Rajnish: Anindya welcome to the podcast and thanks for coming over.

Anindya: Thanks Rajnish and greetings to you and your listeners on world Energy Environment Week. I'm delighted to share my thoughts on the subject, but I would like to just place a key caveat that this should not be construed to be the views of Shell. Thank you.

Rajnish: My first question to you Anindya. How do you think a carbon price can help abate emissions?

Anindya: Yeah, that's a great question Rajneesh and there is a short answer and a slightly more evolved answer, so let me attempt both. The short answer is that greenhouse gas emissions carbon emissions have an externality, and the cost is borne by the society, and not necessarily by the emitter. Carbon pricing strives to place a cost on the emitter and thereby putting the sort of cost where the burden is. But if you sort of dig up a little deeper, the whole carbon pricing policy intervention is a clear nudge that Governments can give to various players across the economy on what they need to do. And there's various aspects that we should explore in this context, first is the competitive disadvantage of the first movers. There are companies right now who are contemplating climate action, but they find that such action involves costs which brings in a competitive disadvantage to them vis a vis with their competitors and therefore they do think twice before implementing major programs. A carbon pricing across a sector will ensure that all sector players are having the same level playing field and start taking the same steps and ideally this moves into an economy wide coverage, so I think that's very important to make sure that the early movers don't get disadvantaged. Secondly, there is a policy outlook signalling that this is very important. Companies right now are struggling to see what the pricing, carbon pricing or any compliance framework will look like in the coming years and decades. So, if the government can clearly indicate that this is going to be the carbon pricing methodology that the government will adopt and how it will progressively change over time, companies will be in a position to make the right technology choices back to green technology and make their investments that are well tested against such a carbon pricing regime. On the case on this case, also another aspect we need to talk about is resource mobilization. So carbon pricing of course also yields resources for the government whether it's a carbon tax or a market based mechanism like the ETS and the government, then can direct some of this to supporting new technologies. Green technologies that are not proven, for example, if it wants to support offshore wind or biofuels but also maybe use it to address the needs of just transition, so there are going to be sections of society which will be burdened by higher cost of the energy transition and some of this will be available for that. Another aspect I think we should also consider when talking about carbon pricing is globally various countries are adopting carbon pricing where there's tax or emissions traded systems and to make sure that there are no carbon leakages these countries are likely to impose a border adjustment mechanism as Europe is considering. So, if Indian companies have to operate or export into these markets then they'll have to demonstrate that they have carbon pricing domestically. So that's very important for Indian companies to achieve, I mean India has a huge trade with Europe for example of 36 or $37 billion and the part of that will get impacted by this. And the other advantage of integrating to global markets is that Indian players will have access to much deeper and wider markets for carbon offsets. For example, they are on the buy side or sell side.

Rajnish: So Anindya I agree with you, I think carbon prices are the talk of the day. Now the big question basically, which is there when you look in the case of India is should India go for a carbon tax or should it go for an emission based or a market based trading mechanism? What do you think are the pros and cons to the two and you refer to that while you're answering the earlier question?

Anindya: Yes, indeed, these are the two popular models which various countries have experimented with over the last several years. So, the advantage for India is that India can certainly benefit from the experiences of these countries and get sort of rich learnings out of it. Carbon tax in terms of implementation is perhaps much less complex, though politically less acceptable because it's it will be very transparently seen to be adding to the cost to the customers or taxpayers, as the case may be also, it needs to sit within the existing taxation framework and jurisdictional sensitivities, and I know Ernst & Young has already presented an analysis on how this can be done. As for emissions trading, there is a possibility that the existing market-based mechanisms for energy efficiency, which is the path scheme and the eCerts and the renewable energy, which is the RPO and RECs, could be brought under a carbon framework which could then be expanded to a functional emissions trading scheme. However, the complexities of the market design that address the needs of a progressive decarbonization without causing market failure needs to be carefully considered.

Rajnish: I agree with you Anindya, I think carbon taxes are easier and as you gave there are pros and cons to each of the approach. Now, given that we have a blank piece of paper in India as of this point of time, what would be your advice to our clients as to how they should think about this and go ahead?

Anindya: Indeed, that's a very important I think question to consider for countries so companies at this point in time as various regulatory changes are likely to happen in the coming future. Well, one can never be certain as to when a compliance framework for carbon will emerge in India, but we have seen a compliance framework in energy efficiency and renewable energy that was successfully implemented. We are also hearing of an RPO type framework for green hydrogen progressive Indian companies are already beginning their decarbonization journeys by implementing internal carbon pricing. CDP's annual report mentions 31 companies already having an internal common price or companies are signing up to the SBTI's or making commitments under RE 100 EP 100 EV 100 type commitments. But to ensure a sustainable future and a social license to operate, companies will need to transparently share their plans to adhere to carbon budgets available so as to achieve the climate action goals agreed by the international community such companies will withstand any shocks that could credibly arise from external carbon pricing, whether through taxes or market-based mechanism.

