Take a fresh look:A data protection law must be people oriented

 There is a curious irony to the Government of India withdrawing the personal data protection bill in Parliament and stating instead that a “comprehensive legal framework” would be legislated shortly. When the Justice B.N. Srikrishna Committee was given the task of recommending a data protection law for India for the first time in 2017, the chairman and members of the Committee (I was a member) requested for a reasonable period of time for precisely the same reason — to recommend a framework that would take a holistic look at India’s digital economy, prevent regulatory overreach and protect privacy of citizens. That request was not heeded, not because time was of the essence but because in the governmental system, all deadlines are unthinkingly immediate, irrespective of the nature of the task.

As a result, the Committee, within the limited time offered to it, came up with a data protection legislation that promised a uniquely Indian approach to privacy and data protection — distinct from American way that protected individuals against the State but not as much against Big Tech, Chinese approaches which made individuals subservient to the State, as well as heavily regulatory European approaches like the General Data Protection Regulation, a goldmine for lawyers. Despite our best efforts, our recommended statute looked a bit like GDPR-lite, albeit with some uniquely Indian characteristics.

Over time, this version became heavy-handed, scarcely resembling the initial version that had been presented. The chief culprit of this was the Joint Parliamentary Committee that took two years to give its recommendations and presented a report that would imperil privacy, choke the digital economy and allow surveillance agencies wider latitude than they needed to do their job effectively. The demand that this matter go to the JPC was made by several groups which, perhaps a little too optimistically, felt that a bipartisan committee might better protect privacy than the government might. The JPC’s report, which includes in the long title of the bill the need for data protection “to ensure the interest and security of the state”, is a timely reminder to well-meaning activists and civil society groups that they must be careful what they wish for.

Handed such a befuddling report, confused in its concepts, vague in its recommendations, while at the same time voluminous in its opinions, the government appears justified in going back to the drawing board. Doing so gives it the opportunity of doing what might have been done five years back — consider the big picture of the digital universe in India. If that is indeed done, three distinct areas emerge for governmental action as part of a “comprehensive legal framework”.

First, there is an urgent need to protect children from online harm. It is unpardonable that with the withdrawal of the personal data protection bill, what technological companies can do with data of Indian children remains essentially unregulated. Children not only receive advertisements, but their behaviour can be tracked across websites and a detailed behavioural profile can be created. Further, plenty of inappropriate content is available on the internet for children without any warnings or restrictions. There is an urgent need to protect the personal data of Indian children from being mined for commercial gain.

Second, technology can play a critical role in promoting ease of living for citizens. While the government’s Jan Dhan-Aadhaar-Mobile record has been impressive, much more can be done to tap the potential of technology to improve lives. For example, despite JAM, property registration requires physical presence at the sub-registrar’s office together with the blackening of each of your fingers. The familiar rigmarole of providing physical photocopies of Aadhaar, PAN, Voter ID card plays out at otherwise well-functioning passport offices, even when requesting something as simple as change of address. To stop this, there needs to be a legislative mandate to use paperless, presence-less mechanisms whenever they are available. The promise of technology is understood by all, but behavioural change needs a strong legislative push.

Such a push is also needed because large amounts of non-personal data today lie untapped in silos within the government and the private sector. Imagine the utility of traffic data in the city of Bangalore to prioritise where the metro needs to be extended to in order to decongest the city. Or the evidence of particular kinds of disease in the population to decide which kind of medical specialist to send to a particular primary healthcare centre. The benefits of responsible processing of non-personal data are immense in facilitating ease of living. But this won’t happen unless there is a clear vision and legislative mandate to implement it.

Finally, with time, deliberation and consultation, India can also get the ‘fourth way’ privacy statute that the Srikrishna committee had aspired for. Much of its constituent elements are present — but in order to serve as a model for the Global South, a new data protection legislation needs to think in Gandhian terms of the last person in the queue — the face of the poorest citizens of the Global South — and how a data protection statute can help them access and navigate the intimidating world of the internet in an effective and safe manner.  If that isn’t incentive enough, then perhaps consider this — globally, maximum data will flow to those countries whose legislative regimes are either considered ‘adequate’ by the European Union or countries that have specific bilateral data-sharing arrangements. Such arrangements will not happen without a dedicated data protection legislation.

