Lacing the data shoe

India is the largest & fastest-growing market for digital consumers, heading toward 730 million internet users by the end of 2020, as projected by NITI Aayog. Indian mobile data users consumed 8.3 GB of data each month, had 1.2 billion mobile phone subscriptions and downloaded more than 12 billion apps in 2018 alone, proclaimed Amitabh Kant, CEO – NITI Aayog, in a Nov ’19 tweet.

While India leads the world in data consumption and app downloads, monetising the Indian internet user has been a massive challenge. This begs the question who is funding the creation and sustenance of all the apps we are downloading – is it our personal information? Few among us are aware of the extent to which we are permitting internet businesses to gather personal data and fewer still are aware of how these businesses are using our data.

The mainstreaming of technologies like machine learning, artificial intelligence and natural language processing has meant that businesses are able to monitor our every move on the internet and profile us based on our behaviour, preferences, spending patterns, etc. Several new internet-native business models have emerged. Some of which are predicated on selling our personal data for better ad-targeting, upselling products and services, etc. In fact, India alone has witnessed the emergence of over 1,000 start-ups working in machine learning, artificial intelligence.

Businesses across the board recognise the value of data. At an event around artificial intelligence that we had organised at our office, the founder of one of India’s largest AI assistance platform stated emphatically to the audience that a data analyst should be one of the first three people hired in ANY company starting up. Much like crude oil enabled the automotive revolution, data will enable the technological revolution. Clive Humby, the founder of Clubcard, said it best - Data is the new oil! It is the most useful resource of the 21^st century, and has tremendous monetary potential. But like every good story the data story has a dark side, which includes misuse, theft, fraud and breach of privacy. Cambridge Analytica, being the most popular cautionary tale of what can go wrong when data is misused. The need for a framework to protect personal information is evident, however one size doesn’t fit all in this case resulting in diverse policies across the globe.

Evolution of Data Protection Law globally and in India

Several countries over the years have tried to formulate a data protection regime suitable to their ethos. The EU has adopted an approach where personal privacy of an individual is the central pillar of the protection regime. The US being a laissez faire culture, has mainly focused on an individual's right to be left alone by the State and the restrictions are largely around personal information being processed by the Government. China, on the other hand has adopted a centrally dominant model focussing on aversion of national security risk. Each of these regimes is founded on each jurisdiction‘s understanding of the relationship between a citizen and the State in general.

India’s path to a personal data protection law has its roots in the Aadhar case, wherein a nine-judge Constitution bench ruled that the right to privacy is a fundamental right flowing from the right to life, individual dignity and personal liberty as well as other fundamental rights securing individual liberty under the Constitution. The Supreme Court recognised that ‘Privacy, in its simplest sense, allows each human being to be left alone in a core which is inviolable’. Taking this forward, B N SriKrishna Committee (constituted in 2017 to identify lapses in the extant framework) introduced the ‘right to be forgotten’ which provides the user a commanding tool. The Personal Data Protection Bill, 2019 (Bill) followed suit.

Evolution of Data protection law in India

Implementation and challenges:

The Bill is centred around the principle that informational privacy, is a right to autonomy and self-determination with respect to one‘s personal data. Digital companies now become “data fiduciaries” instead of being mere data collectors, where they assume responsibility for obtaining user permission for both initial collection and subsequent processing of user data. Social media intermediaries have been categorised as “significant data fiduciaries”, knowing they have a substantial impact on the electoral democracy, security of the State, public order or the sovereignty and integrity. A user now becomes a “data principal” enhancing the autonomy of individuals with regard to their personal data.

User consent: The Bill requires that a data fiduciary must provide a notice to a data principal before collecting their personal data and seek an explicit permission before processing their personal data. In doing so, it must explain the extent and the purpose of data collection, identity of the data fiduciary, source of such collection and also inform him about his right to withdraw consent. Explicit permission must also be obtained at each stage of subsequent data processing. Compliance with this provision could be tricky, because digital companies not only collect personal data, they also process that data bunched together with data collected from other principals to create new information that does not belong to the original data principal. Further, a lay man often cannot comprehend/ does not take the effort to understand what he is agreeing to when he consents to e-contracts – the Government must find a way to simplify such contracts.

Ownership of personal data: The Bill and logic both propose that an individual should be the owner of their own personal data. While simple in idea, this vision could impose a massive implementation burden for digital companies. Further, once data has been processed and new derived information has been created by a fiduciary, how does one ascertain ownership?

Data Portability: Fiduciaries now need to store sensitive and critical personal data on servers located in India. Sensitive personal data may be processed outside but must be retained in India. Critical personal data cannot be taken out of the country at all, even for processing. Digital companies currently operate in a seamless cyber world, where they mostly store and process their data wherever is economically most efficient. With this restriction, companies will now be forced to have adequate data storage systems in India, which may not go down well with the global tech companies.

State interest:  The Government and their public sector entities are exempt from the purview of the bill and can collect and process any form of personal data. Ideally, an individual should be entitled to make autonomous life choices free from interference of State and non-State actors. Unfettered data access to the State could lead to political surveillance and propaganda. This is a massive dilution of the individual’s right to privacy. On the other hand, one needs to be mindful that the Government would want some access for national security and governance reasons. It remains to be seen how the middle ground will be achieved here.

Compliance and enforcement:  The Bill proposes stringent compliances such as requirement to conduct an annual data audit by certified third parties and steep penalties for non-compliance or data breach or inaction by the fiduciary upon a data breach, reach up to INR 15 Crore or 4% of a company’s annual worldwide turnover for the preceding financial year, whichever is higher. Since there is no monetary threshold for qualifying as a data fiduciary, even small companies/ start-ups will have to bear this burden at par with multi-nationals.

Standout provisions:

Having laid out the obstacles in implementation, I do believe this a bold step for India in the right direction.

The right to be forgotten granted to data principals under the Bill is a very powerful one, enabling individuals to ask organisations to limit, delete or correct their personal information on the internet. This right to me is the hero of the Bill! It is in sync with the right to privacy upheld in the Puttaswamy case and establishes autonomy in it’s true sense.

Data localisation will help tremendously in easy access to data for investigation purposes and solve for jurisdictional complexities. While it may be a tough pill to swallow for global organisations, it will change the way privacy is perceived and practiced and will build a strong base for a ‘trustworthy’ digital India.

A national Data Protection Authority (DPA) is proposed to be established in India for the first time to ensure supervision and enforcement. It would be relevant for the DPA to collaborate with its counterparts across the globe to enforce some of the aspects of the Bill such as cross border data transfers and share some learnings through the journey. The transformative potential of the digital economy to improve lives in India and elsewhere, is seemingly limitless at this time. At the same time, the potential for discrimination, exclusion and harm is equally likely and needs to be protected for. The Bill is India’s first attempt to legislate data protection and the optimist in me believes it will do well for our country and its citizens.

In the words of Justice BN SriKrishna, ‘The data protection law will be like a new shoe, tight in the beginning but comfortable eventually’.