Privacy as a Fundamental Right - 2017
The 21st century is often referred to as the information age, where data is a powerful asset, with humans generating about 2.5 quintillion bytes of it per day. In the early 2010s, India also saw an explosive rise in the number of ways information was being used when global players like Uber, Facebook, and Airbnb entered the market.
The collection, processing and storage of data generated by nearly 450 million Indian users opened up a whole new world of possible data-driven innovations. Uber was able to find a route with the least traffic, Facebook could reunite long lost friends and Amazon could recommend a product that even you didn't know you needed! This all sounded magical until users took a closer look at these recommender systems, and realised that they were being shown ads for products that they had only ever expressed interest in verbally. This led to the landmark judgement by the Supreme Court of India that ruled the Right to Privacy as a Fundamental Right in 2017.
Protecting Consumer Data - 2018
Following concerns regarding the privacy of consumer data, the IT Act (2000) was also amended to include the right to compensation for improper disclosure of personal information and, in addition, digital companies were required to let users know what personal information they were collecting.
Although an improvement from no regulation, this amendment still does not compare to the comprehensive rules laid out by the European Union’s General Data Protection and Regulation (GDPR) or the USA’s Personally Identifiable Information (PII) Laws. While both regulations have been criticised for either being too stringent or too lenient, a whitepaper released as part of the Digital India Initiative in 2018 suggests that the Government of India may adopt a data regulation policy that would be a combination of the two prevailing global standards.
Data Protection Bill - 2019
In December 2019, a fully fledged Personal Data Protection Bill (DPB) was introduced to the Indian Parliament by the Ministry of Electronics and Information Technology. This bill – currently still being analysed – would regulate the collection, processing, storage, usage, transfer, protection, and disclosure of personal data of Indian citizens. It comes as an important development for global firms who may need to re-evaluate their business models, especially ones that offer free services in exchange for personalised ads.
The DPB enumerates a number of features that would not only require companies to alter their business models and practices, but also some features that would add to the cost and complexity of their service. Let’s take a look at some of the features that businesses would need to keep in mind in preparation for India’s new regulation on Personal Data Protection.
Explicit User Consent
The DPB would require companies to gain explicit consent from the user, both while collecting the data and for any subsequent processing. This puts the burden of trust on the company, making them more Data Fiduciaries than Data Collectors.
Personal Data as Property
The DPB defines that the data generated by the user is owned entirely by the user, as equivalent to personal property. While this idea sounds simple, it could be a nightmare to implement for digital companies because with physical property the owner can ask for it to be returned to them. This means that these companies would have to consider the infrastructure to remove all stored information about the user, should the user wish to terminate their membership, which could prove to be very tricky considering that the user’s data may have already been sold to a third party.
The DPB classifies data in three ways, with specific regulations and allowances for each:
Sensitive Data: Any information on financials, health, sexual orientation, genetics, gender status, caste, or religious belief – must be stored within Indian borders but may be processed outside.
Critical Data: Information deemed by the government as important with respect to national or public security – must be stored and processed within Indian borders.
General Data: Classified as any piece of information not falling within the above categories – no restriction on storage or processing.
Lastly, perhaps one of the most controversial features of the Data Protection Bill is the first regulation of it’s kind in global social media:
The Verification Tag
This feature requires all digital companies to verify their users and sort them into one of the following categories:
- Users with verified registration and display names
- Users with verified registration but anonymous names
- Anonymous and unverified registrations.
This essentially means that these companies are now also responsible for collecting and verifying real identities of their users. To put this into perspective, Facebook has been faced with the same dilemma with over a 100 million fake accounts as of today and a verification tag will curb the presence of such accounts on various social media platforms, thereby holding the users accountable for their behaviour online.
2020 - Splinternet?
The Personal Data Protection Bill is currently being reviewed by a Joint Parliamentary Committee in consultation with experts and other stakeholders, but in the current state that it is in, experts predict one of two outcomes:
1. Companies align with the new regulations, alter their business models and include additional infrastructure. As a result, the user gets to enjoy these global services and their benefits while still having Data Privacy regulations similar to the likes of the EU and Canada.
2. Companies don’t align with the new regulations and are either forced out of the market or decide to pull out of India to be replaced by Indian counterparts, drawing a very intriguing likeness to when Chinese regulation forbade players like Google and Facebook from operating within China’s borders. This locational divide and eventual fracturing of digital supply chains could hinder a global economy causing the “Splinternet”.
The Future of Data Privacy in India
In either scenario, the Personal Data Protection landscape in India will undergo some drastic changes in the coming years, placing a greater emphasis on the protection of it’s “netizens’” data. Global digital companies operating in India would have to rethink their business models and invest in the infrastructure required to comply with the new regulations, but is this enough?
Here’s how a professional, working with and researching Personal Identity Management, puts it:
With the technology that is available today, through blockchain, cryptography or edge computing, it is very possible to reimagine the data storage and processing systems that most companies use today.And it would be ideal for the user’s privacy if these regulations come about. But what will crucially affect the implementation of such policies is how the companies are penalised if they flout these norms.
- Vikram Bhushan - Co-founder, Hypermine
It is evident that alternatives to the current data economy exist, which hold user information at a high level of confidence. Data Unions are an excellent example of this. With Data Unions, not only is the user-data anonymised, with only essential information made available for processing or analysis, the user is also rewarded with Streamr DATAcoins for consenting to share their data. Data Unions put the user in complete control of their data while simultaneously allowing companies to analyse information that is essential to improving their services.
With various paths to explore solid data privacy and with the presence of solution providers in emerging technologies, the Indian government can create data privacy guidelines that not only safeguard consumer data, but also incentivise data-driven innovation. The future holds as many opportunities as there are challenges and India is on a path that has the potential to enable a thriving data economy.