Rajnish: Anindya welcome to the podcast and thanks for coming over.

Anindya: Thanks Rajnish and greetings to you and your listeners on world Energy Environment Week. I'm delighted to share my thoughts on the subject, but I would like to just place a key caveat that this should not be construed to be the views of Shell. Thank you.

Rajnish: My first question to you Anindya. How do you think a carbon price can help abate emissions?

Anindya: Yeah, that's a great question Rajneesh and there is a short answer and a slightly more evolved answer, so let me attempt both. The short answer is that greenhouse gas emissions carbon emissions have an externality, and the cost is borne by the society, and not necessarily by the emitter. Carbon pricing strives to place a cost on the emitter and thereby putting the sort of cost where the burden is. But if you sort of dig up a little deeper, the whole carbon pricing policy intervention is a clear nudge that Governments can give to various players across the economy on what they need to do. And there's various aspects that we should explore in this context, first is the competitive disadvantage of the first movers. There are companies right now who are contemplating climate action, but they find that such action involves costs which brings in a competitive disadvantage to them vis a vis with their competitors and therefore they do think twice before implementing major programs. A carbon pricing across a sector will ensure that all sector players are having the same level playing field and start taking the same steps and ideally this moves into an economy wide coverage, so I think that's very important to make sure that the early movers don't get disadvantaged. Secondly, there is a policy outlook signalling that this is very important. Companies right now are struggling to see what the pricing, carbon pricing or any compliance framework will look like in the coming years and decades. So, if the government can clearly indicate that this is going to be the carbon pricing methodology that the government will adopt and how it will progressively change over time, companies will be in a position to make the right technology choices back to green technology and make their investments that are well tested against such a carbon pricing regime. On the case on this case, also another aspect we need to talk about is resource mobilization. So carbon pricing of course also yields resources for the government whether it's a carbon tax or a market based mechanism like the ETS and the government, then can direct some of this to supporting new technologies. Green technologies that are not proven, for example, if it wants to support offshore wind or biofuels but also maybe use it to address the needs of just transition, so there are going to be sections of society which will be burdened by higher cost of the energy transition and some of this will be available for that. Another aspect I think we should also consider when talking about carbon pricing is globally various countries are adopting carbon pricing where there's tax or emissions traded systems and to make sure that there are no carbon leakages these countries are likely to impose a border adjustment mechanism as Europe is considering. So, if Indian companies have to operate or export into these markets then they'll have to demonstrate that they have carbon pricing domestically. So that's very important for Indian companies to achieve, I mean India has a huge trade with Europe for example of 36 or $37 billion and the part of that will get impacted by this. And the other advantage of integrating to global markets is that Indian players will have access to much deeper and wider markets for carbon offsets. For example, they are on the buy side or sell side.

Rajnish: So Anindya I agree with you, I think carbon prices are the talk of the day. Now the big question basically, which is there when you look in the case of India is should India go for a carbon tax or should it go for an emission based or a market based trading mechanism? What do you think are the pros and cons to the two and you refer to that while you're answering the earlier question?

Anindya: Yes, indeed, these are the two popular models which various countries have experimented with over the last several years. So, the advantage for India is that India can certainly benefit from the experiences of these countries and get sort of rich learnings out of it. Carbon tax in terms of implementation is perhaps much less complex, though politically less acceptable because it's it will be very transparently seen to be adding to the cost to the customers or taxpayers, as the case may be also, it needs to sit within the existing taxation framework and jurisdictional sensitivities, and I know Ernst & Young has already presented an analysis on how this can be done. As for emissions trading, there is a possibility that the existing market-based mechanisms for energy efficiency, which is the path scheme and the eCerts and the renewable energy, which is the RPO and RECs, could be brought under a carbon framework which could then be expanded to a functional emissions trading scheme. However, the complexities of the market design that address the needs of a progressive decarbonization without causing market failure needs to be carefully considered.

Rajnish: I agree with you Anindya, I think carbon taxes are easier and as you gave there are pros and cons to each of the approach. Now, given that we have a blank piece of paper in India as of this point of time, what would be your advice to our clients as to how they should think about this and go ahead?

Anindya: Indeed, that's a very important I think question to consider for countries so companies at this point in time as various regulatory changes are likely to happen in the coming future. Well, one can never be certain as to when a compliance framework for carbon will emerge in India, but we have seen a compliance framework in energy efficiency and renewable energy that was successfully implemented. We are also hearing of an RPO type framework for green hydrogen progressive Indian companies are already beginning their decarbonization journeys by implementing internal carbon pricing. CDP's annual report mentions 31 companies already having an internal common price or companies are signing up to the SBTI's or making commitments under RE 100 EP 100 EV 100 type commitments. But to ensure a sustainable future and a social license to operate, companies will need to transparently share their plans to adhere to carbon budgets available so as to achieve the climate action goals agreed by the international community such companies will withstand any shocks that could credibly arise from external carbon pricing, whether through taxes or market-based mechanism.

