Data Privacy, Localisation And Protection: Considered Decision Needed

Recently, data privacy has become one of the most important topics in public discourse all over the world. One of the main reasons being the Cambridge Analytica – Facebook data scandal that brought to light the ways in which people’s data could be used to sway something as personal as political opinion. The aftermath of the event involved a worldwide public backlash and led to a number of discussions concerning the unethical behavior of the data processors and a lack of proper regulation. The need of the hour prompted certain governments to bring in a set of regulations that would give people more rights and authority over their data, which is in the possession of other data processing organisations.

The first one being the European Union, which introduced the General Data Protection Regulation (GDPR) in May 2018. After that, the state of California too passed the Consumer Privacy Act, 2018 in order to regulate the data being collected by the technology sector. Following the footsteps of the European Union and the state of California, India has also started its journey towards achieving a better framework for data regulation. The Srikrishna Committee’s report that was released in June this year is one such step in that direction, even though there is a lot more that needs to be changed in that report. The outdated IT Act of 2000, which has been the legal framework for the Indian technology sector, is not enough to regulate the new forms of technology that have come up today and that will be coming in the near future. The recent news about identity theft because of security lapses in Aadhaar have reinforced the need for a regulatory framework that would protect the citizens from data breaches and give them a proper grievance redressal platform in case of a breach. The Srikrishna Committee was under a lot of criticism because of a lack in transparency and public participation during the process of drafting its report in order to avoid any interference in its functioning.

A common view held by most experts is the massive amount of data that is being created and the speed with which digitalisation is taking place in India. N S Kalsi, Additional Chief Secretary-Home, Government of Punjab, pointed out that India has one of the largest digital footprints in the world and is ranked amongst the top two countries globally in terms of digital literacy empowerment. Upcoming technologies such as Internet of Things (IoT), neural networks, robotics etc support the need for a proper regulation to deal with the massive amount of data that will be created. He also said, “There are huge challenges before us when handling this new technology. These challenges would be policy framework, legal framework and regulatory framework.” K V Eapen from the Department of Administrative Reforms and Public Grievances (DARPG), supported these statements by talking about expanding the Internet subscriber base in the country. Further he added, that the JAM trinity (Jan Dhan, Aadhaar and Mobile) have played a huge role in promoting this digitisation. This has, in turn, been used to create other services such as BHIM, e-KYC and the digital locker.

Even today there are people who still question the need for digitisation and to what extent should services be digitised. Rajat Kathuria, Director and Chief Executive of the Indian Council of Research on International Economic Relations (ICRIER), was also interested in the role, technology and digitalisation could play in bridging the trust deficit between the public and the private sector. He believes that by using data to provide better governance services, the problem of crony capitalism can be solved. He also pointed out that the big data has economic benefits such as creating opportunities where none existed before and bringing demand and supply together. Thus, allowing markets to function in a better way.

Although efforts towards digitalisation have been great so far, there is still a huge segment of population that needs to be brought in contact with the internet. Eapen also talked about how digital services are largely confined to the urban population of the country. Along with him, some other speakers also touched upon this issue of making digital services accessible all over the country.

Another area of agreement between most of the speakers was the need for a proper regulation. Sucheta Dalal, Trustee, Moneylife Foundation, was quick to point out that despite all these talks about digitalisation and our technological prowess, India does not have any sort of system for checks and balances. Regulatory authorities have zero accountability and most of them have become “sinecure for retired bureaucrats”. Dalal, who was representing the view of the civil society added further, “We are pushing the so-called digital technology without something as basic as hygiene like an audit”. She used the example of SBI’s TDS accidental increase and security issues with Aadhaar to convey the dangers of rapid digitisation without any mechanism to regulate it.

Gulshan Rai, National Cyber Security Coordinator, echoed the concerns raised by Dalal and said, considering the fact that Aadhaar is also linked to our biometrics, the dangers of identity theft are even more pronounced there. There are no standards, no guidelines, there is no moral value about what data needs to be collected, what needs to be sold and stored.