Back to podcast

Podcast transcript: Digital Personal Data Protection Act: Impact on supply chain and logistics

18 min | 06 September 2023

In conversation with:

Mini Gupta
EY India Cybersecurity Consulting Partner

Pallavi: Welcome to the latest episode of ‘Gateway to data privacy and protection’ special series by EY India Insights Podcast. I am your host Pallavi, and today we have an intriguing topic in focus – the impact of the Digital Personal Data Protection Act 2023 on the supply chain industry. To gain deeper insights into this matter, we are joined by an esteemed guest, Mini Gupta.

Mini is a Cybersecurity Consulting Partner at EY India. With over an impressive two-decade-long career in risk management, her expertise spans diverse sectors, including Technology, Media & Entertainment, and Telecommunications (TMT), Manufacturing, and Financial Services. Currently, she leads cyber transformation in Africa, India, and the Middle East, providing specialized consulting services in cybersecurity, data privacy, and technology risk services to our top clients. Over the past 10 years, she has worked closely on the agenda of data privacy in India and globally. Mini, welcome to our podcast.

Mini: Thanks, Pallavi. Pleasure to be here.

Pallavi: Going by the newly released Digital Personal and Data Protection Act 2023, who would be the data fiduciary in the logistics sector, especially in cases where there is more than one transportation company involved for moving goods from start to the destination?

Mini: From a data fiduciary point of view, any entity that determines the means and purpose for processing personal data is the data fiduciary. In case of the logistics sector, the entity engaging with the consumer to collect any personal information and then deciding who should this information be shared with, is the data fiduciary. This could be the logistics service provider who will engage multiple transportation companies based on what the mode of full movement is.

If a transportation company is engaged by a logistics provider to move the goods, then the transportation company doing so on behalf of the logistics service provider becomes a data processor. The fiduciary is still the entity that has collected the consumer's data or the personal data involved in this process and is sharing it then with multiple partners or transportation companies.

There might be cases where the entity (logistics provider) itself is responsible for processing the order and for moving it through its in-house transportation divisions, but the same principle applies – whoever collects and determines the purpose of personal data remains the data fiduciary, and everybody else in the chain enabling the movement on behalf of the first entity, are data processors.

Pallavi: We see that the logistics sector has both organized players who have strong digital systems as well as smaller outfits with little in terms of data protection. How will the latter be monitored to ensure that they are following the proper protocols prescribed in the Act?

Mini: The organized players should ideally take on the onus to train, educate and sensitize the smaller outfits on the obligations of the Act, and more importantly, the need to protect personal data.

The personal data that may be shared with the smaller outfit should ideally be limited. Only the minimum data required by the smaller outfits should be shared with them. One should also explore avenues of technology to be able to share such data and look for a secure digital way. This could be through tablets, a mobile app such that they (smaller outfits) are exposed only to what is required and only for the period for which they need the information.

Technology definitely will play a key role when it comes to sharing of data, making the data accessible in a secure manner, because it may actually be difficult for smaller outfits to invest in security or technology themselves.

The other aspect that companies need to look at is to see if there can be contracts that can be signed. When it comes to a smaller outfit, they may not have the capacity to sign onerous contracts or data protection agreements for processing the data that they are in custody of or have access to. Hence, it may be required that as part of their work orders or delivery contracts, there is sensitization and there are clauses included on their obligations to keep the data secure. But most importantly, the training and awareness and implication of what could really go wrong if data is not dealt with securely is something that the larger outfits will have to take charge of and sensitize the smaller players around. Technology measures will go a long way to secure this entire value chain as information is shared across the board.

Pallavi: There is a growing breed of aggregators in logistics who essentially provide the platform through which the individual transportation operators do business with customers. Who would become the data fiduciary in such cases?

Mini: If these are aggregators who are providing purely the platform to individual logistics companies or transportation operators, then they are only a tech layer, then the tech platform aggregator is a data processor. It is (data fiduciary) really the logistics companies and the transportation operators who are using this platform for performing their operations to collect the data that is required to be processed in turn and probably share the data across the value chain. The entity that is the first point of collection and deciding the purpose and means of processing the data becomes the data fiduciary.

The aggregator layer, which is purely providing the platform, will become a data processor. There is no direct obligation on a data processor under the latest data Digital Personal Data Protection Act in India. However, it is the onus of the data fiduciary to ensure there are no non-compliances in the process and hence, while the aggregators really become the data processor, the data fiduciary, which is the entity that is using the platform and having the data loaded on these platforms, has to ensure that the right means and measures and security controls are in place when it comes to these aggregator platforms.

Essentially, the logistics service providers and the transportation companies that are collecting the data and deciding the means and purposes are the fiduciaries. The aggregators that are only providing technology platforms become the processors and will be governed by the contractual clauses that they will sign with the data fiduciaries in turn.

Pallavi: Thank you, Mini for those valuable insights. Our next question focusses on the data principals, consent and their control over the data. The Act allows the data principal to withdraw consent to the data fiduciary through the consent manager. How will this work in the logistics industry?

