The conversation around data privacy seems incomplete without the mention of India. Touted to be the fastest growing economy, India has leapfrogged into growth, with digitisation being a leading factor of growth. With all the hype around digitisation, there has been a simultaneous focus on data privacy. India is at the front and centre of a new movement in data protection, as the state, the people and the judiciary are working together to provide data integrity to millions of Indians.
Amba Kak, in her role as policy advisor, works on developing Mozilla’s position on law and political developments pertaining to the Internet.
You were at Mozilla Fest. Tell us what the event is like and what is going to be addressed there.
There is a great energy about the event; it’s a place with people who love the Internet and all the good it brings. Specifically, about India, there is a lot of curiosity over the rapid pace of developments such as Aadhaar and the data privacy bill. India is also a massive Internet-driven economy, and other governments are looking at India for lessons on how they should regulate.
It has been an interesting year for data privacy—what is the ground reality in a country like India?
Things have moved fast, Even two years ago people would happily relegate privacy as an elite issue. It was easy to argue that developmental challenges were more important, and privacy was characterised as a hindrance to innovation. In the last couple of years, we are seeing a paradigm shift in the discourse surrounding data. In less than a year, we have a draft of a data protection bill. There is an urgency to address data integrity now, and all the stakeholders are taking it seriously.
What are the changes that have led to an enhanced awareness around data protection?
I believe three developments have led to this change. The first is Aadhaar—a technological innovation that has touched everyone in India and created a national level conversation around technology. Privacy has dominated this conversation, given that it is one of the largest data collection projects to date and created a database of sensitive biometrics. There are many legal challenges to Aadhaar on the grounds of privacy. Disagreeing with the government, the Supreme Court judges laid down that every individual was guaranteed a fundamental right to privacy. This was immediately followed by the push for a data protection law, and a public commitment from government that they would pass one soon.
The second major development is the GDPR, which was implemented for EU businesses in May 2018, has had global impact. The European Commission will only allow unrestricted data flows with Europe, if it has “adequate” data protection law. And it’s a high bar. For this reasons, many businesses are also in favour of clear rules to allow for unrestricted data transfers. Moreover, the Committee drafting India’s law has borrowed heavily from the lessons of the GDPR.
Thirdly, and this is what I’ve talked about at MozFest—the backlash in India over how global big technology platforms are exploiting the data of citizen’s at the expense of domestic industry and the State. This discussion includes whether data should be stored in India, and who should have access to it. It has national overtones to it, and what’s a bit concerning is the debate possibly devolving into a power equation—who controls the data? Should it be the private overseas companies or Indian entities? Or should it be the State? We risk losing sight of the individual whose privacy we’re trying to protect.
I believe consent is not entirely understood in India. With Internet traffic growing from rural and semi-urban pockets, how can the gap between user awareness and internet frequency be addressed?
Consent is a very hard problem world over. It’s unfair to frame it as a failing of users—if a user is given a convoluted privacy services where he has no other option but to agree to the terms and conditions to use the service, the consent isn’t meaningful. It’s unfair to berate the concept of consent. A real change is needed in the way services approach consent. It has to be granular, with opt-outs. Supposing a user provides consent to use a service for which a particular data point is needed, there should be an option to deny consent to data points that are not relevant to that particular service. Other changes include “just-in-time” notifications which give you choices about your data while you’re using a particular function of the app, rather than buried in a privacy policy.
Another interesting pain point to be observed is that most of these policies are only in English. We have to remember that there is a big push in Internet usage coming from India’s rural and semi-urban pockets where English isn’t the primary mode of communication. We need to be more creative—instructional videos instead of long-winding legal parlance or legal notices in regional languages on data protection should be made possible.
Finally, we need meaningful consent, but given these difficulties we need obligations on companies and government that should apply irrespective of what the user “chooses.”
What is the journey that India’s Personal Data Protection Bill needs to make to become a law?
In commendable time, a ten-member committee led by Justice Srikrishna was put together and a draft bill released within a year. Following the submission, India’s Ministry of Electronics and Information Technology ran its own consultation with the public. Now, reports are doing the rounds that the bill may even be introduced as early as the Winter Session of the Indian Parliament. Of course, whether the bill will be passed in Parliament is a whole other discussion but the fact that it has come this far in such a short span of time reflects how heated this discussion has become, and therefore a government priority
What are the major takeaways from this bill?
The bill is a compelling document, modelled heavily on Europe’s General Data Protection Regulation. While it elucidates specifics pertaining to processes involving retaining data privacy, there are some areas that are still unclear. One example would be the steps to enlist an agency. While the bill mentions there has to be a data protection regulator, it is still unclear how this agency will function? How will it remain independent from the government which related to what would their tenure and qualifications of the members will be? Given the speed at which the bill has taken shape, I believe the above questions should also be addressed as soon as possible because this is a critical issue, and clarity will go a long way in advocating the right and meaningful use of data.
Last month, the Apex Court upheld the constitutional validity of Aadhaar, striking down some of its contentious provisions on mandatory linking to services – in a significant move towards data protection, Your thoughts?
The fact that the SC has understood that unrestricted proliferation of Aadhaar was a growing surveillance and security concern is important. There has to be some sensible limits of the use of Aadhaar. Interestingly, the government argued that privacy concerns related to Aadhaar would be addressed by a strong data privacy law. That is yet to be seen, but it sets the baseline that a data protection law must apply to government and companies alike.
India has witnessed rapid digitization in the past decade but has cyber resistance grown at the same pace? If not, what can businesses do to catch up? Security is no longer an option for any credible service, it’s central to trust. Businesses today have either been affected by a cyber attack at some point or have had to liaise with companies that have suffered a data breach—both of which are not healthy for business in the long run. Companies have now recognised the need for a robust cyber infrastructure and investing in security measures. But the very problem of data breaches begs a larger question of how businesses approach data storage. The more data a company owns, the more risk the company is at. Which is why we get back to limits on collection of data in the first place, which is what a data protection law will hopefully address.
Tell us a little about your work at Mozilla and what the company is trying to achieve in the space of data privacy over the last year, there has been a heightened focus on advocating strong data protection. Mozilla is currently working on data protection advocacy not only in India, but Brazil, Kenya, and the US as well.
As a company, we don’t believe privacy and innovation are at odds with each other. In this heated debate where governments are pitted against big tech companies, we cannot forget the individual’s rights, which must be the foundation of any effort.