Back to podcast

Podcast transcript: Digital Personal Data Protection Act, 2023: Impact on OTT platforms

15 min | 18 October 2023

In conversation with:

Mini Gupta
EY India Cybersecurity Consulting Partner

Pallavi: Are you curious about the impact of the Digital Personal Data Protection (DPDP) Act on Over The Top OTT platforms? Then this podcast is for you. Hi, I am Pallavi Janakiraman, your host and welcome to the final episode of ‘Gateway to data privacy and protection' special series by EY India Insights Podcast. We are joined by Mini Gupta, Cybersecurity Consulting Partner at EY India, who is currently part of the core team that is actively managing the agenda of the Digital Personal Data Protection (DPDP) Act, 2023 for EY India.

Over the last 10 years, she has been closely working on the agenda of data privacy in India and globally. Today, we will be discussing the OTT platforms’ data protection challenges, consent management, international data transfer, the role of data fiduciaries, and more. Mini, thank you for joining us for this episode.

Mini: Thanks, Pallavi. It is a pleasure to be here.

Pallavi: There are an increasing number of OTT platforms these days, particularly the smaller ones that are run by entrepreneurs who are aggregating the content. Will they have the ability to have a proper data protection officer?

Mini: Content aggregation service providers may not really deal with personal data. Their primary work is to curate and produce content and then share the same with OTT providers to show the content on their platform. If there is no involvement of personal data, then there may not be a need to have a data protection officer at all. In fact, the Act clearly says that it is in the case of significant data fiduciaries that one will need to appoint a data protection officer.

A significant data fiduciary would be notified based on certain criteria, such as volume, sensitivity of the personal data involved, the risks associated with the processing of personal data and several other conditions. If you look at it from a content aggregation point of view, it is unlikely that they (content aggregators) would fall in the category of significant data fiduciary even if there is some personal data with which they may interact with. Hence, they may not really need to officially appoint a data protection officer who is based in India.

Pallavi: How does the concept of data processor work with OTT and what would be the obligations of the data processor?

Mini: In the case of OTT companies, data processors would be the service providers who are processing personal data on behalf of the OTT service provider. For example, if an OTT service provider relies heavily on personalization, recommendations, and advertisements on other service providers, then such service providers would become the data processors. For example, to perform any data analytics, if an OTT service provider engages with another party, then that analytics services company becomes the data processor.

If you look at the Act, all the obligations are really on the data fiduciary. In this case, the obligations are on the OTT companies and not really on the data processors. Hence, the data processors will purely be governed by the contractual clauses that they sign with the OTT companies, and this is in the interest of OTT companies because they would be liable for all the penalties in case of any noncompliance. It ensures that the clauses with the data processors also cover similar obligations, such that the data processor deals with the personal data in as much seriousness and with as much diligence as a typical OTT company would have done.

So, there are no direct obligations under the Act but they will be governed by contractual clauses, which the OTT companies will have to ensure are watertight.

Pallavi: Thank you for those insights. Many OTTs operate globally and utilize the data to personalize offerings to their customers, both domestically and abroad. How will they deal with the clause prohibiting personal data from being transferred abroad, given that the analytical engines may well need the data to come up with the correct matches?

Mini: Many service providers who provide personalization services are setting up their services in local regions due to data protection regulations. While the service provider may be from the EU or the US, their services may be set up in India, where personal data is being processed to provide personalized recommendations and hence there is no personal data transfer.

But even in cases where there is persistent data transfer, the Act allows for transfer of personal data outside the territory of India, provided that country is not in the notified list of the central government, where such transfers are prohibited. In case of international service providers where processing is taking place outside India, as long as it is not situated in any country which is a part of our negative list of, transfer of data is not an issue.

Pallavi: Now, emphasizing on the data fiduciary concept, we noted that a lot of OTTs predominately rely on telcos. Who is the data fiduciary in this case and what are the relative responsibilities of each?

Mini: In this scenario, both operate as individual data fiduciaries as both process the personal data for their own purposes and both, in some cases, would be taking certain personal data elements that they would need for their services. In a way, they (telcos and OTTs) are the ones who are collecting data as well as deciding the means and purpose of the personal data that they are collecting or in some cases, they may be receiving from the other party.