The time for specious arguments of not regulating data protection to incentivise startups, comfort Big Tech and the BPO industry is over. If India is to become a data leader of the Global South, it needs a package of laws that deal with data protection, children’s data and technology-enabled ease of living for Indian citizens. By withdrawing the personal data protection bill, the government has taken a good preliminary step. It must now follow up right.

Arghya Sengupta is Research Director, Vidhi Centre for Legal Polic

Source: The Telegraph, 17/08/22

Falling short: On data protection provisos

 It has been more than three years since a draft Bill on personal data protection was crafted by the Justice Srikrishna Committee of experts and submitted to the Ministry of Electronics and Information Technology in 2018. Two years since a Joint Parliamentary Committee was set up to scrutinise another version — the Personal Data Protection Bill (PDPB), 2019 — it was finally adopted by it on Monday. But as dissent notes submitted by some panel members from the Opposition point out, the draft falls short of the standards set by the Justice Srikrishna Committee to build a legal framework based on the landmark judgment, Justice K.S. Puttaswamy vs Union of India, on privacy. The key divergences from the Justice Srikrishna Committee’s draft Bill are in the selection of the chairperson and members of the Data Protection Authority (DPA) which shall protect the interests of data principals and the leeway provided to the Union government to exempt its agencies from the application of the Act. While the 2018 draft Bill allowed for judicial oversight, the 2019 Bill relies entirely on members of the executive government in the selection process for the DPA. In contrast to the 2018 Bill that allowed for exemptions to be granted to state institutions from acquiring informed consent from data principals or to process data in the case of matters relating only to the “security of the state” and also called for a law to provide for “parliamentary oversight and judicial approval of non-consensual access to personal data”, the 2019 Bill adds “public order” as a reason to exempt an agency of the Government from the Act, besides only providing for those reasons to be recorded in writing.

As JPC member from the Rajya Sabha, the Congress’s Jairam Ramesh, rightly mentions in his dissent note, the “government must always comply with the Bill’s requirement of fair and reasonable processing and implementing the necessary safeguards”, which requires that the exemptions granted in writing should at least be tabled in both Houses of Parliament; but that was not accepted by the JPC. His note also points out to the dangers of exemption on the grounds of “public order” as it is susceptible to misuse and not limited to “security of the state” which is recognised by other data regulations such as Europe’s General Data Protection Regulation as a viable reason for exemption. In October 2021, the Global Privacy Assembly, featuring Privacy Commissioners from over 19 countries including those from the European Union, Japan and the U.K., came up with a clear resolution on principles for government access to personal data. In its resolution, the Assembly asked for a set of principles on legal basis, the need for clear and precise rules, proportionality and transparency, data subject rights, independent oversight, and effective remedies and redress to the individuals affected. As the JPC’s adoption of the draft Bill and the dissent notes appended to it suggest, it has fallen short of standards protecting privacy rights of individuals against blanket misuse by the state. It is now the task of Parliament to tighten the provisions further and bring them in conformance with the 2018 Bill.

Source: The Hindu, 23/11/21

Data can be an asset for governance, growth and public welfare

 Data is a critical component for measurable and actionable governance and policy perspectives, as well as for triggering innovation and growth. Data to enhance ease of living and efficiency has been addressed through several Government of India initiatives, including the Jan Dhan-Aadhaar-Mobile or JAM trinity, the Open Government Data Platform of India, and the National Judicial Data Grid.

The report by the Committee of Experts on Non-Personal Data Governance Framework, led by the ministry of electronics and information technology (NPD Report), and the Data Empowerment and Protection Architecture (DEPA) paper released by NITI Aayog have built on the concept of data’s benefits. Data as a beneficial good is also covered in the Economic Survey 2019, which proposed that data gathered by governments on issues of social interest ought to be democratised in the interest of social welfare, or made a public good.

The DEPA paper states how the architecture “flows from the Centre’s overarching position that data is primarily an economic good”. Its key goal is empowering individuals with control over their personal data, through a robust and dynamic regulatory, legislative, and institutional framework, supported by technology design for secure data-sharing. DEPA involves regulators across banking, securities, insurance, and pensions — namely, RBI, SEBI, IRDAI, PFRDA and the ministry of finance coming together.The DEPA platform’s availability as a public good allows market players across the financial and technology ecosystems as well as new entrepreneurs to have the chance to leverage and build on this digital platform. As the paper states, the problem is not that companies are benefiting from the data of individuals; the problem is that individuals and small firms do not benefit. The consent process of DEPA merits special mention, since it takes care of many of the potential concerns.