Mini: Consent is a mechanism that exists in the global privacy and data protection regulations as well. According to the Act, one can provide consent to process data. However, the Act clearly says that while the data principal can withdraw the consent, the data fiduciaries shall ensure that within reasonable time they cease the processing of data. This means that if I as a consumer withdraw consent from a logistics service provider, then the logistics service provider, within a reasonable timeframe (although the exact time period is not defined), has to ensure that not just they (the service provider) but also all the processors, including the transportation company and other players in the value chain, cease to process the personal data of this individual.

It (the Act) also says that in case of consent withdrawal, if there is some consequence – for example, as a consumer, I have provided information for the movement of goods and hence the data processing is happening but I withdraw consent - then any impaired or hindered movement would be the data principal’s (consumer’s) responsibility. So, the consequence of the withdrawal has to be borne by the data principal.

However, as a consumer, if I have provided consent to my logistics service provider to send me some offers, schemes or discounts and that consent if I withdraw later on, then the logistics service provider has to ensure that all systems and processes or even third parties involved, who would actually be responsible to send offers and discounts to the consumer, understand that the consent has been withdrawn and hence they should no longer process the data for that purpose. Any such processing after the withdrawal of consent will actually go against the data fiduciary, even if it was done by a data processor. So yes, withdrawal of consent is a reality. And in the logistics industry, not just the main fiduciary who is the logistics service provider, but the service provider has to ensure that everybody in the chain adheres to the changes in consent and stays clear of any non-compliance.

Pallavi: Thank you, Mini. It is great to know that data principals will have control over the data. There is a provision for fines in front of a data fiduciary who fails to protect the data or misuses it. How does that help someone whose data is being misused?

Mini: While these provisions penalize the data fiduciary, there is no mention in the Act on or in any way compensating the individual who may have been impacted. The entire intent of the penalty is to act as a deterrent; it is not about making money. It is about how we ensure that the protection of personal data is upheld. And to do that, these fines have been imposed to ensure data protection.

While there is no provision for an individual to get compensated, we do have a Data Protection Board that is being formulated. This body will be responsible for evaluating any such non-compliance or breaches. While they will impose a penalty on the data fiduciary according to the gravity and the intent of the breach, it is up to this Board to decide if on a case-by-case basis if they may also want to get the data principal compensated. For now, the penalty is really to act as a deterrent to ensure that strong governance mechanisms are put in place and not as a mechanism for individuals to get compensated. But in the event of any substantial losses, those can be taken up on a case-by-case basis by the board.

Pallavi: What is the institutional capacity being built to ensure that the law is being monitored carefully in case of a data breach that harms the data principal? Will there be a separate agency to take it further, or will it go through normal police channels?

Mini: The Act talks about the Data Protection Board that will act as a nodal body such that it will evaluate the cases and in case of any harm caused, the data fiduciary will get penalized.

The Act also mentions a mechanism that will enable periodic reviews and appointment of independent data auditors in case the data fiduciary happens to be a significant one basis the volume and sensitivity of data involved, and basis other parameters such as the risks associated with the processing of data, etc. A data fiduciary like a logistics service provider may be qualified to be a significant data fiduciary, and in such cases, there are additional provisions or obligations of having an independent data auditor and periodic audits so that there is continuous monitoring of compliance with the Act.

Beyond this, we are expecting more rules to come out which will specify how these mechanisms will turn out. But the Data Protection Board definitely acts as a body that a data principal could go to in case of any breaches.

There again, while it is a nodal body, there is also a provision for grievance management. The Act clearly states that the data principal can first reach out to the fiduciary in case of a grievance, and if that is not satisfactorily addressed, then they can go to the Board. If still not satisfied, the data principal can further apply to an independent body. While these things will further pan out, there are mechanisms put in place and the intent is very clear – that the data principal will have ways and means of escalating (the issue) further so that the grievances are addressed.

Pallavi: Thank you for spending your time and breaking down those important inputs for us on how the DPDP Act will influence the supply chain and the logistics sector.

Mini: Thank you so much.

Pallavi: On that note, we come to the end of this episode. If you would like us to explore other such topics on data security and privacy, please do leave us some suggestions that you would like us to deep dive into. Thanks for listening in. Until next time, this is Pallavi, signing off.

Back to podcast

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

EY | Assurance | Consulting | Strategy and Transactions | Tax

About EY

EY is a global leader in assurance, consulting, strategy and transactions, and tax services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EYG/OC/FEA no.

ED MMYY

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

Topics

General

People

Back to podcast

Podcast transcript: Digital Personal Data Protection Act: Impact on supply chain and logistics

18 min | 06 September 2023

Back to podcast

Welcome to EY.com

Topics

General

People

Trending

Back to podcast

Podcast transcript: Digital Personal Data Protection Act: Impact on supply chain and logistics

18 min | 06 September 2023

Back to podcast