As India inches closer towards enacting a law for data protection, an expert committee appointed by the government of India begins today its public consultation process for feedback before it drafts the law.

The committee of experts chaired by Justice B N Srikrishna will hold four public consultations, starting with one in New Delhi today and followed by Hyderabad (January 12), Bengaluru (13th), and Mumbai (23rd). Stakeholders interested in attending can register for the meeting.

We reached out to a few of India’s data privacy and information security experts to hear more about why India’s long awaited data protection law matters, the fault lines that the data protection framework will have to toe around, and their submissions to the 200-odd questions asked in the 233-page white paper.

India’s data protection framework is based on seven principles , which includes informed consent, data minimisation, and deterrent penalties. The summary for the white paper explores the scope and exceptions under the framework, raising questions on the definition of personal data, sensitive personal data, data controller, processor, and other aspects like cross border flow of data and data localisation.

It also asks questions around grounds for data processing, processing of sensitive personal data, and rights of individuals, such as the right to be forgotten. There are dozens of questions on accountability and enforcement models, codes of practice, and remedial measures, such as penalties and compensation for offences. For the TL;DR (too long, didn’t read) crowd, PRS Legislative Research has put out a one-page summary.

Why it’s needed, and why it matters

As the white paper notes, India needs a privacy law as the IT Act is limited in its applicability, and doesn’t take into account instances related to processing of personal data. “We needed it years ago,” Justice Srikrishna told FactorDaily in an earlier feature exploring India’s data protection law.

Despite having the CEO of the Unique Identity Authority of India Ajay Bhushan Pandey as a member of the committee, it notes public concerns and criticisms about Aadhaar, as the citizen ID project is called, as a “coercive collection of personal data by the State”. A five-judge Supreme Court constitutional bench is hearing pleas against the mandatory linking of Aadhaar with various services. The pleas argue such a move is against a citizen’s right to privacy, among other things.

Prasanth Sugathan, legal director at the Delhi-based, not-for-profit legal services organisation Software Freedom Law Centre (SFLC) says the 10-member committee lacked adequate representation from civil society. “Now that they are starting the consultation process, this is where the people can really get an edge,” he says, adding a caveat that the committee needs to ensure that it gets proper feedback and comments from stakeholders to questions on the white paper.

“The problem with the white paper is that it is so dense, to make a summary of the white paper itself is a task. To start a discussion, you need to have people with an understanding of the issues involved… for that, this white paper cannot be distributed,” he says. SFLC is working on its feedback and will be responding all the 200-odd questions asked in the white paper in another two weeks. The final deadline for submissions is January 31.

Sandesh Anand, a security professional who had earlier written about why India needs a cyber breach notification strategy shared his response to questions on private data breach notifications (Chapter IV, Part 2B). Biometric data leaks are the most dangerous category, as there’s no way to get a new fingerprint in the case your Aadhaar fingerprint leaks, he warns. “A larger debate is necessary on appropriate responses to incidents where biometrics are leaked. At this point, it appears that the best course of action would be to recommend moving away from biometrics as authentication information,” he writes.

“We need to ensure that the law is being framed in such a manner that we’re protected from interests of the corporate and various private entities as well as the government,” Sugathan says. A lot hinges on the notion of meaningful and informed consent, as most people give away their data without really understanding what is being done with their data. “Consent should be such that the person really understands what kind of consent he or she is giving,” he says.

The data protection framework white paper is pretty balanced at this point, and hasn’t taken a stance, says Shivangi Nadkarni, CEO and co-founder of Arrka, a Mumbai data advisory and consulting firm. Arrka published a privacy study on Indian smartphone apps in December, which found that a majority of them do not take explicit user consent, give a choice to opt out from giving personal information, or offer clarity on what happens to a user’s personal information after an app is deleted.

“If you look at countries with data protection laws, at one end of the spectrum is the EU-GDPR, which is pretty stringent and severe, and at the other end, you have the US, where they’re pretty laissez faire in terms of their approach,” Nadkarni says, echoing the consensus among privacy experts. The US has no single, comprehensive national law regulating the collection and use of personal data, while the EU’s GDPR (short for General Data Protection Regulation) regulations, which will come into effect on May 25 this year, includes hefty penalties for companies for non-compliance (fines of up to € 20 million or 4% of a company’s global revenues) and will require companies to report data breaches within 72 hours of discovery.

There are positives and negatives to both approaches, with the EU-GDPR overloading in terms of compliance requirements, stifling innovation on one hand, while the consumer loses out on the other hand, she says. “I do think in a country like ours, we need a balanced approach, a little bit of what I call danda (stick), and a little bit of carrot,” says Nadkarni. “We can’t be on either extreme. At the same time we have a huge population which is totally clueless, with no awareness of the data privacy implications,” she says.

From a business point of view, regulations could lead to more compliance costs. The data protection law could make it mandatory to appoint a data protection officer for certain classes of data controllers, for instance. Data localisation, where companies might be required to store and process data on servers located within national borders, could also drive up compliance costs, both for Indian and multinational companies operating in India. “Data localisation will be an extreme step as a means of ensuring privacy of citizen data. A better process would be to ensure that there are proper regulations in place to ensure that the data is protected,” SFLC’s Sugathan says.

The data protection law will surely have implications on India’s software development industry, which just about coming to terms with a culture of secure coding. As of now, very few organisations know the the difference between data security and privacy, says Nadkarni. “A lot of apps are developed using readymade libraries, most developers are not even sure of what is there in those libraries,” she says. “On your notice, you might say that we not using your data for advertising purposes, and then you find that data from your app is going out to advertisers through one of these libraries, and nobody is aware of this.”

---