Data, especially non-personal data, is a vital component for elevating transparency and good governance. The NPD Reportemphasises its importance from a public good perspective. At the intersection of big data and good governance, access to current big data sets also helps provide opportunities to quickly address issues in new technology-led solutions. The report lucidly sets out the “why” and to a large extent, the “how” to accomplish maximum benefit, with enough flexibility within, to accommodate and dynamically adjust to the ground realities from the legal, regulatory, and design principle components. When weighing the risks and rewards of using big data sets for good governance, what needs to remain contextual is that adequate protections are being afforded to the community and individuals. The utility of raw/factual data sets comprising anonymised user information data that is collected is also crucial. The data sharing purpose is extremely relevant for policy on governance.

The recommendation that India should specify a new class of data at a national level, namely data of special public interest or high-value datasets, while also progressively identifying other priority sectors is important. Also insightful is the emphasis on the need for high quality India-relevant data sets in public good sectors to build on Artificial Intelligence and Machine Learning systems. Meta-data-sharing too will spur innovation on an unprecedented scale and also promote and encourage the development of domestic industry and startups that can scale their data businesses.

To ensure optimum governance outcomes, access to and utilisation of big data is going to be key. This will benefit Indian society from an ease of living perspective. It will also spur the overall achievement of ease of doing business along with world-leading innovation in India. This is what is contemplated by both DEPA and at a more macro-level, the NPD framework. These are important initiatives in this rapidly evolving landscape.

Amitabh Kant is CEO and Desh Gaurav Sekhri Is OSD, NITI Aayog

Source: Hindustan Times, 12/01/21

Data science is the new age engineering

With data and AI becoming the fuel for companies, demand for data science skills is growing exponentially

Many don’t understand what data science is, often mistaking it for data entry, database administrator or a similar entry-level job. Humans have learnt to use oil effectively by refining it. Data science is the ‘refining of data’ to make it useful, and unlike oil, every company needs to use data to solve complex issues. Consider the case of the new coronavirus. Using data science techniques, one can sift through massive volumes of data to detect and monitor the spread of this highly contagious virus. Companies like BlueDot, an AI startup, have developed a software that could determine the chances of disease occurrence. Data science started off as a tool used by banks to detect fraud but is now being used worldwide in areas such as internet search, health care, speech recognition, image recognition and even airline routing. “Data science is the present and the future of mankind and has the potential to revolutionise the way our life is organised today,” said Dr Abhijit Dasgupta, director of the Bachelor of Data Science program at SP Jain School of Global Management. This statement defines the way data science has evolved — as a lucrative and high-growth career option for youngsters. Big Data Analytics has already established its position as a pre-requisite for formulating effective and insightful business and communications strategies. For three years in a row, the role of a data scientist has been named the number one job in the US by Glassdoor. According to a report by the US Bureau of Labour Statistics, the rise of data science needs will create roughly 11.5 million job openings by 2026. The World Economic Forum predicts that by 2022, data scientists and analysts will become the number one emerging role in the world. Data science experts are needed in virtually every job sector, not just technology. In fact, five of the world’s biggest tech companies — Google, Amazon, Apple, Microsoft, and Facebook — contributing to over 52 per cent of the world’s market capitalisation globally, are the biggest employers of data scientists and engineers. According to Glassdoor, in February 2020, the base pay for data science professionals touched an all-time high of AU$114,000 in Australia (average salaries were reported to be between AU$90,000 and AU$200,000 for a data science graduate vis-à-vis AU$40,000 – AU$60,000 for business graduates). In the US, the average data scientist salary is US$113,000, according to Glassdoor. With the demand of data scientists showing no immediate signs of slowing down, salaries for this position will continue to remain high, especially for those who have a degree in data science or related fields.

Source: Economic Times, 17/03/2020

Let’s focus on broadening scope of data collection to make statistical system more comprehensive

Volatility of oil prices and structural changes in the economy make the forecasting of inflation and GDP a difficult job indeed. However, we should supplement our existing measurement practices with “big data” to make our statistical system robust.

