The government can process even sensitive personal data without consent, for ‘functions of the state’.
Not so long ago, India summoned Facebook CEO Mark Zuckerberg after the Cambridge Analytica scandal broke, and now our lawmakers are set to frame a law that aims to protect our personal data. It will be the first piece of legislation meant specifically to protect the privacy and security of people online. It assumes greater significance after the apex court's landmark judgement that made the right to privacy a fundamental right. The draft is modelled on the GDPR, the General Data Protection Regulation that the European Union brought into force in May 2018. GDPR is the world's toughest online privacy law; so let us ask how good our law will be.
Firstly, there is not enough clarity on how companies will inform consumers of the specific data points they will collect and the end-use of each. The explicit process by which consumers give their consent to the harvesting of their personal data is also missing. This vacuum needs to be spelt out in greater detail, as the GDPR does (and from which much of the Bill has been lifted).
Secondly, every one of us has a "right to be forgotten"; essentially, it means that if at some point I no longer want my personal data to be harvested, there should be a clear roadmap for having it withdrawn and erased. If there isn't one, people's data keeps being used even after they have said they don't want it to be.
What happens when there is a breach? Yes, there are penalties, which I will come to in a bit, but who informs you that your data has been compromised? Someone should. Suppose a hacker gets access to thousands (or millions) of accounts and the personal information in them is stolen: who informs those account holders? And if the intrusion goes unnoticed, no one tells the data holder that her data has been hacked into and harvested. For any real protection of our data, this provision needs to change: a clear duty to detect breaches and notify the affected individuals will have a larger bearing on how we address breaches and penalties, and on putting in place a mechanism for swifter response to hacking.

On the related issue of penalties, the copy-paste job of lifting the GDPR provision (a fine of up to 4% of a company's turnover) needs to be revisited. It is too low and needs to be higher. This follows from today's economic reality that data is the new oil and the most precious resource companies have; slicing, dicing and harvesting data to one's advantage will make some companies and organisations gain (and become very rich) at consumers' expense. India houses a sixth of the world's people but accounts for a fourth of the world's data consumption. Obviously, India needs to take the lead in online privacy protection.
Another key concern is storing Indians' data locally, or data localisation. This is a concern that I feel has not been fully addressed, and more safeguards are needed. The fear is that if our data is stored overseas, not only will we have less control over it, we will also have limited to no recourse in case of a breach, since the matter will fall within multiple jurisdictions. It is for this very reason that the Reserve Bank of India, in its April 2018 notification, said that "all system providers shall ensure the entire data relating to payment systems operated by them are stored in a system only in India". This is a crucial clause, and many, like this author, assumed it would be a cornerstone of the legislation that is likely to be passed in the current winter session of Parliament. But that is not to be. The RBI's concern has been watered down: instead of requiring localisation, the draft Bill requires only that a copy of the data be kept in India while the data itself may be stored overseas. That is a climb-down that should be revisited once the Data Protection Authority is formed.
This brings us to the most controversial part of the Bill: whether the government has sweeping powers over the data of private citizens. While the draft Bill says consent will be at the heart of processing personal data, our data, it provides exemptions for the government, which can process even sensitive personal data without consent for "functions of the state". That is a sweeping power which many feel is bound to be misused. In fact, too many agencies will have too easy access to our data, which is again worrying.
Of course, corporates have concerns of their own, but I will not get into them, since they are secondary to the larger interests of individuals and the protection of their fundamental rights.
Even after the legislation is passed, I believe there will be a lot of grey areas, since only a broad framework will be made into law and the finer details will be left to the first regulator, the Data Protection Authority. While some of this may land on the regulator's desk, the larger issues will need political intervention. After all, we don't want legal loopholes to let the corporate sharks get away the next time we summon Mark Zuckerberg or Sundar Pichai. If we have made GDPR the backbone of our data protection policy, let us also ensure that the rules framed under it are just as tough.
Gaurie Dwivedi is a senior journalist covering economy, policy and politics.