that is the dichotomy. And that is the issue that we have had for a long time in the US. I want to know, as someone who works at a multinational level, where you're dealing with data from different countries, how that make your job more interesting or challenging? Because you have to keep an eye on what's happening globally in Data Privacy or data protection?


Vikram Koppikar  20:57

Thank you so much for that question. So, being given the opportunity to enforce privacy compliance across South Asia, one has to obviously keep abreast of privacy legislation in that space. And podcasts such as yourself are very helpful in understanding privacy trends. Additionally, there's obviously working with or keeping abreast of government notifications across the geography that I handle. What, more specifically, are the market-specific challenges that one comes across? To elaborate my point, say, for instance, a Singapore market may drive its data collection more through maybe social media handles such as TikTok or Instagram, and an Indian market may choose to do so more from a point of purchase through maybe a brick-and-mortar store. So, the manner of data collection differs greatly from country to country, even within the South Asia region. For that purpose, one has to work very closely with the marketing teams to devise a data collection and consent policy to meet the market requirements. So that is something that keeps my job interesting from time to time.


Debbie Reynolds  22:20

I never heard anyone say that. But that makes perfect sense, right, because different countries do different things. So, the data that's being generated is generated in different places. And that changes the way that you have to approach data protection, or you have to look at where the data flows from in those countries. I want your thoughts about just my observation, and this is my observation about data protection in Asia. So three things that I noticed in Asia. Can you tell me what I'm right or wrong about this? A lot of countries in Asia have data localization requirements, and a lot of them have more limited data transfer mechanisms that are legitimate, right? And some Asian countries have criminal penalties for certain types of infractions for data protection. What are your thoughts?


Vikram Koppikar  23:24

Sure, so I'll try to address that question sequentially. I do agree that quite a few countries within Asia have certain stringent manners of data localization; most noted, perhaps, are the sanctions or the requirements that are posed by China. So, I think given the manner of trade or the growth in the economy of that country might come about; one might see a change in data localization norms or relaxations. I refer back to the India context where we started off having very stringent requirements for data localization. But eventually, this gave way to a more relaxed flow of data; of course, with some caveats that the government wants in place, I envisage a scenario where Asian countries, having enjoyed growth in their overall market, will look towards a more relaxed data transfer approach. To address your last point, yes, there are criminal penalties around data localization breach of data localization requirements, and I think maybe we'll look at a scenario down the line where this will be replaced, perhaps with more penalties in terms of monetary amounts because on the corporates, which will maybe help so I think the penalty should be more levied into terms of monetary amounts on the corporates, rather than a criminal punishment.


Debbie Reynolds  25:06

Yeah, the criminal punishment does two things. One, I think it makes it not as attractive to people to want to take those roles. Especially if you work in a corporation and you're not a single person. So you may not have the authority to do certain things. But then you have a responsibility, right? So the responsibility may fall on your shoulders, even though you don't really have control over the data. And then also, I think that in these situations, people are like, well, who will be criminally charged? Is it the person who has their hands on the keyboard? Is it the manager? Or is it the CEO? So I think that all has to be sorted out. But I think having more comprehensive data protection regulations is very helpful for businesses, even though I know businesses can be annoyed. The data protection regulations are different in different places; I think it makes sense to understand cultural norms in these areas. What these countries think is important following along, but I think, at a fundamental level, companies need to understand that data of people belongs to people. So if you understand that, I think that's like halfway there, right? So I think in the past, companies thought, well, once a person gives me data, I could do whatever I want with it. And that's just not the way the future will be. What are your thoughts?


Vikram Koppikar  26:38

Oh, yeah, I'm very much aligned to that thought, as we perhaps retread ourselves in mentioning that privacy is a fundamental right. To give you context, perhaps from the Indian market scenario, before privacy law was enacted, there was hesitancy on the part of several corporates to perhaps create awareness about data consent or the uses of data. There was hesitancy by marketing teams or departments engaged in the collection of personal information to allocate budgets to ensure that data is stored in a secure manner and data lifecycles are put in place. So, for all of these reasons, it is very helpful to now have legislation which is sort of the stick that hopefully puts the errant pupil in its place. But that track of a fine or a penalty that puts corporates which were previously either lazy or misusing personal information to fall in line and to ensure that personal information is given the importance that it necessarily should.


Debbie Reynolds  27:54

I agree with that. So if it were the world, according to you, Vikram, and we did everything you said, what would be your wish for privacy or data protection anywhere in the world? Whether that be human behavior, regulation, or technology. What are your thoughts?


Vikram Koppikar  28:12

That's such a wonderful question. So, as I mentioned a little while ago, I would very much like India to be a society where there is more awareness about privacy as a right, the benefits that it can bring about to every Indian citizen, the impact that it has in allowing them to have access to certain benefits that the government can provide to them, because of their information, their ability to leverage that information while dealing maybe commercially through corporates to access health care. So privacy is hindered for those still unaware in terms of its capabilities or its empowerment, so the society that I very, very much hope for is one that people realize the power that their personal information can bring them. Yeah.


Debbie Reynolds  29:14

That's great. I think that's really important, right? Because if people don't know what rights they have, they haven't had to exercise them, it's hard for people to feel empowered. So that's what these regulations are really doing, in my view. So they are definitely empowering people so that they understand what their rights are. But I also think it's going to help companies because now they have roadmaps to know what is expected of them when they do business in these other regions.


Vikram Koppikar  29:44

Can I add to that, if I may? Okay, so yeah, I agree very much in terms of what you said. I think it's very important for companies to have a roadmap as well. As we discussed a little while ago, India is obviously the world's largest consumer-driven market. If companies have ethical access to personal information with all the necessary safeguards, we look at a scenario where they are able to address the Indian markets with needs specific to them. And then we're looking at continuous consumption and, therefore, economic growth, which obviously benefits both the individual and the corporate. So it is a win-win, where personal information is processed and utilized ethically. And legally. Thank you.


Debbie Reynolds  30:37

That's wonderful. Oh, thank you so much for staying up late to have this call with me. I really appreciate it. I know that the audience will really, really like this episode because I feel like we need to have more people in different regions being represented on these types of shows and programs. We're all on this earth together, and we need to understand what's happening in different places around the world. Well, thank you.


Vikram Koppikar  31:05

Thank you so much. It's really great to be part of the process. Thanks once again.


Debbie Reynolds  31:08

Yeah, thank you. We'll talk soon. Thank you.