Last week was not kind to global markets as fears of the coronavirus turning into a world-wide pandemic affected markets adversely, India included (it was also impacted by news of Yes Bank). During all this, the latest GDP data witnessed significant revisions that have gone largely unnoticed. In the last few years there has been a lot of noise regarding the data revisions. While part of it requires closer examination, we must be fair to our statistical system as such revisions are, in large part, due diligence and happen globally.

Let us first look at the history of GDP data revisions. The first table shows the extent of GDP data revisions since FY15, when the new series was introduced. The first column in the table explains the simultaneous revisions that have taken place over the years. The NSO releases the first estimates of any fiscal year in January, revises it in February and then again in May.

Simultaneously, it revises the previous year estimates in February, alongside the February data release. The primary criticism, apparently, with the current year’s fiscal data is that the revisions in February for 2019-20 and the 4th revision in 2018-19 are almost identical, implying that the sanctity of 5 per cent growth was statistically protected.

Let us examine, based purely on data, the criticism of such revisions. First, there is precedence to the first and second quarter revisions for the current financial year that happen in February. For example, while in the current fiscal, the cumulative downward revision was close to Rs 30,000 crore, in FY19, there was even a greater upward revision of roughly Rs 86,000 crore in February.

Second, is there precedence of such large first-time revisions? Yes, there has been since 2014-15. In 2018-19, the first-time data was revised by a sharp Rs 1.43 lakh crore, while in 2017-18, it was revised by an even larger Rs 1.69 lakh crore.

Third, the simultaneous revisions are mostly in the same direction, though different in magnitude, and hence it is unfair to say that the 2018-19 data was revised downwards to protect the 2019-20 numbers.

The problem has been that the global and domestic uncertainties in 2017-18 and 2018-19 have been so swift that it has been virtually impossible to predict the outcome initially. While in 2017-18, the final estimates were progressively higher, in 2018-19, while the interim estimates were higher, they wereWe would like to point out here the example of US Fed that had also missed the possibility of the US economy bouncing back in 2018 on the back of tax cuts when in 2015 it had projected the economy to expand by only 2 per cent, only to change it to 3 per cent in 2018 (almost at par with scale of revisions in India).

It is common for such unconditional bias to arise due to the fact that the statistical reporting agency produces releases according to an asymmetric loss function. For example, there may be a preference for an optimistic/pessimistic release in the first stage, followed by a more pessimistic/optimistic one in the later stage. Intuitively, one might argue that the cost of a downward readjustment of the preliminary data is higher than the cost of an upward adjustment. This asymmetric loss function is not so relevant at the reporting stage, but at the forecasting stage. A statistical reporting agency like the NSO simply does not have all the data at hand and has to forecast the values of the yet to be collected data. It is at that moment that the asymmetric loss function comes into play. So, we must be careful about interpreting data revisions by the NSO by attributing ulterior motives as we more often tend to do.

However, we must also add that unlike countries across the world, India is still significantly lagging in its use of data analysis. Some of the current methodology of data collection is based mostly on thin surveys and is not supported by data available in the public domain that are more comprehensive, less biased and real-time in nature, based on digital footprints. The end result is that we end up publishing survey results that are misleading.

Thus, we must develop an ecosystem that is high quality, timely and accessible. Big data and artificial intelligence are key elements in such a process. Big data helps acquire real-time information at a granular level and makes data more accessible, scalable and fine-tuned.

For example, a US inflation report released in April 2019 offered an interesting take on how the use of big data was revolutionising data collection. Instead of sending people out to stores to check prices, as it has done for decades (and also practised in India), the US Bureau of Labour Statistics gathered data for the price of apparels directly from a big department store. With the switch, the largest monthly drop in apparel prices on record was witnessed. In similar vein, for India, the inclusion of items available for online sale could even further compress the headline consumer price index. drastically scaled down later as the impact of the NBFC crisis began to unfold.

The use of payments data can also help track economic activity, as is being done in Italy. Different aggregates of the payment system in Italy, jointly with other indicators, are usually adopted in GDP forecasting, and can provide additional information content. Using a similar corollary for India, proper use of GST data will reveal the sectors that are giving maximum revenue, that are showing month-on-month increase, and can help make predictions of net revenue growth, while also helping in fraud detection. Further, as India is a consumption-oriented economy, we must explore measuring GDP using the GST data.

