05 Mar 2021  |   04:40am IST

Importance of data privacy

Binayak Datta

A friend happened to ask me what this hullabaloo on our ever-postponed “Data Protection Bill” was all about. And I said, in my years in Finance and Analytics, data has never been so precious, of so much importance and value as it is today. And the difference is that you are now no longer “YOU” … you are today your 12-digit Aadhaar number, known only through a sea of personal data, complete with your biometry in an electronic, readily copiable, easily transferable, analysable form.

So, can this harm anybody? Yes: through profiling and targeting, not only for marketing purposes but also for other reasons, such as immoral or political purposes (there’s already a case on this).

The first alarm bells rang when a whistleblower blew the lid off Cambridge Analytica having allegedly used data of 87 million Facebook users (Facebook admitted that data of about half a million Indian users was compromised).

In August 2017, the Supreme Court ruled that privacy is a fundamental right, flowing from the right to life and personal liberty under Article 21 of the Constitution. The Court also observed that privacy of personal data and facts is essential to the right to privacy.

Most developed countries – the EU countries, the US and UK, Canada, Australia, South Korea and New Zealand – have well-structured data protection laws in place.

The Government first introduced the “Personal Data Protection Bill” in 2018; it lapsed. One more followed in 2019 (after an experts’ committee’s recommendations), but it’s hanging somewhere on the parliamentary committees’ shelves. The Government had asked for suggestions from citizens and I had put in my points.

I plan to look at the basics of our bill; the pros and cons and finally a set of new points from my side.    

My Takes: Currently there are hardly any Data Protection Laws in India. There were recently amendments to the Information Technology Act, which provide for compensation for disclosure of “sensitive” personal information. But the “sensitivity” and its degree remain vaguely defined.

The Data Protection Bill seeks to provide for protection of personal data of individuals, create a framework for processing such personal data and establish a Data Protection Authority for the purpose. The four basics of the bill, just to recapitulate, are:

1) “Data Fiduciaries” (the party collecting, holding and processing the data – the Government for example, or say your cell phone operator, or the Social Media Intermediaries who hold your personal data) will hold data in trust (on your behalf):
   a) they would ask your informed consent for collection of data;
   b) you have a right to know how the data will be processed and used;
   c) encroaching on your privacy is forbidden, for example profiling you, tracking your movements, monitoring your choices and behaviours;
   d) targeting you for undisclosed motives; and finally,
   e) your right to be “forgotten”, that is, erasure of your past data from the fiduciary’s servers at your behest.

2) Data Localisation: “Sensitive” data has to be stored in servers in India – other data can be stored elsewhere with a copy in an Indian server.

3) A Data Protection Authority will oversee the entire process.

4) Violations invite steep fines and even imprisonment.

I think this is an excellent step reinforcing citizens’ privacy. 

But first, in my view, we as a people have to have a lot more respect for data and data-based Analytics rather than ‘hunches’ – this fact is simply borne out by the poor quality of data that one faces in any meaningful exercise he gets into – almost as though there was an Edward de Bono in the corner with his “How to Think Critically Using Sun Tzu’s Art of War Stratagems” giving out a gem: “.. Most executives, many scientists, and almost all business school graduates believe that if you analyse data, this will give you new ideas. Unfortunately, this belief is totally wrong. The mind can only see what it is prepared to see.” We tend to wake up only when there are data-leakages of millions of private citizens.

My second point is on the appointment and powers of the Data Protection Authority (DPA). Can the Executive, which in most cases is the Data Fiduciary itself, also be appointing the DPA? I think independence could be severely compromised – I suggested that the appointment should be done on approval from the Judiciary ONLY.

My third point is on the multitude of exemptions heaped on the Executive in obtaining, processing and storing personal data of citizens in the name of security concerns. What are the standards, for example, in “anonymised data”? Does this stand legal scrutiny? Western Countries have standards set for de-personalisation of individuals’ data. I think our data law should be more professionalised, especially in cross-border data handling, particularly in IT enabled services where we had been lead-players once. I may add here that the EU, for example, would look for “adequacy tests” under EU General Data Protection Regulations and OECD guidelines for back-offices handling personal data.

I would also like to see serious initiatives on the Non-Personal Data (NPD) front as well, collection-protocols, processing, storage and publishing non-personal data. The Government had recently constituted an Experts Committee, who recommended legislation governing NPD...I wish I knew what finally happened there.

And in conclusion: The importance of all this is, in the three parties – the Citizen, in his safety and privacy, the Executive in its governance and Commerce in its growth. 

Business should be facilitated – not slowed down – and we should never be seen as putting one more hurdle on its growth trajectories. I think let’s go ahead fast – we can evolve better as we proceed!


(Binayak Datta is a Finance Professional)
