|
Listen to this story
|
The debate around data privacy
If we ask the question, “What is Privacy?”, it will be difficult to answer. One cannot arrive at a specific definition of privacy. The epoch that triggered this event in the first place was the scandal surrounding Cambridge Analytica which purchased data from Facebook and unleashed a psychological warfare tool on voters in the US. Defining the behaviours that constitute a violation of the right to privacy is made more challenging by the ambiguity in the definition of privacy. Much data is being collected by organisations based in India and abroad. Organisations use the concept of informed consent as a part of their terms of service to take consent from users for data collection and storage. However, the debate around how this data is used for analysis is a mystery.
Data is the new oil
Like oil in the 18th century, data is an undervalued resource in the 21st century. Like oil, there will be enormous rewards for those who see the basic worth of data and learn how to extract and exploit it. With the advent of massive data storage and processing technologies like machine learning and artificial intelligence, which can extract meaningful insights for strategic decision-making for organisations, it has become extremely important for them to collect more data from their consumers without any checks. With the percolation of internet services in India’s remotest towns and villages and the increasing availability of affordable smartphones, the average citizen’s data usage has grown considerably. As of January 2022, there are approximately 650 million internet users in India. This implies that approximately 650 million data points are available, of which every data point generates a variety of data such as social media data, pictures, emails, texts, voice and more. Out of this, approximately 460 million users were active on some form of social media, including Facebook, Twitter, Instagram and others. As of early 2022, Facebook has approximately 330 million users, YouTube has 467 million users, and Instagram has 230 million users. These are indicative of the amount of data generated by every user. The organisations processing this data generally store it within the boundaries of India. There have also been instances when some organizations have refused to hand over the data to Indian authorities upon request. All this emphasises the need to have a strong data security framework that protects Indian interests and prevents any misuse of the data of Indian nationals.
It is time for India to act and take inputs from the laws of other countries; the lawmakers drafted the Personal Data Protection Act in 2019 and have now introduced the Digital Personal Data Protection Act, 2022.
Businesses and the New Law
The earlier version of the Personal Data Protection Bill needed to be more compliance intensive. Data localization was a parameter but more so for large enterprises. It also included a contentious requirement for local data storage within India’s borders. These concerns were considered in the revised bill, which has relaxed these demands. It enables data flow to a limited number of international locations, possibly fostering trade agreements between countries. The PDP Bill (2019) did not recognise the data principal’s right to post-mortem privacy or the ability to withdraw consent, notwithstanding the Joint Parliamentary Committee’s recommendation. However, the revised bill is viewed with scepticism and has been vague on many issues. Companies have their own set of concerns and one of the prime concerns is data storage in another country. As the government has almost absolute authority in modifying and changing the list of “trusted nations” for data storage, businesses fear how frequently any country would be added or removed and what criterion will be used for adding a country to this list. In a situation where a country has been removed from the list, how much time would be available for the organisation to transfer data to another trusted nation is a point that requires clarity since businesses invest significant amounts of money for data storage. In addition, the bill grants sweeping powers to the government, especially in deciding the composition of the data protection board which many tough critics fear would be used to turn the country into an Orwellian state.
In Conclusion
The new draft legislation is the first step and is viewed as an increasingly positive initiative by the government to take the privacy of its citizens seriously. However, the proposed legislation has relaxed many stringent compliance norms that should have been viewed positively earlier. In contrast to its predecessor, the proposed legislation handles “personal data” more straightforwardly while imposing tough penalties on violations and is viewed as more accommodative. This may be a step towards phase-wise implementation of the legislation wherein the government would gradually tighten the norms as per the trends in future. As a part of public consultation, the government has invited suggestions from various quarters of society to fine-tune the proposed legislation, and it’s expected that the government would act positively after reviewing the suggestions. India will see a new dawn of information security framework which will be accepted, adopted and complied with by every institution very soon.
This article is written by a member of the AIM Leaders Council. AIM Leaders Council is an invitation-only forum of senior executives in the Data Science and Analytics industry. To check if you are eligible for a membership, please fill the form here.