In India, currently survey results are giving contrasting results. For example, the weighting pattern of food items in CPI at 45.86 per cent is based on the 2011-12 consumer expenditure survey (CES). This is significantly different from the share of food and beverages (27.6 per cent) in the private final consumption expenditure (PFCE) published by the national account statistics (NAS). If we approximate the CPI with the NAS food weights, the headline CPI drops to 7.6 per cent from 5.5 per cent in the latest inflation print.

Recent independent research also shows significant divergence between the consumer price index for industrial workers and the consumer price index (urban) in recent times, when in terms of the composition of the basket and the target population, the two are quite similar.

But to be fair to both the RBI and the NSO, the volatility of oil prices and structural changes in the economy make the forecasting of inflation and GDP a difficult job indeed. however, we should supplement our existing measurement practices with “big data” to make our statistical system more comprehensive and robust.

This article first appeared in the print edition on March 9, 2020 under the title ‘Don’t blame it on NSO’. 

Source: Indian Express, 9/03/2020

Notice, consent, privacy: Why we need to do better

A user’s interaction with privacy policies faces many blocks. The most basic is the barrier of accessibility.

Most people do not read privacy policies. Those who have tried would testify that these documents can be pretty hard to understand. Running into several pages that are filled with legal jargon and unexplained phrases, the main purpose seems to be to protect the company from legal liability rather than genuinely informing the consumer. We discuss this in a recent paper co-authored with Rishab Bailey, Faiza Rahman and Renuka Sane at the National Institute of Public Finance and Policy.

We conducted a quiz to test how well urban, English-speaking, college going students understand the policies of five popular tech companies - Flipkart, Google, Paytm, Uber and Whatsapp. The short answer? Not very well. The students scored an average of 5.3 out of 10, faring the worst in areas where the policy terms were unclear or required the reader to make their own inferences.

The right to informational privacy implies that, at the very least, every individual should be able to determine who can use her personal information and for what purpose. Moreover, these interactions must take place in an ecosystem that recognises the power and information asymmetry between the parties, and has sufficient safeguards to protect the individual’s interests.

One way in which most data protection frameworks, including the one currently under consideration in India, try to achieve this is by resorting to the “notice and consent” regime. This framework regards individuals as pragmatic actors, who are capable of weighing the pros and cons of the options available to them and pursuing their best interests. Entities that seek to collect and use personal data are therefore tasked with the duty to provide adequate and meaningful “notice” to users. Armed with this information, users can then choose to grant their “informed consent”, which becomes the basis for processing of their data.

Each time a person clicks the “I agree” button she has presumably conducted a reasoned tradeoff between her desired level of privacy and the value being derived from the service in question. This would assume that each Uber user understands that the policy is worded broadly enough to allow the company to track her location at all times. Similarly, all Gmail users are comfortable with their emails being scanned for producing targeted advertisements.

In reality, however, a user’s interaction with privacy policies faces many stumbling blocks. The first, and most basic, is the barrier of accessibility. Almost none of the privacy policies are available in languages other than English. Of the companies we studied, only Google provided its privacy policy in multiple Indian languages. This is clearly not optimum in a country where only a fraction of the population is able to read and understand English.

Second, the construction of sentences and phrases in most policies is of a level that requires advanced comprehension skills. Using the Flesch-Kincaid readability score we found that all of the selected policies had scores ranging from 16 to 41, which correspond with graduate level reading skills. To put this in perspective, only about 8.2 percent of India’s above 15 population has an education level of graduate and above.

The third concern arises from the sheer volume of the transactions that take place in the digital economy and the big data analytics emerging from that. As per App Annie’s State of the Mobile Report, an average Indian smartphone user has about 70 apps on her phone. Spending even half an hour reading each policy would translate to about 35 hours of reading time. Add to this all the other daily interactions involving the processing of one’s personal data, and the impracticality of expecting a user to go through all the policies becomes evident.

Finally, even if a “model consumer” were to read and absorb every term, it would not change the fact that the user still lacks any real bargaining power vis-a-vis the provider. In markets with a handful of dominant players, the only options are to either accept the terms set out by the provider or not use the service at all.

The culmination of these factors has led many to argue that “consent” can no longer serve as a legitimate basis for the processing of personal data. Yet, for many others, the idea of consent is so deeply rooted in individual autonomy and liberty that doing away with it would require a fundamental rethink of how we understand the right to privacy. The middle-path perhaps lies in building a robust set of data protection principles and accountability mechanisms, which would apply irrespective of whether the user’s consent has been obtained. To some extent, the draft Personal Data Protection Bill also tries to achieve this, even though it retains a central role for consent. At the same time, we need privacy policies to be better drafted and designed, keeping in mind the differential needs of different categories of Indian users.

