Crafting a Data Protection Law That Works
The Critical Need Is to Define Standards and Enforce Them
As India's Parliament prepares to finalize a new privacy and data protection law in the weeks ahead, there's still no consensus among security practitioners about what approach the legislation should take.
While security practitioners, law enforcement authorities and others debate the merits of the bill, what's needed is far more clarity on privacy standards - and then enforcement of those standards.
But balancing the right to privacy with business needs is challenging.
In a panel discussion at the recent DSCI Summit, Rui Bastos, head of digital transformation at Reliance Industries, noted: "Most businesses collect data to better the quality of life of their customers. We can't grow without data. So the dilemma is, do we deal with data for the right to quality of life or right to privacy? This is something that concerns me."
Harms-Based vs. Rights-Based Approach
The draft of the data protection bill unveiled six months ago takes a "harms-based" approach that some have criticized. The harms-based approach represents the view that data protection obligations must be scalable depending on the potential for harm. Under this approach, impact assessments should take into consideration the spectrum of potential adverse effects, including the general societal impact.
In contrast, the EU's General Data Protection Regulation takes a "rights-based" approach. It focuses on empowering people to know and claim their rights, and it increases the accountability of organizations that are responsible for respecting, protecting and fulfilling rights.
Vaishali Bhagwat, a cyber lawyer and advocate, argues that the harms-based approach is the right option for India.
"Previously under any law, a 'harm' was never as well defined as it is under this legislation. Though there is backlash, I personally feel a harms-based approach ... will actually help in quantifying the damage," she says.
Some critics, however, argue that the harms-based approach puts the onus on victims to prove to data fiduciaries that they have been harmed, which could prove difficult.
The draft legislation emphasizes data localization as a way to help protect privacy. It would require that all companies dealing with the personal data of Indians store at least a copy of the data domestically. And the most critical personal data would have to be stored and processed only in India.
Some Indian companies, including Paytm and Reliance Jio, argue that data protection legislation will lack teeth without localization. But opponents argue that India will lose business if it imposes data localization requirements.
"We are not for complete data localization, but at the same time, I believe government has the right to access data when required," says Srinivas Poosarla, data protection officer at Infosys.
Some critics fear that data localization could increase the risk of government misuse and surveillance of personal data. And they point out that even if the data is stored in the country, the encryption keys may still remain out of the reach of national agencies.
The Right Approach
Rather than focus on where data is stored, a better approach would be for the government to ensure all companies that handle Indians' data comply with clearly defined privacy and security standards - or face punishment. The government should come up with policies to ensure data is anonymized and encrypted and privacy is practiced at the design stage - and then enforce its new requirements.
As Bhagwat points out: "The problem in India is not lack of laws but the improper implementation of these laws."