New Delhi, June 2 : Last week marked a year since the implementation of European Union (EU)’s General Data Protection Regulation (GDPR). It was a significant milestone as it started a conversation around privacy in boardrooms at a time when companies were taking for granted millions of bytes of consumer-generated data, every day.
The fact the many other countries have followed suit is evident enough to show how important privacy and data protection will be in the coming years to consumers. India was not an exception when it came up with a robust policy in 2018.
As the new government takes charge, it will be one of the key policies that industries are watching out for as implementation of data protection bill would change the way they operate.
In July 2018, Justice BN Srikrishna committee submitted the Draft Data Protection and Privacy Bill which is currently awaiting the Cabinet nod. It is quite an ambitious policy that not only upholds the Supreme Court’s ruling that privacy is a fundamental right, but also draws a line on how corporates can access and process customer data.
If the policy were to be implemented, consumers will have ultimate authority over how their data is being used or if it can be used at all. It is not unlike EU’s GDPR.
However, unlike how the companies were ready to comply with EU’s GDPR, there have been voices of dissent after the Srikrishna committee submitted the draft. The voice of dissents, mostly from multinationals, were not against the entire idea of data protection but regarding a specific aspect of the Bill — data localisation.
The draft bill states that all companies should ensure at least one copy of personal data is stored in India. In addition, the critical personal data can only be processed in the server located in India. Failing to comply will result in penalties in the range of 2-4 percent of companies’ global turnover or fines between Rs 5 crore and Rs 15 crore, whichever is higher.
This would mean that companies such as Google, Facebook and captives such as IBM, for whom India is a major market, will have to store data here. This is where companies and Indian government are not in sync.
When IBM’s Ginni Rometty had come to India recently, she said that barrage of regulations would hinder growth and there is a need to differentiate between consumer and business data. It is yet to be clear how one can separate the two given that the boundaries are blurring. Facebook founder Mark Zuckerberg in his blog in March said that the company will not set up local data centres in every country that has privacy laws. In his defence, certain countries have a track record of violating user privacy and setting up data centres in those regions will only make it easier for those governments to access citizens’ information.
He did not mention India specifically. However, it does give off the message that he is not entirely convinced about complying with the data localisation aspect of Bill in India.
Here is where the challenge for the new Communications and IT Minister Ravi Shankar Prasad, who will assume charge on June 3, lies. Not only should he find the right balance between interests of citizens and companies, but also need to put his foot down where it matters.
As far the track record goes, Prasad might be able to do just that. When the series of fake messages forwarded through messaging platform WhatsApp resulted in violence, and at times death, Prasad held several rounds of talks with the instant messaging company to resolve the issue. WhatsApp CEO Chris Daniels flew to Delhi frequently for the same.
Prasad laid out few conditions for WhatsApp to continue operating in India. These included installing India head for WhatsApp and add features that would reduce number of messages being forwarded. WhatsApp did both. We have WhatsApp Head for India now and you can forward message only to five people.
He has said that implementation of data protection will be one of the top priorities for the new government. Though he seems more than capable, we will have to wait and see how Prasad achieves this.
