Commentary

Find our newspaper columns, blogs, and other commentary pieces in this section. Our research focuses on Advanced Biology, High-Tech Geopolitics, Strategic Studies, Indo-Pacific Studies & Economic Policy

Data Protection Bill, an unfinished piece of work

Bill demands age verification and consent from guardians of children for data processing

Shashi Tharoor has a strong case when he says that the personal data protection Bill should have come to the information technology standing committee. It does set a precedent when issues as important as the bill do not go through proper channels of debate. Because of the nature of the Bill, there is a tremendous amount of scope for discourse and disagreement.

Let us begin with the most debated aspect of this legislation, the Data Protection Authority (DPA). Because the mandate of the Bill is so large, it can only go on to set guidelines and give direction on where the data protection space should go. The heavy lifting of enforcement, monitoring, and evaluation has to fall on the shoulders of a different (and ideally independent) body. In this case, it is the DPA that has the duty to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the act, and promote awareness about data protection. The body needs to enforce the Bill down to auditing and compliance, maintaining a database on the website that has a list of significant data fiduciaries along with a ranking that reflects the level of compliance these fiduciaries are achieving, and act as a form of check and balance to the government.

However, the DPA may end up not being the force of objective balance that it has often been made out in the Bill. Here is why. The body will have a total of 7 members (a chairperson with 6 others). All of them will be appointed by the government, based on the recommendations of the cabinet secretary, secretary to the Government of India in the ministry (or department) dealing with legal affairs, and the secretary to the ministry (or department) of electronics and information technology. All of this falls under the mandate of the executive and has no involvement required from the judiciary or for that matter the legislative. Also, the current version of the Bill does not specify who (or which department) these recommendations will go to in the central government. Is it MeitY? NITI Aayog? PMO? There is no clarity.

One cannot help but notice a pattern here. The Bill itself is going to go to a committee dominated by members of the ruling party and the enforcer is going to be wholly constituted by the executive.

Where is the feedback loop? Or the chance for scrutiny? You could at this point begin questioning how independent the DPA is going to be in its values and actions.

That is not to say that the Bill is all bad. Specifically, it does a good job of laying out the rights of the personal and sensitive personal data of children. And that is not often talked about a lot. The Bill here has a unique approach where it classifies companies that deal with children’s data as guardian data fiduciaries. That is crucial because children may be less aware of the risks, consequences and safeguards concerns and their rights in relation to the processing of personal data. Here the Bill clearly requires these guardian data fiduciaries to demand age verification and consent from guardians for data processing. Also, fiduciaries are not allowed to profile, track, monitor or target ads at individuals under 18.

This is a loss for Facebook. The minimum age to be on the social media platform is 13. And Facebook’s business model is to profile, track, monitor, and micro-target its users. One of two things will happen here. Facebook will either have to change the bar for entry onto the platform to 18 as per the Bill. Or, it will need to ensure that its algorithms and products do not apply to users who are below 13. Either way, expect pushback from Facebook on this, which may or may not result in the section being modified.

The other thing the Bill should add on children’s rights is the requirement to simplify privacy and permissions for children to be consistent with global standards. For instance, the GDPR mandates asking for consent form children in clear and plain language. There is value in making consent consumable for children and for adults. So provisions in this regard should apply not just for children but also for adults, mandating a design template on how and when consent should be asked for.

In sum, the Bill is an unfinished product in so many ways. It has good parts, such as the section on the personal and personal sensitive data of children. However, it needs debate and scrutiny from multiple stakeholders to guide the DPA to be the best version of itself and it is in the government’s hands to make that happen.

Read More

What the GDPR Means for India

As the GDPR seeks to protect data users in Europe (and regions where the EU laws apply), it might not really make a difference to data users in India. However, this law extends to both citizens as well as non-citizens within the boundaries of the continent. So, if you have plans to travel to Europe, you have the added advantage of being covered by the protections under the GDPR as soon as you land there.On the other hand, the GDPR requires companies all over the world to comply with its provisions if they provide any goods or services anywhere in Europe, or in any manner monitor the behaviour of any individuals in Europe. This means that some Indian sectors such as information technology, the outsourcing industry, and pharmaceuticals might be hit by the GDPR. As the penalty for a contravention is up to 4% of the annual turnover of the company, this is not a trivial obligation for affected Indian data controllers.

