Data Protection, GDPR and the India Imperative: Opportunities and Challenges
In a world that is anxious about data leaks, breaches, and alleged data manipulation, data protection has been at the center stage for the past year or two. The media landscape has been inundated with stories on topics such as data protection/privacy, General Data Protection Regulation (GDPR), data breaches, delayed disclosures of past data breaches by companies, and so on.
As India builds its data protection regime, the focus of the narrative is on ensuring the security of citizens’ data, data protection, and localization.
The essential ingredients for a 'state of the art' law are already in place and there is a lot to learn/adopt from GDPR, which has been in force for more than a year now
On the domestic front, in a unanimous verdict over a year ago, a nine-judge bench of the Supreme Court declared privacy a fundamental right that is intrinsic to life and liberty and thus comes under Article 21 of the Indian constitution. Following that came the recent judgment on the Aadhaar case wherein, while upholding its constitutionality, the SC struck down1 Section 57 of the Aadhaar Act 2016 that allowed the use of Aadhaar data by private entities. The Reserve Bank of India has also mandated storing Indian users’ payment data only in India by October 15, 20182 and did not extend the deadline even on the request of some big names like Google3. The noise about data localization is getting louder by the day with a big player like WhatsApp confirming setting up data servers in India for their payments operations while some others want the issue to be reexamined. The narrative around localization may be due to legal safeguards from local laws, carrying out investigations against data breaches, and enhanced law enforcement; but only localization cannot ensure data protection.
As India builds its data protection regime, the focus of the narrative is on ensuring security of citizens’ data, data protection, and localization.
Based on Justice B N Srikrishna committee’s report on data protection, a draft data protection bill was submitted in July 2018. The bill borrows quite a lot from GDPR, and makes interesting recommendations on how organizations should collect, process, and store citizens’ data; but leaves significant gaps on giving full liberty to the government to process data, data subjects being left to deal with the implications of a data breach after withdrawal of consent, thereby completely diluting their rights.
Notwithstanding when a data protection law comes into force in India, an informed conversation on the issues involved is very much needed. The various stakeholders in the data ecosystem are:
- Data Subject (whose data it is)
- Data Controller (an entity which determines purpose & means of data processing),
- Data Processor (an entity which processes data on behalf of the Data Controller),
- Authority (which will define and enforce the rules of the data game), privacy focused activists, government, media, and intermediaries who sometimes act as agents to gather data from the data subject.
The plight of data subjects in India
In the maze of data management, more often than not, the data subject is on the losing side as their data can be grossly misused. While foreign companies make headlines for being held publicly accountable when a data breach takes place, Indian companies in sectors such as telecom, banking and finance, retail, hospitality, and many others, indulge in data misuse with impunity.
Data subject related issues have many dimensions:
- There are more than 700 million mobile users in India. Many of them gave their Aadhaar details to service providers due to incessant pushing by companies that mislabeled it a mandatory requirement. The recent SC ruling has quashed it once for all. However, the important questions to be asked are: how will the data subjects get their Aadhaar data deleted from telecom companies’ records? Are there audit and surveillance mechanisms available to verify deletions?
- Adopting DND (Do Not Disturb) as a solution to pesky calls and messages was a non-starter due to flawed logic and poor enforcement wherewithal. Whether you are on DND or not, there are unwanted calls and messages in dozens every day.
- Even while there was no mandate to link Aadhaar, many financial sector companies (banks, non-banking finance companies, insurers, card providers etc.) pressurized consumers to link the same and a large number of users complied.
- Many fintech companies have been rather indiscreet in using consumer data. Storing card data in spite of unchecking the box, snooping on customers visiting websites—all this puts the users at serious risk of their personal data being used for unknown/unstated purposes.
- There is also the issue of consumer data collected by one company being indiscriminately used by other group companies without the consent of the data subject. A similar situation arises after mergers and acquisitions where existing users are never asked about exchange of their data between the companies involved.
- Companies in many sectors use agents for getting subscription to their product and services. While the data is strictly meant for the Data Controller, it often finds its way into unscrupulous hands of Data Brokers, is sold for a pittance and gets enriched with granular details, which makes the scenario scarier.
