The draft, published by MeitY on November 5 this year with several policy strategies for the growth of the data centre sector in India, asked for recommendations from domain experts, public policy professionals, and students within 15 days.
In a response to the MeitY’s request, points made in the recommendations published by the IFF present valid concerns in terms of the lack of data governance and security standards in the draft.
With the number of internet users in the country predicted to grow to 800 million by 2023, India will generate a huge amount of personal data that will get stored in data centres.
While that is the case, India has been a host to 1.45 million cyber-security incidents from 2015 to 2020 (till August), according to the Computer Emergency and Response Team – India and 54 Central Ministries websites and 37 State governments websites have been hacked in 2019 and 2020 (till August).
The IFF, thus, rightly points out the lack in the specification of security standards in the policy draft that the data centres must adhere to.
Given that the country is plagued with data breaches, IFF recommends that the policy specify security standards for the data centres or follow the ones that may be prescribed by the Data Protection Authority proposed under the Data Protection Bill. At the very least, IFF feels it is important for the policy to lay down a broad framework to ensure data protection.
Digital Rights & Regulatory Oversight
As the draft on the Data Centre Policy lacks language regarding privacy and data rights, the question remains whether they will be covered under the Data Protection Bill, as the regulation of the operations at the data centres are likely to come under it.
IFF recommends that if the issues are going to come under the Data Protection Bill, then a method for ensuring compliance with the same must be specified.
It states that there should be a ‘clear and unequivocal acknowledgement’ within the policy for oversight by the Data Protection Authority contemplated by the impending Personal Data Protection Bill, 2019.
While the recommendations rely on the Data Protection Bill and the resulting Data Protection Authority that is to be put in place, several criticisms have been made with respect to the Bill itself, both inside and outside parliament.
One of the main issues is pertaining to the exemptions given to the government for the processing of data. Several experts have also called more autonomy or independence for the Data Protection Authority and questioned its composition.
As a response to this, the IFF recommends the use of an alternative private member bill, that was introduced by MP Dr D Ravikumar, as it addresses several of these issues.
Imposition Of Essential Services Maintenance Act
The Essential Services Maintenance Act (ESMA) was enacted by the parliament in 1968. This act lists services that are essential and prohibit key employees working in these services from striking, putting ‘significant curbs’ on employees’ right to freedom of expression, according to the IFF.
In 2010, for instance, the state of Andhra Pradesh included the IT industry under the ESMA. This gave the police the right to arrest any IT employee on strike without a warrant.
While IFF recognises the importance of data centres in today’s digital world, it states that the draft policy does not make any valid arguments to warrant the inclusion of data centres under ESMA and calls the inclusion ‘a step too far’.
While several economic and geopolitical advantages of growth of the data centre industry in India merit a Data Centre Policy, at the same time it is equally important for the policy to address issues like regulatory frameworks that will protect data, privacy, and rights of the people.
It is crucial that MeitY considers the recommendations made by the IFF to ensure sustainable and safe growth of the data centre sector in the country.