Consent in the digital world will never be perfect but we cannot stop trying to make it as meaningful as possible.

Smriti Parsheera is a fellow at the National Institute of Public Finance and Policy (NIPFP). This is based on a NIPFP Working Paper titled “Disclosures in privacy policies: Does “notice and consent” work?”

Source: Hindustan Times, 21/08/2019

Data is wealth. India must protect it

Our data bill, carrying European-style protections and penalties, is a step in the right direction

Data is the oil of today’s digital age, in which every individual, through Internet activity, leaves a footprint of personal information, which is controlled by others. In fact, just like oil in the past century, data is now the most valuable resource in the world — an engine of growth and change. Akin to uranium, data is a game changer. But like oil or uranium, data must be processed to create something of value.

How data is processed and stored carries major implications for national and international security. Hacking and theft of critical data is central to cyber-espionage.

The global “data economy” is dominated by a few tech titans like Alphabet (Google’s parent company), Amazon, Apple, Facebook and Microsoft. These giants vacuum up vast troves of data that help build a digital profile of every individual, including the person’s preferences, foibles and secrets. Data collection can reveal as much about a person as government surveillance, if not more.

Today’s “data brokers” are financially incentivised to collect and monetise personal data of people all over the world. The collected data, however, is used not just for business purposes. Nor does it stay in the private sector alone. Thanks to Edward Snowden and other revelations, we know that the United States government employs several tools to acquire data from the Internet giants. And through its National Security Agency, it directly accesses the systems of Google, Facebook, Apple and others. America’s massive databases arm it with an Orwellian capacity to track digital footprints and personal information of individuals, both Americans and those overseas, including decision-makers. In fact, the 2015 US Cybersecurity Information Sharing Act has essentially legalised all forms of government and corporate spying. This serves as a reminder that the Internet, although a major boon that we cannot live without, facilitates surveillance.

It is paradoxical that those in India who raised a hullabaloo about how the digital-identity Aadhaar system threatens privacy, are mute on the larger and more fundamental issue — the monopolistic control of the most powerful tech companies on the data of all, including Indians. It is as if they believe that Aadhaar, aimed at turning parts of India’s data economy into public infrastructure for doling out subsidies and deterring fake identities, is more dangerous than the expansive data vaults of the global tech giants.

There has been little debate in India on the government’s Personal Data Protection Bill, which seeks to take data back from the global behemoths by granting Indians protection rights and mandating local storage. Not surprisingly, the bill has come under withering attack from the giants and the US government, which is wielding the threat of a Section 301 investigation against India on this and other trade-related issues.

A handful of companies’ data hegemony is raising security concerns not just in India. Many Americans, concerned about unchecked privacy intrusions, are calling for guardrails to data. Europe’s 2018 General Data Protection Regulation enforces tough data privacy rules. Google has faced huge fines in Europe for abusing its data power. France recently imposed a 3% tax on digital transactions, and Italy is following suit. If India and other countries emulated their example, billions of dollars could shift from US tech companies to local economies.

Let’s face it: The Internet is not a competitive, free-market place but an oligopoly, with Google dominating search, Apple and Google controlling mobile, Facebook ruling the social media and Amazon dominating e-commerce. Worse still, these behemoths are relatively opaque when it comes to data collection and retention policies. Their data collection is no less intrusive than government surveillance.

Against this background, India’s data bill, carrying European-style protections and penalties for data privacy breaches, is a step in the right direction. After India’s Supreme Court held that privacy is a fundamental right, the Srikrishna Committee helped draft this bill. Unfortunately, the government, while getting a record 28 new bills passed in Parliament’s recently-concluded session, held back the long-pending data bill to consider changes that could satisfy the US. The bill’s dilution could seriously hobble its purpose.

By opposing India’s move to localise data storage, the tech giants wish to remain unfettered to collect and utilise data opaquely. Their message to India is “trust us”. But as Ronald Reagan said, “Trust, but verify”. A few extraordinarily powerful corporations, with oligopolistic control of sensitive data and US government backing, should not be allowed to influence the provisions of Indian legislation.

