INDIA CONSIDERING REGULATIONS TO REIN IN ITS FREE-FOR-ALL DATA MARKET
▶ The move is a necessity with rising internet use and digital ID system. Rebecca Bundhun reports from Mumbai
India is looking at enforcing strict data privacy laws, which will have huge implications for the use of personal information by global technology companies such as Facebook and Google, as well as Indian companies.
A committee led by retired Supreme Court judge BN Srikrishna at the end of July submitted a draft personal data protection bill to the government. Its recommendations include foreign technology companies storing data in India rather than overseas, setting up a regulatory body, and hefty penalties for those who fall foul of the law.
“In India, currently data privacy is not very stringent, so there have been a lot of companies which have been set up around data-based marketing because data is freely available in the market,” says Vikram Kotnis, the managing director of Amura Marketing Technologies, a digital marketing agency in Pune. “I think the data protection needs to come in from a consumer standpoint, but it will have far-reaching implications when it comes to a lot of companies.”
Under the data protection law, the implications of the recommendations are that “Google and Facebook will have to start moving all their data centres to India, so there may be a big boom in commercial real estate and data centres and there will be a spike in companies and jobs related to data storage”, he says.
India currently has little regulation in place regarding storage and personal information. This has become an issue given the rapid rise of smartphone and internet use in the country of more than 1.3 billion people.
The ever-expanding population in India using the internet at the end of 2017 stood at 481 million, an increase of more than 11 per cent from a year earlier, according a report by the Internet and Mobile Association of India and Kantar IMRB.
Amid the rapid rise of Indians moving online, experts explain it has been something of a free-for-all environment when it comes to many companies obtaining Indian citizens’ personal data.
“Given international developments like the changes made by the European Union to its data protection law, the General Data Protection Regulation (GDPR) and Facebook’s Cambridge Analytica fiasco, the need for a similar legislation like the GDPR in India seemed imminent,” says Rajesh Begur, the managing partner of Ara Law based in Mumbai. “The bill, to that extent, is one of the many developments towards making India a jurisdiction at the cusp of international best practices – while also being an important step aimed to enhance individual rights.”
GDPR is a European privacy law that was enforced in May and curbs targeted advertising.
There is still a need for more clarity and the bill is likely to undergo several changes before it becomes a law, says Mr Begur.
Google India declined to comment on the draft bill. A spokeswoman for Facebook in India said the company was “still studying the policy”. Facebook has more than 240 million users in India, making the country its largest market.
“One will have to see the final form and how it is legislated,” says Darshan Upadhyay, a partner at Economic Laws Practice, a law firm based in Mumbai. “However, as it now stands, several businesses including health care, telecom, banking, targeted marketing and several apps and search engines will have to modify the manner in which they collect, process and store personal data.”
Given the government’s ambitions to move more processes online under its Digital India initiative and increase the use of the biometric identification scheme, called Aadhaar, which most of the Indians are signed up to, it has become critical to look at protecting data.
“The recent news and claims on the compromise of the Aadhaar database from the servers and its partners has made citizens wary of the security of the biometric information they are providing to the government and has sparked privacy concerns,” says Rajpreet Kaur, a senior analyst at Gartner, a research and advisory company. “Also, the unscrupulous use of personal data and information by businesses that record and sell user information to various third parties has led to outrage among citizens about the protection of their personal information and privacy.”
She says “the fear of reputational risk” due to growing public fears about data loss and identity theft is “making organisations increasingly concerned about data privacy”.
Many business leaders, therefore, say it is a welcome move, which should restore confidence in companies.
Dushyant Jani, the chief executive of digital marketing company Mobclixs in Mumbai says, “I’m happy to see that this much needed regulation will institutionalise a standard process to follow while dealing with any form of data.”
Government bodies would also have to comply with the privacy law under the recommendations.
“In general, this shall make the organisations, whether government departments, public sector enterprises more responsible in their approach towards handling the data.” says Rana Gupta, the vice president of Apac sales, identity and data protection at Gemalto, which focuses on digital security.
It will ultimately be smaller companies dependent on easy access to data in India that will be the hardest hit. The likes of Facebook should be able to adapt given that they are already complying with such laws in other countries, analysts say.
“Companies like social networking websites, apps, process data for millions of users in India, often stored at remote servers,” says Rajdip Gupta, the managing director of Route Mobile, a cloud communication provider headquartered in Mumbai. “However, once the bill is passed, these companies will have to encrypt and store the data in India. Also, such companies may face difficulties while abiding by data localisation requirements, which is a challenging task. Apart from this, the infrastructure costs will increase, since data centres are more expensive to build and run taking into consideration factors such as high power costs, real estate.”
The potential introduction of new data protection regulations in Asia’s third largest economy could provide a dramatic boost to the cloud computing and data centre segments of India’s $160 billion (Dh588bn) IT sector, analysts say. India’s cloud computing industry, which reached $1.8bn in 2017 according to Gartner, could be one of the main beneficiary from the proposed law.
“This law will be particularly advantageous to cloud computing, internet service providers, data centres, IT infrastructure, and help them run at their optimal capacity,” says Mr Gupta. “Further investments would be spurred towards building more data centres and infrastructure.”
But there are others concerned about the bill.
The draft data protection bill “is catered more towards the needs of individuals, sidelining the excellent data mining that marketing and digital research companies such as ours can conduct with some of this data to deliver better results for their brands and the overall industry to move forward”, says Zafar Rais, the chief executive of MindShift Interactive, a digital marketing company.
His industry and business will be hampered, if the proposed measures come into effect. “Most players have been using data in India towards effective targeting and driving higher outreach, but things shall change towards making campaigns more costly, reduced outreach and a reduction in being able to data mine and build far more effective campaigns,” he says. “Smaller local tech companies I worry will incur additional costs and obstacles that could form deterrents towards their growth speed.”
Ultimately, when India does implement new data privacy laws, it will be how well those regulations are actually enforced that will be critical.
The bill is one of the many developments towards making India a jurisdiction at the cusp of global best practices RAJESH BEGUR Partner at Ara Law