India’s approach to data regulation seeks to harmonise two seemingly conflicting objectives of data protection — protecting personal data and facilitating growth of the digital economy.
Here’s all we need to know about the proposed data protection bill, and India’s hits and misses.
India’s Data Protection Bill marks the fourth wave of efforts at defining and regulating our ubiquitous digital future. So far, three clear approaches to data regulation have emerged in the global polity.
The first is the laissez-faire approach taken by the United States of America, largely due to the first-mover advantage of US tech giants like Alphabet, Apple, Amazon and Intel.
The second is the rigid and national security approach taken by China — resulting in a very localised and territorial approach to data generation, processing and storage.
The third example before us is the European law, which has held individual liberties and rights (such as the right to be forgotten) as a sine qua non.
The Indian method seeks to harmonise two seemingly conflicting objectives of data protection, namely, protecting individual personal data, and facilitating growth of the digital economy.
It does so by emphasising that the aforementioned objectives are, in fact, complementary, by protecting individual autonomy and creating a real choice for citizens (as opposed to an illusory notion of choice).
Success 1: Data As A Matter Of Trust Rather Than Property
At the core of a fiduciary relationship, there is an implicit cognisance that an unequal balance of power exists. To even the playing field in favour of the individual (data principal), the bill has placed ‘consent’ as a potent shield of individual rights and liberties.
This is not merely consent collected at the cost of information fatigue, as evidenced by the complex plethora of terms and conditions in apps and software.
Rather, the bill provides for granular and explicit consent, which can be subsequently withdrawn.
Granular in the sense that the individual must be able to choose specific purposes for which enumerated data is required.
Companies can no longer offer the standard “all or nothing” terms of contract, effectively unbundling how consent is given.
Additionally, the data divulged should be a 'reasonable expectation' of the individual and can only be shared with third parties who are known and have a genuine reason to be involved.
Explicit and affirmative consent implies that companies cannot offer a pre-checked form; rather, the individual must assent with complete awareness.
That is a lot of consenting, disclosure and choice. But the common man needn’t worry. Also proposed in the committee report is the setting up of consent dashboards — a common platform where all the purposes are stated, and the data collection is made easily visible and transparent.
There’s an underlying ambiguity with regard to the nature of an individual’s data — is it a form of valuable property? If yes — then does the divulging of personal data act as quid pro quo (counter performance) for the services rendered by an app/software?
Does this data derive its value at an individual’s level, or is it made valuable as an aggregated big data set?
Seeing the current treatment of data as merely something that enables processing strips it of the essence of all commerce — something bought and something sold. This treatment of data as a valued property belonging to a person would have massive spillover effects with regard to some further provisions of the present bill.
The first spillover would affect the infamous 'data localisation' clauses.
Data localisation presently requires that companies keep at least one live copy of all data processed in India.
Companies that operate as BPOs, or that solely process data for foreign clients, might be exempted from this requirement. But once the treatment of data as a property finds merit, data localisation norms would have to protect the individual’s right to private property.
Localisation wouldn’t merely mean keeping a copy; rather, individuals should have the ability to take it away from the hands of data companies. The exclusive right to enjoy one’s property without prejudice is a hollow right if data is copied or mirrored on foreign servers.
This brings with it a critical dilemma: why would companies invest in creating a digital ecosystem, only to deal with duplicated costs and possibly a lack of any commercial interest?
Thus, treating data as something to be entrusted rather than sold gives a society more choice whilst making gains in privacy.
Miss 1: Big Data
Our legal luminaries have to prepare our government and society for delineating personal data and anonymous data. While the Data Protection Bill is with regard to personal data, questions are bound to arise as to what happens to ‘big data’.
Big data is aggregated individual data which is processed by algorithms to draw out trends and behaviours that may have, inter alia, defence and marketing uses.
Now, if data is irreversibly anonymised, with no possibility of re-identifying the individuals that are in the aggregate, then such data would be outside the purview of the Data Protection Bill — a gaping loophole, as companies can continue to collect big data while anonymising it, going against the spirit of data and purpose limitation.
The committee feels that the “remote risks” of anonymised data sets being re-identified are small gains in privacy against the larger benefit of big data to society.
Should the bill go through, substantial efforts will be needed to keep such risks 'remote' — surely something that rogue companies operating out of opaque jurisdictions wouldn’t intend to subvert.
Data practices regarding anonymisation of data, and minimal standards of 'irreversibility' are in the ambit of the Data Protection Authority (DPA). The bill fails at emphasising the standards of anonymisation, the regulation for industry practices regarding irreversible data anonymisation, the reliance upon independent data auditors or even the DPA’s powers to enforce in this regard.
Miss 2: Ambiguity In Terminology
The bill, in its attempt to provide adequate data protection has sought to distinguish and define ‘personal data’ and ‘sensitive personal data’ under Section 2. To its credit, the bill has to a large extent provided quite specific and unambiguous terminology.
However, Section 40 of the bill, dealing with ‘restrictions on cross-border transfer of personal data’ allows the central government to notify categories of personal data as ‘critical personal data’ that can be processed only in a server located in India. Critical personal data, however, has not been referred to anywhere else in the bill and consequently, has not been defined either.
Success 2: Data Quality
Big data will certainly result in a slew of innovations with applications ranging from medical diagnosis to legal research.
However, if decision making on a data set were to contain any bias, or discriminatory intention, then such a tendency would need an effective countermeasure.
No doubt all learnings and innovation gleaned from big data will eventually find their application in the processing of personal data.
There’s a delicate balance to be achieved, between fostering the digital economy and protecting individual privacy — this fine balance is achieved in sections pertaining to 'data quality', where personal data has to be segregated as data based on facts and data based on opinions and assessments.
Thus, any inherent bias that might slip into algorithmic decision-making might be countered by this segregation.
Miss 3: Self Regulation
Breach of a contract is an obvious concern as most tech giants are feared to be 'too big to be regulated'.
To quote the committee:
Critical to the efficacy of any legal framework is its enforcement machinery. This is especially significant in India’s legal system, which has often been characterised as long on prescriptions and short on enforcement.
Yet, when it comes to the obligations of data security, especially when a tech company transfers the data to a third party, the bill is hauntingly too reliant upon self-regulation by tech companies.
The fiduciaries are to adopt 'model contracts' that place obligations on transferee entities as per Indian law, with the primary obligation of preventing breach on the entity under Indian jurisdiction.
That would make for a dissuading, long and protracted legal procedure for proving and prosecuting any breach.
Device Versus Data Future?
Admittedly, the situation looks grim, with the general populace numbed either by the lack of data protection or by the lack of a viable alternative.
However, there is a solution emerging. Surprisingly, it is the technological giants that have been able to foresee the digital future, and rightly so.
We find ourselves with two broad ecosystems with regard to personal devices and networks.
One is a fragmented, democratised network of devices, spanning all economies, promulgated by arguably the world’s biggest Internet search company.
The other is a restrictive walled network, afforded by the elite, that refuses to build backdoors into its devices, even if it results in defending a criminal’s privacy.
The closed, walled-off ecosystem has time and again demonstrated that data and purpose limitations can operate within a thriving app and software marketplace, provided that the counter performance is not data but a monetary ‘premium’ that is reflected in the price of both the devices and the permitted apps.