However, the biggest impact of the GDPR for India is probably the indirect or the persuasive impact.
Read more here.
Read More

The Devil in the Details

A week ago, the Justice Srikrishna Committee released a draft Personal Data Protection Bill and a Report to go with it. This is another step in the progress that has been made in the past year to create a data protection framework for India. It started with the Supreme Court judgement that recognised privacy as a fundamental right. This was followed by the constitution of the Justice Srikrishna Committee, the release of a White Paper, and public consultations on the recommendations made under it.The Bill and the Report, which had been expected for the better part of six months, have already attracted a flurry of critical commentary. While there are elements of these documents which are welcome, there are also serious concerns that require further attention.One of the positive aspects of the proposed law is its attention to detail. It is comprehensive and ticks most of the boxes that a data protection law ought to have. It vests individuals with certain rights with respect to their personal data, imposes obligations on entities that collect and process such data, and envisages a regulatory infrastructure that is supposed to facilitate the ecosystem within which data is collected, processed, and transferred. The Bill is also applicable to State entities, which is an upgrade over the status quo.Read more here.

Read More
Indo-Pacific Studies, Strategic Studies Manoj Kewalramani Indo-Pacific Studies, Strategic Studies Manoj Kewalramani

China’s big plan for AI domination is dazzling the world, but it has dangers built in. Here’s what India needs to watch out for.

China has been one of the early movers in the AI space, and evaluating its approach to AI development can help identify important lessons and pitfalls that Indian policy makers and entrepreneurs must keep in mind.

In June, Niti Aayog published a discussion paper arguing that India has a significant stake in the artificial intelligence (AI) revolution and therefore needs to evolve a national AI strategy. The document examined policies and strategies issued by a number of countries that could inform the Indian approach.
China has been one of the early movers in the AI space, and evaluating its approach towards AI development can help identify important lessons for Indian policymakers and entrepreneurs.
In July 2017, China’s State Council published its AI plan, outlining the goal of becoming the world’s primary AI innovation centre by 2030. This is a comprehensive vision document, unlike “strategies” or “policies” put out by other key global players.
Read More
Indo-Pacific Studies Manoj Kewalramani Indo-Pacific Studies Manoj Kewalramani

Breaking down China’s AI ambitions

The Social Credit System is about much more than surveillance and loyalty, as popularly understood. Nudging persons to adopt desirable behaviour and enhancing social control are part of the story. But there are larger drivers of this policy. It is fundamentally linked to the Chinese economy and its transformation to being more market driven.

China unveiled a plan to develop the country into the world’s primary innovation centre for artificial intelligence in 2017. It identified AI as a strategic industry, crucial for enhancing economic development, national security, and governance.The Chinese government’s command innovation approach towards AI development is crafting a political economy that tolerates sub-optimal and even wasteful outcomes in the quest for expanding the scale of the industry. Consequently, the industry is likely to be plagued by concerns about overinvestment, overcapacity, quality of products, and global competitiveness.In addition, increasing friction over trade with other states and President Xi Jinping’s turn towards techno-nationalism along with tightening political control could further undermine China’s AI industry. Before we dive into the challenges, here’s some background.Read more here>

Read More
Indo-Pacific Studies Manoj Kewalramani Indo-Pacific Studies Manoj Kewalramani

Unpacking China’s Social Credit System

The Social Credit System is about much more than surveillance and loyalty, as popularly understood. Nudging persons to adopt desirable behaviour and enhancing social control are part of the story. But there are larger drivers of this policy. It is fundamentally linked to the Chinese economy and its transformation to being more market driven.

The Chinese social credit system has to contend with many challenges and has implications far beyond social control.

Ever since it was formally announced in 2014, China’s proposed Social Credit System (SCS) has attracted much media attention. Reports have frequently ranged from painting it as an Orwellian nightmare to a dystopian fantasy, with most commentaries viewing the policy purely from the prism of social control.While the SCS can indeed be located as an initiative in the tradition of Chinese government efforts at maintaining social order and ensuring public compliance of policies, reducing it to merely a surveillance tool doesn’t do justice to the ambitious scope of this initiative.The SCS is about much more than surveillance and loyalty. It is, in fact, fundamentally linked to the Chinese economy and its transformation to being more market driven. So while nudging persons to adopt desirable behaviour and actions and enhancing social control are all part of the story, there are larger drivers of this policy. Moreover, the implications of the SCS are not just limited to Chinese citizens or within China’s territorial boundaries.Read more here>

Read More