The progress of public policy in India typically traverses a path through decadal milestones where generation next reforms are left for the next generation. In May 2010, in the run up to the introduction of Aadhaar, a committee of secretaries was set up to recommend a ‘Legal framework for data protection, security and privacy norms’.
The briefing note said: “The security and protection of personal data being collected by various government and private agencies is in question because of a gap in the law as there is no data protection legislation in India. India will need to start thinking about these issues in a comprehensive and systematic manner.” In 2020, a decade and more later — after a billion Aadhaar enrolments, committees and commissions, the Supreme Court judgment on privacy and a white paper — India continues to await a framework to protect data and ensure privacy of personable information.
Yes, there is a Section 43A of Information Technology Act which ensures private entities are liable to damages and payment of compensation. However, the definitions of data are narrow and the provisions not comprehensive. Aggravating the circumstance is the inadequacy of the redressal system and the complexities of data flows in a digital world landscape.
This could change if the government expedites the passage of The Personal Data Protection Bill 2019 — introduced in Parliament in December 2019 and pending with a joint committee of Parliament since — in the forthcoming winter session of Parliament. The Bill itself is not without problematic issues, particularly in the wide leeway afforded to the state, triggering comment on fears of an “Orwellian State” by Justice B N Srikrishna who chaired the committee which authored the White Paper.
The reference is about exemptions afforded to the government, at different levels, in Clause 12 to process data for national security purposes — for prevention, investigation and prosecution. There is also the vague legalese in exemptions for data fiduciaries to process data for “public purpose” without the consent of the data principal — that is, the citizen-user. Clearly, the process of review and appeal promised has not been convincing enough and leaves room for improvement. The fears are legitimate and the expectation is the joint committee will weigh upon the clauses.
More importantly, the government must allow a robust debate to ensure credibility and legitimacy. A nation aspiring for $5 trillion GDP in an increasingly digital world can scarcely afford the status quo. The yawning gap and the imperative for a law to protect personable data are best illustrated by context. In 2010, as per ITU data, India had roughly 90 million internet users. In 2020, it has has over 740 million registered internet users. And Indians engagement in the digital eco-system is spiralling. Over 320 million Indians are estimated to be on Facebook and over 400 million logged on to WhatsApp.
A recent report by Ericsson states data usage by Indians is expected to rise from 12 GB per month in 2019 to over 25 GB per month by 2025. Even by conservative estimates, over 120 million Indians are shopping online. RBI data shows since 2016 digital transactions rose five times to over 100 million daily and are expected to touch 1.5 billion transactions worth `15 trillion by 2025. The underlying data is vulnerable to breach as also being ported abroad for profit. Add the usage of Aadhaar for eKYC, the inter-linkages which enable government-to-people payments through the direct benefit transfer and the proposed digital framework for provision of health care.
The debate over which approach — the varying state laws in the US or EU’s General Data Protection Regulation — is best for data protection rests on context. The American approach is riveted by informed consent and the aggrieved can sue for breach. It is backed by a robust judicial system. The European model scaffolds privacy through top down compliance and rests on collective liability. Given the Indian context and the inadequacy of the judicial system, the bias for GDPR model is understandable. What matters is how the government can regulate and trim compliance costs so that innovation across public and private sector is not hurt.
The post-pandemic world is expected to see an acceleration of trends — embrace of technology for retrenchment of human interface across sectors. Reconfiguration of supply chains may see increased adoption of digitisation, and movement of skilled labour may be constrained by domestic policies of countries. The rising use of the AI, the thriving start-up culture, the opening up of agri markets, rising remote engagement on factory floors and back-offices present India an opportunity to leverage for growth.
The reality of India as a “data rich” economy is well-established. Harvesting the riches, leveraging data to propel growth calls for more than mere articulation in political commentary or in the Economic Survey. It calls for a road map of a law for protection of data followed by localisation — to enable Davids to reclaim rights from global data Goliaths — and its conversion into a force for public good.
Shankkar aiyAr
Author of The Gated Republic, Aadhaar: A Biometric History of India’s 12 Digit Revolution, and Accidental India shankkar.aiyar@gmail.com