Even as Indian politicians engage in a no-holds-barred fight over security of personal data in the custody of the government and political parties, a far more serious discussion is underway – away from the arc lights – on ensuring and enhancing the security of private data in India.
The political debate is partisan and ill-tempered and analysing it here will serve little purpose. Instead, we take a closer look at the issues involved and try to arrive at the best option for India.
At a time when protectionism in the US is reducing outsourcing opportunities across the world and particularly in India, the importance of ensuring data protection and privacy is gaining importance very rapidly. Since comparative advantage ceases to exist in a truly globalised world, companies are left with only their intellectual property as an advantage over their competitors.
And it is here that many large US and European companies have genuine concerns about the quality of data security and levels of privacy protection in India compared to the level of protection afforded by the UK’s Data Protection Act, for example. According to a Forrester Research Survey of 2013, 64 per cent of 99 large companies said they did not outsource really sensitive work across national borders out of privacy and data protection concerns.
And this, in turn, means a lost opportunity worth potentially hundreds of billions of dollars for banking, insurance and healthcare companies in the West and outsourced service providers in India.
Privacy has been a buzz word in India ever since the Narendra Modi government decided to make Aadhaar linkage mandatory for access to a host of government services. Aadhaar is a unique identity number issued to all Indian residents based on their biometric and demographic details, somewhat akin to the US social security number.
With billions of bits of individual data points being shared with government and other agencies, it follows that laws must be put in place to govern the use of this data and protect it from misuse.
At present, data protection in India is governed by the Information Technology Amended Act (ITAA) 2008 rather than specific and comprehensive data protection legislation. The provisions of this Act are considered loosely worded and fail to define sensitive data and as such leaves too many loopholes open.
The European Union (EU) is considered to have the most comprehensive data protection laws in the world. The protection of personal data is a fundamental right in the EU under Article 8 of the Charter of the Fundamental Rights of the European Union. The law states that in case of cross-border flow of information, an individual’s privacy and freedom should be maintained at all levels by processing such data in member states. Its Directive 95/46/EU on data protection says any individual whose data has been leaked is entitled to be paid compensation by the data controller.
The government has appointed a committee headed by Justice B.N. Srikrishna to suggest ways of framing such rules. The panel is expected to present its report in May, newspaper reports suggest. We must hope that this is not a missed opportunity.
India can claim the high moral ground by benchmarking its proposed privacy and data protection law against the EU regulation. This will give comfort to global investors in the US and the EU and encourage the outsourcing of work that has hitherto been considered too sensitive for cross-border transmission and processing.
The Indian Supreme Court, in a far-reaching judgment on August 24, 2017, has already declared privacy a fundamental right. So, any new law on data security will have to take this into account.
These two elements – the EU privacy template and the Supreme Court ruling – can form the basis of an Indian data protection regime that sets the standards globally. India must also give importance to implementation and monitoring, using cutting edge systems and highly trained personnel.
But given the Indian Prime Minister’s instinctive grasp over technology and his single-minded devotion to make India the flag-bearer of all the right things, there is hope that the law, whenever it comes, will satisfy even the most trenchant critics. That can only be good for India, its citizens, and global business.