- A majority of mobile users click the ‘I Agree’ button without knowledge of its implications, such as the use of data for purposes other than stated ones, sharing with third parties, analytics, collation of data from multiple sources including social media platforms, and profiling.
- In case of misuse of data by the company holding it or an intermediary, the redressal process is non-existent. The entire grievance redressal structure is designed to frustrate the complainants to such an extent that they give up. Needless to say, the odds are stacked heavily against the data subject.
Companies that comply with privacy laws will command a premium over their competitors as privacy compliance capability will be a significant competitive advantage
Data Controllers and Data Processors
This set comprises players with different profiles, presence, and business operations.
- Many India-based companies in the ITES sector serve global customers with offices across the globe. Those with a significant presence in the European Union, such as TCS4 and some others, were early birds on privacy and compliance with GDPR. They have comprehensive systems and processes in place to enable data subjects to exercise their rights, deal with data breaches, handle notice and consent, maintain records of processing activities, privacy risk management, cross border data transfers through contracts having standard contractual clauses as required by GDPR, data minimization, privacy by design etc. They have appointed Data Protection Officers (DPOs) as per GDPR requirements.
- Quite in contrast, companies with local operations in telecom, banking and the financial sector, media, retail, and other sectors, have been taking data subjects for granted—and with impunity—be it (mis)use of Aadhaar data, unauthorized linking of accounts, or data transfer/leakage to other agencies.
Data Protection Authority and Regulators
- Data Protection Authority (DPA) is a key stakeholder in the data privacy regime. Wherever it exists, it is tasked with multiple activities such as educating stakeholders, defining the rules of the game, building a privacy eco-system, investigating privacy related incidents, arbitrating cases, deciding on penalties, and so on. While there is a proposal to have a DPA in India, the Indian situation has to be considered while creating such an organization and defining its authority.
- Reserve Bank (central banks in general) is a key player wherever financial information is involved. RBI has mandated that all companies, which have any financial business such as payments banks, must localize data to India by setting up servers within the country.
- The government is an extremely important stakeholder in the privacy landscape. While the SC ruling has restricted the government’s authority on processing personal data, defining what is a reasonable requirement against what is excessive, is sine qua non for ensuring privacy as a fundamental right.
- Other stakeholders include privacy activists and pressure groups, industry bodies focusing on privacy as a subject or representing industries. Depending upon what they stand for and whom they represent, their role cannot be ignored. For example, Data Security Council of India (a NASSCOM outfit), has done a commendable job of bringing data privacy to the centre stage. Hopefully, in the coming few months, we will see more buzz and action around data privacy in India.
Data is not only the new oil but also a currency in the global economy, which puts it at risk of theft and misuse
Technology and data as a double-edged sword
While technology has helped automate taking consent, issuing privacy notices, and tracking data subject requests, will consent forms and privacy notices be made simple enough for data subjects from various sections of society to grasp and make an informed choice?
Data is not only the new oil but also a currency in the global economy, which puts it at risk of theft and misuse. At the same time, the possibilities of using data for human benefit are immense. The real challenge is to strike a balance between individual privacy and the extent to which technologies such as machine learning, artificial intelligence, automation, big data and analytics can be applied.
Culture and maturity of countries and regions
Many countries/regions in the developed world have long experience with data privacy. The EU had the 1995 Data Protection Directive, which guided discourse and decisions before GDPR became a law. Compared to that, data protection in India is at a rather nascent stage. The way EU residents value their ‘right to be forgotten’ is rooted in their long experience and the assumption that people should get a second chance and should the need arise, their past data must be erased.
The Business and Financial Imperatives
It is given that compliance to global privacy laws will increase the cost of doing business. An estimate5 indicates that the top Fortune 500 global corporations may spend in excess of USD7 billion to comply with GDPR, and many risks may still remain unaddressed due to lack of understanding or inadequate explanation of the law. A contrarian view is that this impact will be short term and companies that comply with privacy laws will command a premium over their competitors as compliance will be a competitive advantage.
The way forward to handle some of the issues raised above is tabulated in the below table.