The Justice Srikrishna Committee has presented its draft of India’s newest data privacy bill but before it becomes a law, the technology industry is voicing its support strongly in favor of the law primarily safeguarding customer data.
The much-awaited white paper on the proposed data protection regime, following the SC judgement in August 2017, that underlined the need for data protection laws to protect the privacy of individuals, was released by the government last month.
The judgement recognizes the role of data-driven innovation (DDI) for the growth of economies, and for job creation. But it emphasises that the data so collected be utilised for legitimate purposes.
The white paper proposes a data protection framework based on the following seven principles: technology agnosticism, holistic application (both to private and public sectors), informed consent, data minimisation, controller accountability, structured enforcement, and deterrent penalties.
The IT/BPO industry, which is $150 billion, requires innovation – data-driven innovation – to grow to a trillion dollars over the next few years. The proposed data protection law will play a seminal role in encouraging DDI, even as it promotes data privacy of individuals.
I wish to comment on some of the foundational principles such as data minimization, data localization, ‘adequacy test’ along the lines of the EU General Data Protection Regulation (GDPR), in the white paper, which has the potential of negative impact on DDI. In the next piece, I will provide constructive thoughts on achieving stronger enforcement, without being high handed, through co-regulation and capacity building.
Data minimization principle, as a foundational principle is not correct since it can undermine innovation. Data collection should not be restricted, but the focus has to be on preventing misuse of data, and preventing harm.
Innovation is fundamental to the growth of the start-up ecosystem in India, which is the third largest in the world. We have to remember that innovations in the fields of Internet of Things (IoT) and Machine-to-Machine (M2M) technologies have just begun. Artificial Intelligence (AI) and Machine Learning (ML) hold similar potential.
All these require data to innovate, not just applications for new services, but also innovative methods for enhancing security, defence, and intelligence applications.
For example, drones deployment at borders; devices for health and traffic management, airport security, campus security, and services. All these can raise privacy concerns, but data minimization is not the answer; preventing harm is. Start-ups bank on ideas, and take risks; if the laws are not conducive to innovation, our own youngsters will find better places like Israel, and the US; angel investors too will migrate.
It is worth reiterating that Europe with its stricter privacy laws has hardly any innovation to talk about unlike the US, which is home to all start-ups that have struck it big – Facebook, Twitter, Google, Yahoo, Instagram, YouTube, Uber and many more.
A recent report by Analysys Mason estimates that DDI contributed $10 billion to India’s Gross Value Added in 2015, which is expected to rise to $50 billion by 2020. An ICRIER study too estimates that apps contributed a minimum of $20.4 billion in the year 2015-16 to India’s GDP; expected to grow to $270.9 billion by 2020. This would be nearly eight percent of India’s GDP.
The study also finds that while 10% increase in total Internet traffic and mobile Internet traffic globally increases global GDP by 1.3% and 0.7% respectively, for India the impact is much higher – 10% increase in total. Also, Internet traffic delivers on average a 3.3% increase in India’s GDP, and a 10% increase in mobile Internet traffic, delivers on average a 1.3% increase in India’s GDP. Clearly, the impact of the growth of Internet traffic is far more in India than the global average.
It is also instructive to quote Deloitte study that estimated its economic impact on the European economy – reduction of GDP by € 173 billion (1.34% of GDP in EU-27) leading to a loss of 2.8 million jobs – combined effect from only 4 sectors: web analytics, direct marketing, online behavioural advertising and credit information.
Data Localization does not enhance security, while it is advocated to address issues of lawful access to data. Clouds and large service providers implement risk-based security programs that track latest threats and vulnerabilities, with latest technology tools, and highly skilled manpower. Small organizations can not invest that much in security, while the risks are similar; they opt for clouds.
Clouds provide data centres to start-ups for their innovative activities, without having to invest in infrastructure. DDI stories of Indian start-ups using global clouds are growing. Moreover, cross-border data flows happen when a transaction takes place, since multiple apps connected to websites enable newer services that are valued by global customers.
The law should not discourage that, since India as the global hub of IT/BPO industry is home to such data processing. Exceptions can be carved out for some sensitive data that should be stored within the country, but the law should not provide for data localization.
