This Analyst Note analyses the pros and cons of India's draft Data Protection Policy released on 27th July, 2018 and evaluates it in the larger context of evolving technologies and their impact, and with a global outlook.
The draft Data Protection Bill 2018 submitted by a 10-member committee to the Indian government on 27th July, 2018 is a great start in the right direction towards data privacy and regulation in India. What the bill managed to achieve superbly is:
- Define various terms such as Data, Personal Data, Sensitive Personal Data, Data Principal, Data Fiduciary, Processing, Profiling, etc., in a crisp and definitive manner
- Lay down penalties for offenders (mostly, business entities)
These two moves, in a bill that is trying to regulate an evolving ecosystem powered by technologies with seemingly infinite potential, bring some clarity and unambiguity.
We have evolved from the Industrial era through the Information age and are entering the Intelligence era. Data privacy, and the regulation it requires, is an identified need of the hour across the world. Every company is a data company – it either collects, needs, uses or generates data. Every individual consumer/citizen has attributes that can be labeled, identified, processed and profiled. Digital technologies, primarily led by Advanced Analytics, Machine Learning (ML) and Artificial Intelligence (AI), can generate tremendous value out of such attributes. And, like all technologies, these too can go overboard and turn disastrous if not contained within certain boundaries.
And, in this regard, the very first line of India’s Data Protection Bill – “Data privacy is a fundamental right of every citizen” – sets the context and empowers the individual. The bill goes on to charter a well thought-out framework, covering exhaustive touchpoints.
The bill does fall short in a couple of areas:
- Putting the onus of consent withdrawal and all associated legal costs on the individual, and
- Providing overarching powers to the state, without clearly defined boundaries or limitations
In the context of collation and usage by various entities, data has multiple forms – collected, compiled, derived, generated, profiled, etc. – and an average citizen is fairly under-educated on all these forms and their potential use. Considering how easy it is for various entities to seek consent (simply by enabling the click of a button over long, jargon-based forms), the state, at least in the early days, needs to protect the rights of the individual (Data Principal) and lessen the burden on him.
As for the second point of contention, although in isolation it sounds potentially abusive, the Indian state and its regulators have a history of handling such ambiguities with responsibility. In telecom, “Lawful Interception” requires service providers to capture all conversations, but the recordings are available only to certain state authorities and upholders of law, in specific circumstances and upon necessary approvals. Also, India is one of only nine countries around the world to release Net Neutrality regulations in its purest form (when even advanced countries such as the USA couldn’t uphold it). The state also gave its citizens the freedom to voice their concerns and impact positive change at a regulatory level when net neutrality was under threat. So, in the absence of examples of power abuse, it is probably a good idea to judge the state by its previous actions instead of the potential extreme extent of the word. Having said that, I expect the Data Protection Authority (an entity that is proposed to be set up to ensure various stakeholders process the data in line with the law) to come up with laws defining the boundaries of various entities including the state.
These are still early days of what can be achieved through data processing and analytics. For instance, the data a company like Google collated, processed and used 10 years ago is completely different from what it does today (intent and sentiment analysis), and it will be completely different 10 years hence. Google, with all its data collation and processing capabilities, only came out with its “Knowledge Graph” in 2012-13, and it is still very limited in its functionality. No other company has a fully functional Knowledge Graph as yet. In 10 years, at the pace at which AI and ML algorithms are advancing, Knowledge Graphs will be commonplace. In such a scenario, it is impractical and impossible to lay down an all-encompassing regulatory framework in the early evolutionary stages of the ecosystem. A restrictive framework can impede the growth and limit the potential of the ecosystem.
India’s Data Protection Bill closely follows and is in line with Europe’s GDPR. There exist multiple GDPR data protection frameworks designed and advocated by various entities, including large, global companies such as IBM and RSA, government departments of the UK and France, and numerous consulting firms. India’s iSPIRT has developed a Data Empowerment and Protection Architecture (DEPA) framework, which is a well thought-out design and set of guidelines. Going forward, just like in automobile pollution norms (wherein Europe set the precedent, but India’s Bharat Standards are the gold standard for the world), even in data privacy and protection, Indian entities have the opportunity to lead the world.
The current draft bill is a good start, and needs to be understood in a larger context considering the fluidity of the evolving ecosystem that it is trying to regulate. The bill does exactly what it is supposed to do – start a public and political debate on the subject of data collation, processing and privacy, and by extension, educate its citizens and lawmakers (hopefully, adequately). And, considering the upcoming elections next year and what the Facebook-Cambridge Analytica episode showed the world, all the Indian political parties (lawmakers) have a vested interest in conducting them in a fair manner. So, expect this debate to only get louder and stronger in the near future.
An edited version of this Analyst Note has been published as an Op-Ed in Moneycontrol on 31st July, 2018