Suresh Chandra, Secretary Legal Affairs, Ministry of Law and Justice, Government of India, while talking about the importance of preparing ourselves with a foolproof law and regulatory framework added, “There will be no more conventional wars, instead we will have wars that will be fought on the basis of information and the data which is available with the persons.”

Although on a brighter note, Deepak B Phatak, Professor Emeritus, IIT-B & Director, SKOCH Development Foundation, was quick to point out that just like our country moved towards digitisation rapidly, we have been able to come up with a regulatory framework quickly. Moreover, India is not the only country dealing with the issue of regulation. A lot of countries are tackling similar issues as they have realised that the older laws are getting outdated and they need to be updated in accordance with current times.

On the other hand, there were topics that brought in a lot of differing opinions. One being the issue of data localisation. One of the proponents of storing data in India was Phatak who held the opinion that if the Americans aren’t confused about storing data on Americans in America, then why are we confused about storing data of Indians in India? Another supporter of this was Dalal, who used the sovereignty argument and said how global agencies that have access to every last detail of Indians, store their data abroad where they have no Indian agency to monitor what is being done with that data. We call ourselves a sovereign nation but have taken a passive approach towards data of our own citizens because we feel that it is too late to get back what is stored in servers in foreign countries.

The directive by the Reserve Bank of India (RBI) asking transaction companies to store their data in India is an unnecessary move because these companies basically have very little data about Indians. Even the data that they possess constitutes for less than 10 per cent of the total data that is relevant to us and is already available to us through different organisations such as the RBI. Another flaw in the localisation and sovereignty argument, where if every country starts making similar regulations, it could impact global trade and the world economy.

Phatak was quick in rebutting the impact of data localisation on global trade. “The same people who talk about international trade being facilitated by permitting Indian data to stay outside have never dared to suggest the Government of United States, the same thing. That is a completely unfair statement.”

Kathuria, however, took the middle way and suggested the need for balancing data localisation with the economic impact of the activity. If there are alternative ways in which we can achieve the objectives of data localisation, then we should give it a serious consideration. Using the example of the Cloud Act issued by the United States, he explained how the US has managed to deal with Privacy laws across the world and come up with a reasonable method of exchanging data without compromising their security. Further, he said that using such drastic measures could also backfire. Other countries might retaliate by imposing sanctions or similar policies.

Rai was also in support of a less extreme position where he recommended restoring some international practices. He focused on making India look at what other countries are doing; how it is impacting them and then come up with a good regulatory framework. He also spoke about the importance of coming up with an internationally acceptable definition of privacy since, currently there is no such common standard that can be applied universally.

One of the most important issues that was discussed was the need for citizens to be more aware and responsible with their data and to start caring more about issues related to data privacy. “We also need to start caring about who owns the internet, who governs the Internet, who owns the data” said Subi Chaturvedi, President, Yes Global Institute on the issue of people taking a more active role in terms of their awareness of their data. She further said that, what is also needed is, more public interest in the policy formulation. In order to make a policy comprehensive and successful, it needs to be consultative and have some public stakeholder involvement.

Dalal, while talking about the impact of digitalisation on ordinary citizens, said, “One thing, which we Indians do not understand about the technology is that we have adopted digital security.” Phatak was able to sum up the role of the ordinary citizen in this era in a concise manner by exclaiming that; privacy is only as good as the care with which we treat our privacy. Whenever we give apps the permission to access our data we are letting them invade our privacy to some extent. Our role in managing this is as important as any regulatory framework, he added. It needs to be well understood that maximum data in India is actually with the government of India and the state government. So, how do such laws specifically deal with the government and what are the penalties or accountability on the government if such an incident is happening on the oversight of the government? It is not a simple question, it’s a fairly complex tapestry. So, any such decision that the country takes has to be a negotiation, it has to be a discussion.