Pri­vate Life in the Coun­try

Data pro­tec­tion laws are not enough. Pri­vate in­for­ma­tion of In­di­ans must be stored in In­dia

The Economic Times - - The Edit Page - Pawan Goyal

Ever since GoI man­dated link­ing Aadhaar to PAN (Per­ma­nent Ac­count Num­ber), there has been much de­bate about how the Unique Iden­ti­fi­ca­tion (UID) num­ber in­vades cit­i­zens’ pri­vacy. While there are valid con­cerns around Aadhaar data, the pri­vacy is­sues with data col­lected by per­va­sive dig­i­tal ser­vices are equally, if not more, im­por­tant.

It is hard to imag­ine a life with­out Google, What­sApp, Face­book, Uber and Ola, Flip­kart and Ama­zon, Net­flix, Paytm, et al. Th­ese ser­vices have made in­for­ma­tion ubiq­ui­tous, con­nected the world, and im­proved the qual­ity of life. How­ever, th­ese ser­vices also col­lect huge amount of data about every in­di­vid­ual who uses th­ese ser­vices. Your friends and rel­a­tives, your in­ti­mate con­ver­sa­tions, the places you visit, the amount of time you spend at dif­fer­ent lo­ca­tions, the things you buy, your in­ter­ests, your po­lit­i­cal views — all are pieces of data known to th­ese ser­vices.

If one puts all th­ese data to­gether, one can build a bet­ter pic­ture of an in­di­vid­ual then, per­haps the in­di­vid­ual him­self. Now imag­ine all this data of Indian cit­i­zens avail­able to, say, an in­tel­li­gence agency of a for­eign gov­ern­ment.

The pos­si­bil­i­ties of us­ing this data are end­less. If a pol­icy de­ci­sion is likely to be un­favourable for a coun­try, the agency can dig up dirt us­ing the dig­i­tal data on, say, a key pol­i­cy­maker, and make her change the de­ci­sion.

If a politi­cian or an in­dus­tri­al­ist is not favourably dis­posed to­wards a coun­try, the lat­ter can start tar­get­ing him with mes­sages to change his opin­ion. It can de­tect troop move­ment just based on lo­ca­tion data change of army­men, and ob­tain mil­i­tary in­tel­li­gence. Who needs spies when you have ac­cess to dig­i­tal data?

But Indian laws will pro­tect such in­for­ma­tion from for­eign in­tel­li­gence agen­cies and gov­ern­ments, right? Wrong. There is no law that pro­tects Indian cit­i­zens’ data get­ting into the hands of a for­eign en­tity. In fact, the USNa­tion­alSe­cu­ri­tyA­gency’sPRISM global in­ter­net sur­veil­lance pro­gramme col­lects ex­actly such in­for­ma­tion. So why do Indian laws not pro­vide pro­tec­tion against such ac­cess? The issue has to do with where the data is ‘res­i­dent’ (read: stored).

I Live Abroad, But on Server

Data is pro­tected un­der the laws of the land where it is stored. The data col­lected by the afore­men­tioned ser­vices are res­i­dent out­side In­dia, mostly in the US. Thus, US data pro­tec­tion laws ap­ply to them.

Th­ese laws re­strict US gov­ern­ment ac­cess to US cit­i­zens’ data. How­ever, no pro­tec­tion is af­forded to nonUS ci­ti­zen data. So, the US gov­ern­ment can have as much ac­cess as the ser­vice providers are will­ing — or di­rected by court — to pro­vide.

To al­lay pri­vacy con­cerns of the EU, the US passed the Ju­di­cial Re­dres­sal Act in 2015. This law pro­tects the pri­vacy of a ci­ti­zen of a coun­try, to a lim­ited ex­tent, if there is a treaty between the US and that coun­try. In­dia is not cov­ered in this Act. Fur­ther­more, the Don­ald Trump ad­min­is­tra­tion has weak­ened the pro­tec­tion of­fered un­der the Act.

So, what should GoI do to pro­tect its cit­i­zens’ data and keep it pri­vate? It needs to cre­ate data res­i­dency laws that man­date that ser­vices that store per­son­ally iden­ti­fi­able in­for­ma­tion should store them in In­dia so that the data re­mains un­der the ju­ris­dic­tion of Indian courts.

In April, At­tor­ney Gen­eral of In­dia Mukul Ro­hatgi promised to bring a data pro­tec­tion law by Oc­to­ber. That is great. But with­out data be­ing res­i­dent in In­dia, Indian pri­vacy laws will have lit­tle rel­e­vance for a vast ma­jor­ity of data col­lected on Indian cit­i­zens that re­sides out­side In­dia.

Data res­i­dency laws have al­ready been en­acted by Rus­sia and China. The EU is in the process of en­act­ing them. Bei­jing has an ad­di­tional draft law out for com­ment that will re­quire any for­eign-owned en­tity to cer­tify that any data taken out of China’s bor­ders will not im­pact na­tional se­cu­rity or in­ter­ests.

In­dia has taken lim­ited steps in this di­rec­tion. Any data that is part of any gov­ern­ment dig­i­tal ser­vice, such as Aadhaar, is man­dated to be res­i­dent in In­dia. It now needs to ex­tend the same reg­u­la­tion to pro­tect non­govern­ment-owned ci­ti­zen data.

One issue of­ten raised against data res­i­dency laws is that they will ma- ke it hard for new ser­vices to gain a foothold in a new coun­try. For ex­am­ple, if What­sApp was re­quired to have data res­i­dent in In­dia, due to costs, it may have never in­tro­duced the ser­vice here.

This issue can be ad­dressed by en­sur­ing that data res­i­dency laws come into ef­fect only once the ser­vice has a ma­te­rial num­ber of cit­i­zens us­ing it. So, ser­vices will in­cur in­creased costs of data res­i­dency only when they have reached a scale at which they can af­ford it.

Data is the New Weapon

Cur­rently, Indian agen­cies are at the mercy of for­eign agen­cies to get data of its own cit­i­zens. This isn’t de­sir­able from a se­cu­rity per­spec­tive. Indian agen­cies should be able to get ac­cess to ci­ti­zen data that is per­mis­si­ble by Indian laws.

The next war will not be phys­i­cal, it will be in cy­berspace, and data will be key weapons. We need to pro­tect our weapons, and pre­vent coloni­sa­tion — in what­ever seem­ingly be­nign form it may be at­tempted by for­eign pri­vate com­pa­nies or gov­ern­ments — all over again.

The writer is gen­eral man­ager in a soft­ware firm

For­tify your data

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.