Robust economic argument for a sound Indian data protection law
After a historic constitution-bench judgment in the Supreme Court of India that privacy is a fundamental right, the country is poised at the cusp of a major debate. A committee appointed by the Ministry for Electronics and Information Technology (MeITy), and headed by retired Supreme Court justice B N Srikrishna, is looking at the various facets of data protection for Indian citizens.
In Tuesday’s article on this debate, it was pointed out that there is a need for MeITy and the Srikrishna Committee to make policy decisions clearly choosing the right to privacy over the economic incentive of unregulated access to data. It is clear that both government and industry in India have bought into the narrative of “data is the new oil,” and consider it central to the country’s immediate economic future.
However, conversations around privacy and data have become inevitably linked to the idea of technological innovation as a competing interest. While the value of innovation as a competing interest itself is questionable (it is not a competing right, nor a legitimate public-interest endeavor, nor a proven social good), let us for a moment examine the substance, and not the basis, of this argument.
The idea that in policymaking, technological innovations may compete with rights (both fundamental and consumer rights) of individuals at any level assumes that there is social and/or economic good in allowing unrestricted access to data. The social argument is premised on the promises of mathematical models and computational capacity being capable of identifying key insights. In turn, they can be useful in decision-making. The indiscriminate collection of data can be a form of hoarding, stashing stuff away because it vaguely promises that it might come in handy someday.
Sufficient research suggests that indiscriminate data collection is greatly increasing the ratio of noise to signal, and can lead to erroneous insights. Further, the greater the amount of data you collect, the greater is the attack surface that leads to cybersecurity risks.
Perils of indiscriminate data collection
Finally, indiscriminate collection and sharing of data by various parties translates into ability to aggregate and correlate data from a wide variety of sources, which means a greater of risk of re-identifying individuals from data that supposedly has had identifiers removed.
These factors severely qualify the social benefits of allowing unrestricted access to data for processing. The Srikrishna Committee’s white paper does talk of exemptions where data processing is being done for research, archival or statistical purposes. However, it is necessary that these exceptions are applicable only where the purpose of processing is for public interest.
The economic-good argument is built on the idea of a digital infrastructure in the form of an “India stack,” which refers to multiple, inter-dependent layers of software services that are built on top of one another. The stack model, its proponents claim, promises to enable a scalable digital infrastructure for services, with authentication and consent built into it.
The digital identity infrastructure and building an ecosystem to enable delivery of services are very much at the center of the vision of India’s digital ambitions. There is also talk of leveraging this growing system for data diplomacy.
So far, these initiatives have progressed in the absence of any data regulation, and this is reflected in both the collection and, in many cases, public disclosures of Excel sheets of personal data by government departments, and emergence of data-driven business models that relies on indiscriminate data collection, harvesting and sharing.
A quick global review reveals that more and more countries are recognizing the importance of stringent data-protection requirements that address the concerns around privacy and security.
The European Union’s General Data Protection Rights (GDPR) are to come into effect this year. The growing influence of the EU’s approach to data-protection law on global adoption of such regulations suggests that a lack of robust data regulation is a significant impediment to any ambitions that India has to become a data powerhouse in the future.
Two other jurisdictions that have emerged as important regional centers are New Zealand and Ireland, and they both distinguish themselves on account of providing a home with strong privacy protections.
Further, the ongoing litigation challenging standard contractual clauses for transfer of data between the EU and the US is also ominous for the data-processing industry in such countries as India, Brazil and Russia, which rely greatly on outsourcing of these activities from European companies, and all have lesser levels of data protections than the US.
The High Court of Ireland, on the basis of a finding by the Irish Data Protection Commissioner that standard contractual clauses do not provide sufficient protection to EU citizens, has permitted a reference to the Court of Justice of the European Union, which may now decide on the validity of the standard contract clauses.
The EU is India’s No 1 trading partner, accounting for 13.5% of its overall foreign trade in 2015-16, and its trade in services with the EU has almost trebled in the past decade. Indian companies rely entirely on standard contractual clauses in order to provide data-processing services to EU. It is therefore necessary that Indian data-protection laws are considered robust by the EU for this arrangement to continue.
These facts clearly do not make a case for dilution of privacy principles to accommodate technological innovation in data-processing practices. On the contrary, it emerges that it is imperative for any country with ambitions to emerge as a key center for data-processing activities to have strong regulations in place.
This is the second article in a three-part series. The first part can be read here.