There may be some personal data like mobile number or email address, which is commonly used by both OTT and telcos. In that case, they can be both data fiduciaries. Typically, in regulations such as GDPR it is referred to as joint data fiduciary. Under Indian DPDP Act, they would be termed as data fiduciaries, where common personal data is being processed by both the parties. However, both are identifying the means and purpose of their own respective uses. Hence, obligations of data fiduciary will be applicable to both of them.

Even if they have associations with any other parties, as long as they are defining the means and purpose of the personal data that the processing, such entities will act as data fiduciaries and the relative obligations of data fiduciary in terms of protecting the data, ensuring that the right notice is provided and consent is taken, ensuring that in case of any data breaches, the notifications are provided to the Data Protection Board as well as the individual – all the data fiduciary obligations would be applicable to the OTT as well as the telecom service providers.

Pallavi: Thank you, Mini. Adding to that previous question, we see that there are provisions for or fines on the data fiduciary who fail to protect the data or misuses it. How does that help someone whose data is being misused?

Mini: There is no explicit provision in the Act that mentions compensation or help for someone whose data has been misused or compensation for data principal. In fact, it is not really a practice that is followed across most global regulations as well. However, it is up to the Data Protection Board, which is expected to be set up soon, to decide if they would want to compensate the data principal in addition to the penalty that they would impose on the data fiduciary.

However, there are significant fines and penalties that are applicable to a data fiduciary in case of any instance of data misuse or any violation to the Act, which ideally should act as a deterrent to misuse the data in the first place. So, no direct compensation, but still deterrents are available such that the data misuse is avoided in the first case.

Pallavi: Law is the first step. What institutional capacity is being built to ensure the law is being implemented? In case of a data breach that harms the data principal, will there be a separate agency to take it further or will it be going to the normal police channels?

Mini: There are provisions around grievances; there are provisions to take matters across various escalation levels. So, as a data principal, or if someone comes to know of a breach or any harm that is caused to a data principal, they can first take it to the data fiduciary and request for clarification and more details. If they are not satisfied with what the data fiduciary’s response, the data principal has the provision to go to the Data Protection Board. In fact, if the principal is not satisfied with the Data Protection Board’s response as well, there is a provision to go further to Telecom Disputes Settlement & Appellate Tribunal (TDSAT). A natural progression from TDSAT eventually is a possibility of approaching the Honorable Supreme Court as well. So, there are multiple levels of escalation that have been provided that can be leveraged in case of any harm to a data principal.

Further, if you look at the overall capacity of monitoring, the data fiduciary is classified as a significant data fiduciary (data fiduciary dealing with a large volume of personal data, sensitive personal data or the risks associated with the processing would be high), then they will also need to undergo periodic audits. They will need to appoint an independent data auditor. And all of this, in fact, is a way of ensuring that there is some monitoring capability and capacity built on top of what a data fiduciary is doing. All of this put together does act as means and provisions to help in case of any harm or potential harm that could be caused to a data principal.

Pallavi: Journalists in media houses deal with a lot of personal data of various data principals — from news consumption, interviews, article publishing, and movie reviews. Would media houses and journalists need to obtain consent prior to possessing their personal data?

Mini: Unlike General Data Protection Regulation (GDPR) and most global data protection regulations where journalistic purposes and public interest are exempted, in the Indian DPDPA, there is no exemption provided for journalistic purposes and public interest, and hence we will have to wait for the rules to see if there would be any exemptions that would be coming up. In fact, the ministry is seeking consultations on the subject of any exemptions and the justifications for the same.

We may be looking forward to some exemptions for journalistic purpose. Else, under what we see as per the current version of the Act, we will have to rely on consent, which may practically be difficult and extremely onerous as well. Additionally, the Press Act of India may also come to light where it allows processing of data for journalistic purpose. So, while there is a no provision, from DPDPA perspective, we would need to look at the Press Act of India and see if the same can be done.

Pallavi: Thank you for joining us and sharing all these valuable inputs on how the DPDP Act has impacted the OTT sector.

Mini: Thank you.

Pallavi: On that note, we come to end of this episode, make sure to hit subscribe on the preferred platform if you haven't already so you can get notified about our next series of podcast. Thanks for listening in. Until next time. This is Pallavi, signing off.

Back to podcast

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

EY | Assurance | Consulting | Strategy and Transactions | Tax

About EY

EY is a global leader in assurance, consulting, strategy and transactions, and tax services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EYG/OC/FEA no.

ED MMYY

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

Topics

General

People

Back to podcast

Podcast transcript: Digital Personal Data Protection Act, 2023: Impact on OTT platforms

15 min | 18 October 2023

Back to podcast

Welcome to EY.com

Topics

General

People

Trending

Back to podcast

Podcast transcript: Digital Personal Data Protection Act, 2023: Impact on OTT platforms

15 min | 18 October 2023

Back to podcast