At the panel discussion organized by the Broadband India Forum (BIF) on the recently released draft Bill on Data Protection, Kuldeep Singh with other eminent panellists welcomed the opportunity to express their views. He appreciated the recommendations of the Puttaswamy committee that brought in the importance of consent. With the judgment, the right to privacy was elevated to the level of fundamental right. Therefore, Singh believes that the user who is parting with his data has the right to know where the data is used and for how long will it be used.
This is one of the positive aspects of the recommendations that he highlighted. The worrisome issue he believes is the recommendation for the data localisation in the country. What could be the objective of such localization in the country, he muses. Objectives could be security, accessibility to the government and the agencies outside the country. But while highlighting the positive aspects he also had certain apprehensions with the Bill as well.
No Cost Benefit Analysis
Singh believes that for anything to work in a proper manner, we have to analyze the cost-benefit of the plan. The cost of having data mirroring or localization in India would require a huge amount of storage and servers. Therefore, it will definitely have a huge impact on startups.
Today, when the Indian market is mainly dominated by startups, for them to go through that kind of expenditure, might just hinder the progress of small medium enterprise. The players with deeper pockets will not feel the pinch that much but small players like startups being in the nascent stage are more likely to suffer. There is also a chance that an SME if given a choice, will opt for a cheaper market to operate. This in turn will lead to the SMEs migrating abroad and India losing out not just on GDP numbers but also innovation.
According to Singh, there is a case of reciprocity also that cannot be ignored. India has been in the business of data processing for a long time i.e. India has been handling sensitive data from abroad which has been processed here. By taking the example of European Union, he tries to explain that if the flow of data is stopped, within Europe, it would be like putting “custom duties” which will in a way put a stop to services that are coming to the country.
Poor Law enforcement
The major concern in our country according to him is law enforcement in our country. When asked about how the bill plans to protect the intellectual property of the programmer who is disclosing the source code, he stated that he believes the laws must not be complex. Someone will analyse the source code which will take time and also will be messy work. He believes this might lead to it becoming another source of misuse of discretionary powers and some apps will be stopped while come will be not.
He says, the thought behind the laws may be good, but if the implementation fails, the entire idea crumbles down to nothing. Just like Adhaar, which brought in biometrics to the system, but it was poorly implemented and thus lost its value. Therefore even if localization occurs, will it be localized properly? He has doubts about it. He questions if it is going to be safer in the country?
Surveillance through Section 40(3)
Commenting on the inclusion of Section 40(3) in the draft Bill, which allows the government to exempt certain categories of personal data from the mirroring requirement in the interests of necessity or strategic interests of the State; he said that the difficulty again arises with implementation and enforcement. To decide which kind of data is to be exempted (and which is not) and who is going to take this decision, he says probably they will entrust this to the DPA. It has come through especially in the telecom sector and he hopes DPA will so good job.
A Need for National Encryption Policy
He looks at encryption positively and says India doesn’t have a national policy related to it yet. Therefore we don’t know which data is to be encrypted, how long should be the key. But if such policy comes into being, he says, it will be a good thing. Taking financial data into consideration, whether it is stored locally or abroad, it has to properly encrypted .one has to make sure that there is no leakage of data. Sensitive data should be properly encrypted.
As far as localization is concerned, he accepts that the internet knows no boundaries. He calls localization as an “artificial kind of thing” (like custom duties). What is more important according to him is that one must prevent misuse of data, if there is a misuse it should be detected and the ones who are missing the data should be penalized for doing so. These three are most important: “Prevention, detection and penalization of misuse of data” than where it is stored. Therefore the purpose of the Data Protection Bill still needs to clarified for it to bring in better results.