How Can India Get Better Data Processing Laws?

India has the sovereign right to use its data for the welfare of its people and the idea of free trade doesn’t necessarily justify the idea of a free flow of data, commerce and industry ministry Piyush Goyal argued in his speech last week at the G-20 trade ministers’ meeting in Japan.

The minister was channelling a mantra that almost every government around the world has taken to heart – data is an asset.

This also explains why they are getting more concerned about its security. The European Centre for International Political Economy (ECIPE) calculates that in the decade to 2016, the number of significant ‘data localisation’ measures in the world’s large economies increased almost threefold – from 31 to 84.

‘Localisation’ is the practice of storing a country’s data on domestic soil. The effectiveness of such a move is questionable, but perhaps more importantly, storing data domestically takes away from it processing power that could prove to be valuable when stored internationally.

This brings us to how we can ensure as a country that India’s data is processed securely. The answer may lie in setting security standards for how our data is processed.

In Europe, the foundation was set in 1981 through a legislation called ‘Convention 108’. ‘Convention for the protection of individuals with regard to the automatic processing of data,’ the convention and its modernised form currently in use, ‘Convention 108+’ contains lessons for a world moving towards data-driven artificial intelligence. It is a step towards securing the data privacy of citizens who belong to member countries.

The Council of Europe introduced Convention 108+ in 2018, a new instrument keeping in mind contemporary advancements in technology.

108+ has the following innovative provisions previously absent in the original convention:

  • Proportionality (so far implicit and concerning only the data), in particular data;
  • Accountability, in particular of data controllers and processors;
  • Privacy by design;
  • An obligation to declare data breaches;
  • Transparency of data processing;
  • Additional safeguards for the data subject such as the right not to be subject to a decision solely based on automatic processing without having his or her views taken into consideration, the right to obtain knowledge of the logic underlying the processing, and the right to object.
  • Possibility for International organisations to accede to the modernised convention.

Convention 108+ is a relevant discussion to have for India. Especially since it is proven that the convention can have non-European members. Uruguay is the only non-European member as of October 10, 2018.

This brings us to the question: How can India enter into the convention? For New Delhi to get accepted into 108, it would need to meet legal provisions laid out in the convention’s text and get assessed by the committee for compliance.

How hard would this be for India? The strength of Convention 108+ lies in the quality of data protection it offers. And so the vetting done by the convention committee is likely to be a strict test for compliance of values outlined in the Convention’s explanatory report. This brings us to the question of whether India has the capacity, and more importantly, the intent to deploy the measures required to pass the compliance tests laid out by the Convention.

To draw this analysis, let us compare three major listed requirements of the convention (as cited in the sections above) and compare them to India’s actions and outlook.

Legality of processing

The first and perhaps most important requirement for India to meet is that of securing the legitimacy of data processing. The idea behind the law is that the government should have to establish a legal basis or individual consent for processing an individual’s data (as stated in Chapter 2, Article 5, Paragraphs 40-54).

This requirement goes directly against the actions of the Indian government which recently backed collecting and processing of individual data (in motion or otherwise). The notification is a challenge to entering Convention 108+ as it does not lay out a due process of law for how this surveillance should be conducted. There are no mechanisms listed for parliamentary or judicial oversight and no legal safeguards for rights of the data principal.

Also read: India’s Proposed Data Protection Measures Don’t Do Enough to Protect Data or Privacy

If India is serious about entering the Convention, this notification will have to be amended with the aim of putting legal safeguards in place and fulfilling the requirements as laid out by the explanatory report (as stated in Chapter 2, Article 5, Paragraphs 40-54).

Standards of security

Secondly, the convention has stringent requirements for data security. The explanatory report calls for the installation of state of the art systems – both technological and organisational – to ensure data security. These measures are aimed at preventing possible data breaches and require data controllers to notify relevant supervisory authorities of incidents relating to security. The convention also allows for supervisory authorities to demand data controllers to present reports of incidents to itself and any other agencies it deems relevant to the incident.

While the processes regarding organisation and collaboration between Indian supervisory authorities and data controllers are unclear, the country is not ranked highly in the cybersecurity index (23rd out of 165 countries), hinting at the need to improve existing technologies.

