India’s data dilemma: How to protect all of it

An operator works on his table while enrolling villagers for the Unique Identification (UID) database system at an enrolment centre at Merta district in the desert Indian state of Rajasthan February 21, 2013. In a more ambitious version of programmes that have slashed poverty in Brazil and Mexico, the Indian government has begun to use the UID database, known as Aadhaar, to make direct cash transfers to the poor, in an attempt to cut out frauds who siphon billions of dollars from welfare schemes. Picture taken February 21, 2013. REUTERS/Mansi Thapliyal (INDIA - Tags: SOCIETY POVERTY SCIENCE TECHNOLOGY BUSINESS) - GM1E92S1AM201

Unlike the West, India will become data rich before it becomes economically rich—according to Nandan Nilekani, one of the co-founders of the Indian IT company Infosys. Nilekani was also the chairman of Unique Identification Authority of India that issues the 12-digit unique number to all residents of India based on their biometric and demographic data called Aadhaar – the largest biometrics based identification system in the world. He envisions India to move from being data poor to data rich country in five years.

However, the recent Cambridge Analytica scandal has proven that free market mechanisms leave much to be desired in securing data and protecting the privacy of individuals. When a large, middle-income country rapidly becomes data rich, there are obvious concerns about the challenges related to the usage, privacy, and protection of the individual’s data given the greater scope for misuse. There are many issues to resolve before India can migrate to a seamless digital platform.

An expanding digital ecosystem

It began with the government’s unique identification program providing each Indian with a way to directly receive government benefits. India Stack was then launched to enable this identity to authorize access to documents, make payments, and other digital services. The Digital Locker eliminates physical paper and fake documents by issuing documents digitally, while the eSign service allows all Aadhaar holders to digitally sign documents and request digital signatures. Initiatives such as these have elevated India into the top 100 on the United Nation’s E-Government Index.

Aadhar is already embroiled in privacy issues, as is India Stack. The latest concerns involve India Health Stack, the digital backbone to the National Health Protection Scheme being launched by the government. It intends to combine disease registries, personal health records, a coverage and claims platform, and a health analytics platform. However, the open application program interfaces (APIs) used by Health Stack have raised concerns related to privacy of individual health records. Individual health data is particularly sensitive in nature and can be misused for profit, manipulated, or used to discriminate against the data subject.

New data protections for India

The judiciary in India has taken a lead in establishing safeguards for data privacy. Last year, the Supreme Court of India held the right to privacy to be a fundamental right. Closely thereafter, in its landmark Puttaswamy judgement the Supreme Court established the individual’s control over her data. The Ministry of Health & Family Welfare ratified the draft Digital Information Security in Healthcare Act in March 2018 to regulate digital health data. Later in April, the Reserve Bank of India, the country’s central bank, issued a data localization order requiring all payment system operators to ensure that their data was stored in a system in India. The past year thus proved to be a watershed for data privacy laws in India.

As the European General Data Protection Regulation (GDPR) comes into effect, India has started the process of drafting its own data protection law. The draft bill makes provision for processing of personal data, issue of consent, and the right to be forgotten. While the bill is a good start, it doesn’t do enough to protect evolving privacy rights. While India’s proposed law is similar to GDPR concerning higher penalties for infractions, it is riddled with language that makes it ambiguous and lenient. The requirement of data localization, broad permissions for government use of data, and independence of the regulator’s adjudicating authority are some of the concerns. The right to be forgotten does not extend to completely deleting the individual’s data. Another major concern about the Indian law is how well it will be enforced.

Learning from other approaches

India is actually a late entrant in the group of countries that have enacted data protection laws. However, this can help India avoid the pitfalls of other approaches. While the U.S. lacks one omnibus law regulating the collection and use of personal data, the EU has been criticised for being excessively stringent and imposing many obligations on the organisations processing data ,including high cost of compliance. The ‘Smart Nation’ initiative of Singapore’s government has been criticised on account of personal data being widely collected, inadequately protected, and easily misused, despite a personal data protection act being in force since 2014.

Aspects like consent, commercial use of data, data sensitivity, and right to be forgotten have quickly grown to be key concerns for governments, users and service providers. Furthermore, India is a socio-economically, technologically, and politically complex country that requires regulation customised to its level of economic and demographic development. Nilekani describes India’s approach to the internet being simple: empower users with the technical and legal tools required to take back control of their data.

It is pertinent for India, given the size of its population and economy, to have a strongly enforced data protection law. If it is too lenient and vague, individual rights in a democracy suffer; if it is too restrictive, the ease of doing business and promise of growth suffers.