It is important to understand that end-to-end encryption in messaging services has become the norm. The service provider has no control over encryption, nor does it have access to the encryption key. Encryption is a rightful tool, a Privacy Enhancing Technology, that is used for privacy protection. Law enforcement can resort to other methods, such as lawful hacking, for accessing encrypted data under national laws.
Existing Mutual Legal Access Treaties (MLATs) between countries, designed for collecting evidence about crimes in the pre-internet era, are highly inefficient. US and UK are moving towards bilateral information sharing arrangement by improving oversight for surveillance and lawful access to data.
Making of data protection law presents an opportunity to enhance privacy safeguards based on the sensitivity of data being accessed/intercepted, which can also help establish India-US data sharing arrangement for sharing of data between US companies and Indian Law-enforcement agencies.
Right to be forgotten has also to be balanced against the freedom of expression (FOE) right. Search engines merely provide links to the original sources of data, which exist anyways, even if not shown by searches. Besides search engines, many other types of intermediaries including start-ups too will be impacted. Platforms will be asked to police by applying public interest test; much against the norm of the Internet being open and free.
In a vibrant democracy like India, the legitimate rights of journalists and researchers have to be protected; merely because it finds a place in EU GDPR cannot be the reason to include it in the Act. Many countries such as Japan, Australia, South Korea have ruled out RTBF. I will focus on it in a separate piece.
Finally, the most vexed question. Should India include “Adequacy test” in its law? Indian IT/BPO industry has considered adequacy test as a non-tariff barrier by the EU. It has lost several opportunities because of this, even though our companies are better equipped to deliver services at highly competitive prices.
Adequacy adds no value to the quality of services, nor delivers any extra data protection. In 22 years since 1995, European Commission, with all its resources, has found only 11 countries ‘adequate’.
India would require humongous resources for conducting adequacy test on other countries. Besides, it would put the $150 B industry into a difficult position, since India would have to conduct “adequacy test” of the United States, leading to an incongruous situation vis-a-vis the latter being our biggest partner in the IT/BPO industry, and which never conducted any such adequacy test on India, even when IT Act did not exist.
It is the existing Contract Law, and the contracts between a DC in the US and a DP in India, with the data protection standards and best practices agreed to, as part of the contract, that has inspired and nurtured trust in the service providers from India.
Adequacy test for a country forces the service providers into a compliance regime that does not encourage innovation. Moreover, the cost of services goes up, because prescriptive methods require repetitive actions and certifications, and legal costs to mitigate risks.
So, then what should drive the data protection law for the informational privacy of individuals, while allowing unhindered innovation for the growth of the economy, and job creation. Data Protection Law, should not limit data collection and use, but instead focus on preventing misuse of data, and causing harm to users. It should be technology and platform neutral, applicable horizontally across all the sectors, and it should factor in the socio-economic impact of Internet-enabled services and apps in India.
It is the universally accepted privacy principles that should lead the way: Notice/Choice for informed consent for data collection and processing, with focus on purpose notification, collection limitation, access and correction, security, openness, and controller accountability.
The user should be empowered through transparency and choice; and data portability across platforms; Consent of an individual is essential before collection of personal data, with explicit consent for sensitive personal data.
Consent fatigue be avoided by not insisting on consent at various stages of use. No consent be required when legitimate interests are there to process personal information, e.g. medical emergencies, security scans on devices, etc, or legitimate interests of the state.
Data controller and data processor be required to implement privacy programs, with security best practices, and demonstrate the same through privacy impact assessments, and privacy audits, if required by the regulator under the law. Preventing harm should be at the heart of controller accountability, instead of data minimization which can have a chilling effect on innovation, as noted above.
The focus of regulator should be on building a privacy ecosystem comprising accredited privacy professionals who help create awareness, design and implement privacy programs in organizations.
Data-driven innovation, cross-border data flows, the growth of ICT industry, job creation, while protecting the privacy of users, and trust in the enforcement of the law should be the defining features of the Data Protection Act.
(Dr. Kamlesh Bajaj was Founder CEO, Data Security Council of India; Founder Director, CERT-In. )