The Indian Government has released a paper to address the inadequacies in data protection and privacy legislation, proposing some ‘interesting’ exemptions, to leave the matrix open to abuse.
The purpose of the paper is simple; assess an area of the Indian digital economy which is under-developed, and make the relevant recommendations. It is an investigation which has been burrowing away for months, and follows a global reaction to some very public data abuses. The report is adequately timed, and should provide a framework to protect the Indian consumer as the world becomes increasingly connected. That is the theory of course.
As you would expect, there are some very good things in the report. There are restrictions of what personal information can be gathered by the internet companies, large and small, while justification needs to be present. It seems the purpose is to address the wild-west approach to the data economy across the country, with information being collected for ‘clear, specific and lawful’ purposes. Like GDPR in the European markets, it seems the purpose to provide some restrictions of the free-flowing and potentially-abusive relationship between the internet giants and the consumer.
Other interesting aspects include the right to be forgotten, perhaps giving the consumer more ownership over their own personal information, explicit opt-in consent for certain categories of data (that which is deemed sensitive), and also data localisation. The investigators do seem to have leant on lessons learned in Europe with GDPR, but then localization laws could be deemed a bit more nefarious.
This is the suspect part of the report; there seem to be a number of exemptions to any potential new laws for government agencies and offices. Data maybe processed without consent or knowledge if this is considered necessary for any function of Parliament or the State. The language is hazy and ill-defined, allowing plenty of wiggle-room. The whole situation creates an opportunity for abuse, and we have seen on numerous occasions around the world, governments can rarely be trusted to act without accountability.
Lazy definitions and localised data residency will leave some of the larger players in the digital economy in an dubious position. Resistance to requests for information, or appeals to courts, would have to be made locally in India. Some interest companies can resist government requests due to the way data is stored, think about Microsoft’s battle with the US government over information stored on one of its Irish servers, theoretically adding an extra layer of protection to the consumer. This set up would potentially leave the Indian consumer quite open to abuse.
For Save Our Privacy, an Indian data protection advocacy group, poor definitions and guidance are not the only concerns; Indian spooks are getting too much freedom as well.
“There is a dire need for surveillance law reform in India,” the group said in a statement. “It was our hope that this effort would provide a comprehensive framework overhauling surveillance and interception in India – in consonance with the international standards on necessary and proportionate principles, along with providing proper judicial scrutiny. However, the report and bill does not seem to provide substantive changes in the surveillance regime in India.”
The need to address data protection and privacy laws is clearly evident throughout the world. Numerous economies are still reliant on regulation and legislation written for another era, think about how much society has changed over the last 5 years. Any attempts to create an environment suitable for today’s digital normality should be applauded, but the Indian government has not got this one right.
Governments have shown they cannot be trusted with un-monitored or un-accountable access to data and communications networks. The recommendations in this report, notably focusing around government exemptions, are too loosely defined, making the opportunity for abuse abundant. This cannot be a situation which is allowed to develop.