Requiring multinational corporations to respect privacy and to store data locally is not about limiting their ability to make money. It is about shielding data through legislative protections that compel these firms to correct their practices. India must seek to loosen their grip over data by mandating greater transparency and imposing limitations on the processing and sharing of personal and sensitive data.

Make no mistake: Like European colonialism in the past three centuries, data imperialism could have serious, lasting consequences.

Source: Hindustan Times, 19/08/2019

Implications of data mirroring

It remains to be seen whether such a policy will backfire when it comes to the potential threat of data colonialism

Data is the new oil and a driver of growth and change. Indeed, India is a supposed to become data rich before becoming economically rich. This digital growth is being pushed by large foreign digital companies. They are largely fuelled by the data of their users. And they are being welcomed by the establishment as is evident by the visits of the prime minister and Union information technology minister to Silicon Valley over the past few years as part of the Digital India campaign.

Important sectors such as e-commerce, social media, digital entertainment, online communication, and information and communication technology (ICT) hardware in India are predominantly served by foreign companies, or domestic companies funded by foreign capital.

Indian users today are accessing digital technology-driven services not only within India’s national boundaries, but also outside its jurisdiction. Consequently, these foreign service providers are free to process the personal data of millions of Indians within their own shores. The advancement of digital tools and technology in areas such as artificial intelligence (AI), has enabled them to monitor and profile user behaviour, preferences and even daily routines, granting them the potential power to influence their decisions through targeted communications.

Many experts have been ringing the alarm bells for the past few years, warning the government of digital colonialism by such companies. Data is now considered a strategic asset by many, and data driven network effects coupled with user feedback loops have given first mover advantage to the more developed western world. The data processed by these companies is not only used offshore to track and profile users, but is also fed as fuel into modern technologies like AI and the Internet of Things (IoT), which are touted to be the drivers of modern manufacturing, service delivery and governance. Perhaps that’s why it is Silicon Valley that is expected to lead the way in researching, implementing and controlling digital technologies, earning it the reputation of being the new Rome.

Recognising the gravity of the issue, the Srikrishna committee in its draft data protection bill has rightly observed that the freedom to share personal data in the digital economy works selectively in the interests of certain countries that have been early movers. These countries can support a completely open digital economy without any detriment to their national interests by virtue of their technological advancement. It goes on to state that popular websites owned by foreign entities refuse to provide data to Indian law enforcement agencies in many instances. It has also flagged other related critical issues in the realm of personal data protection and data sovereignty, such as preventing foreign surveillance and fostering AI in India, all of which need to be addressed.

However, it remains to be seen whether the bill will backfire with respect to the potential threat of data colonialism.

The path recommended by the committee to accomplish the feat is mandating local storage of a copy of user’s data, or data mirroring, something which has not gone down well with its critics. Contemporary public discourse interprets digital colonialism as a large global economy wherein small local players are left out. It has also been argued by industry players, academia and consumer groups that mandating data mirroring will raise entry barriers in the Indian market and adversely impact a variety of smaller domestic stakeholders, such as start-ups and micro, small and medium enterprises .

Valid concerns in this regard are based on the premise that large foreign companies will be able to mobilise the requisite resources to invest in setting up their data centres (DCs) within India, though the same may not be possible for smaller domestic companies. The possible enhanced costs of setting up or renting such infrastructure along with the non-availability of cheaper foreign cloud services may affect their business interests. It may also impact their access to the use of the latest technology.

Such entry barriers, coupled with fears of potential long-term adverse impact on innovation and economic growth, may deepen the existing issues of monopolisation of data and the digital economy, leading to enhanced risks of digital colonialism.

Though with the right intention, it seems that the committee has taken the most obvious path to achieve data sovereignty without exploring other and possibly better alternatives.

The observation of the committee must be treated as a recommendation—one that should be judged from the perspective of India having to carefully balance the possible benefits of localisation with the costs involved in mandating such a policy.

Accordingly, there is a need to do a regulatory impact assessment or cost-benefit analysis (CBA) of the proposed data mirroring mandate before its enactment and implementation. This need is further exacerbated considering the committee’s observation that there was no conclusive evidence presented to them demonstrating a CBA on the above arguments and counter-arguments.

This effectively means that though a draft law has been formulated, it is yet to be determined whether data mirroring will do more harm than good.

Source: Livemint epaper, 21/09/2018