User rights

Thirdly, the convention calls for transparency in processing data to ‘ensure fair processing and to enable data subjects to understand and thus fully exercise their rights in the context of such data processing’. This, however, has not always been the approach of the Indian government and can act as a roadblock going forward. There are tools for transparency in the Indian democratic system of course, Right to Information (RTI) being the spearhead in this regard.

However, citizens are seldom notified when the government is processing data related to them, regardless of how comprehensively and often that may be happening. As an example, the Indian government consistently collects and processes data regarding its citizens (as evidenced by Google’s recent report), but citizens are not notified when their information is being processed.

In addition, there is no one particular body that has the mandate in processing citizen data. Data is processed by a different agency depending on the purpose data is required for. In addition, as defined in MHA’s notification, ten agencies now have the mandate to snoop citizen’s digital activity. All of these factors may count against India as it tries to secure a place in Convention 108+.

Should India decide to make a bid to enter Convention 108+, it would need to rethink the relation it has developed with data privacy. For instance, the recent notification introduced by MHA would need to be supplemented with a system that ensures the legitimacy of purpose to data in a transparent manner. While it is well within the government’s rights to process citizen’s data, it should do so within a due process of law, along with provision for judicial and/or parliamentary oversight. The presence of legal safeguards to protect the right to privacy will be an essential foundation for India’s bid.

Secondly, it would bode well for India’s bid to enter the convention to build its cybersecurity infrastructure. The convention lays out two crucial points of cybersecurity, i.e., technology and organisation. This provides us with an adequate framework to establish where we want to go and how to get there. If we are to enter the convention, we need to scope the technological requirements that it will entail, as well as develop a roadmap on how to achieve them. Doing so would also serve as a positive indicator for our ranking in the cybersecurity index, sending a reassuring message to the global economy regarding our approach to data security.

In addition, there is significant work to be done in terms of organisation. There is limited literature on how the Indian landscape of cybersecurity is structured. There is a need to define what the best practices are to enter the convention, the existing practices, how the two compare and finally, what needs to be done to bridge the gap.

Thirdly, the convention stands firm on being transparent on the use of data to ‘ensure fair processing and to enable data subjects to understand and thus fully exercise their rights in the context of such data processing.’

India should take on a two-step plan to achieve this transparency in processes related to data. Firstly, it should notify its citizens when it prepares to process their data, including the name of the department that is undertaking the exercise, as well as the reason why it is being done. This would provide more grounds to citizens for filing right to information claims while also increasing transparency at a massive scale.

Considering the first point, the recent data protection bill provides grounds to bypass the legitimacy of purpose. Data principals will not have the rights offered by the bill if their data is processed for the purposes of  (i) national security (pursuant to a law), (ii) prevention, detection, investigation and prosecution of contraventions to a law, (iii) legal proceedings, (iv) personal or domestic purposes, and (v) journalistic purposes. It is unclear how each of these requirements will be defined in the law, if at all. But the existing framework presents substantial amounts of leeway to not adhere to Convention 108+ standards.

On the second point, the data protection bill calls for organization in the form of a Data Protection Authority (DPA) to supervise and regulate data fiduciaries. Should such a committee be formed, its actions and mandate will be an important factor on whether or not India can enter into the convention. Finally, Convention 108+ has stringent transparency requirements which go against some of the principles of the data protection bill. While the bill requires fiduciaries ask for consent to process individual data, consent may not be required in cases of (i) any function of Parliament or state legislature, or if required by the State for providing benefits to the individual, (ii) if required under law or for compliance with any court judgement, (iii) to respond to a medical emergency, or a breakdown of public order, (iv) purposes related to employment, such as recruitment, or, (v) for reasonable purposes specified by the Data Protection Authority with regard to activities such as fraud detection, debt recovery, credit scoring, and whistleblowing.

Understandably, these measures will be tedious to implement and maintain. Current applications under RTI themselves require a significant amount of manpower to maintain and function effectively. However, it is a cost that comes with the benefit of certified transparency. It would also provide people with a sense of power and actual control over how their data is used. In sum, the cost incurred by establishing such measures will be well worth it in the long term.

This article was first published in The Wire.