Can law fix what technology has cast in stone? This is the question that the committee of experts led by Justice B.N. Srikrishna must wrestle with as it sets out to craft a data protection law for India. The committee’s recent White Paper has commendably surveyed the landscape of rights and principles that could populate this new legislation.
Perils of one law
What is missing from the paper, however, is an understanding of the many technologies that come together currently to protect data in India. A digital economy — such as India’s — that relies overwhelmingly on imported technologies cannot be levelled overnight to make way for a uniform data protection law. For instance, more than 80% of Indian smartphone users today rely on Google’s Android operating system. But the majority of those mobile devices are sold by Samsung, Xiaomi or Oppo. Does the committee believe an operating system designed in Silicon Valley and a mobile phone manufactured in China’s Guangdong Province have similar rules to protect data? Or better still, can they be made to comply with a single, catch-all set of data protection standards?
The issue of data protection is one over which the Indian state has, unfortunately, little say. Major players in the country’s digital economy are not only based abroad, but also export data to other jurisdictions. Perhaps, if the data of every citizen were to be held inside the country, the state could probably enforce rules for its storage and sharing. But to demand “data localisation” would be unwise (the Srikrishna Committee too acknowledges this). Many of the world’s giant data centres are located in northern climes near water bodies, since they require mild temperatures and enormous quantities of water to cool thousands of servers.
The U.S. Department of Energy in 2015 estimated that data centres in the country took about 2% of its overall power supply. Can India, with its round-the-year warm climate and scarce natural resources, really afford to divert electricity and water to maintain data centres? State and central governments will also need to spend substantial amounts on physically securing these installations. The theory of comparative advantage tells us that India is better off relying on servers located elsewhere, while gaining in connectivity and access to high-quality digital products.
There is, however, a trade-off: India’s inability to localise data means its digital economy is governed by hundreds of “private” data protection policies, some of which even contradict each other. For this reason, the Srikrishna committee cannot follow the same legal strategy used in the Aadhaar Act, which lays down strict rules for the collection and sharing of biometric and sensitive personal data. In that case, the Unique Identification Authority (UIDAI) is the custodian not only of Aadhaar data, but also data servers and secure lines that store and transport them. It is possible, therefore, to have a uniform law that can be strictly enforced. With a data protection statute, this may not be entirely feasible.
Take the issue of “sensitive” personal data: the Srikrishna Committee has provisionally recommended that current definitions of “sensitive” information be re-evaluated in the light of India’s socio-economic context. This is a laudable objective. But how does it sit with the way mobile devices and operating systems in the market define the term? The Google Developer Policy -- which app developers must comply with if they want their products featured on Android phones -- requires “sensitive” data to be collected only for a “core capability”. In other words, if such data is absolutely critical for the app’s functioning, it may be sought from a user. Even if India’s data protection law were to determine that some health data is too sensitive to be shared under any circumstance, it is very likely that an Android app somewhere would still permit its collection. “Genetic testing” apps – used to predict the kind of hereditary ailments a user may be susceptible to — are becoming increasingly popular and collect precisely such information. Would the Indian state, then, ask Google to block such an app? How would the law be enforced?
Android phones also have “layers” of permissions written into them that determine the kind of sensitive data an application can collect. An app could tap into a phone’s fingerprint authentication hardware with only a “normal” permission, which is automatically given at the time of its download. But to access the user’s location from the phone, the app requires a “dangerous” permission, meaning the affirmative consent of the user. Were Indian law to prohibit apps from accessing the fingerprints of users without their consent, will it declare the Android system of ‘permissions’ unlawful? Classifications aside, the point here is that data protection rules are embedded into technologies by software developers according to their beliefs, which may not reflect India’s statutory considerations.
On the other hand, the Chinese smartphone manufacturer Huawei candidly acknowledges it may transfer the data of users to locations with no data protection laws at all. Huawei’s End User License Agreement merely suggests it will provide “similar and adequate” levels of protection as the country of origin. But how would Indian regulators ensure that the data of citizens is treated uniformly, even after it has been exported to, say, China? In this case, the very nature of the data flow is a limit on the implementation of a data protection law.
The way forward
This is not to say the Srikrishna Committee is performing an exercise in futility. Current data protection rules under the Information Technology Act urgently need an update and should reflect modern trends. For instance, India can and should enact safeguards for data collected through known points of vulnerability in its digital economy: a mobile phone’s camera software, public Wi-Fi spots, firmware updates, QR codes, and so on. But the committee will find it difficult to conceive watertight definitions of “sensitive” data, or lay down guidelines to determine what data should be collected, when the user’s consent is required, or even the kind of encryption to protect such data.
Perhaps, this is just as well. India’s data protection laws should not foreclose options for its own software developers — who need country and community-specific data — as they build products tailored for the digital economy.
A modest solution could be to allow companies to pursue independent data protection policies (guided by baseline norms), but monitor their enforcement through a national, multi-stakeholder agency. There is precedent for such an institution: the United States Federal Trade Commission performs such a role, investigating data breaches often according to best practices within the industry. In 2013, for example, it found the smartphone manufacturer HTC guilty of circumventing Android’s own installation checks and allowing the download of “insecure” apps. Pitting businesses against their own data protection standards and those of their competitors will create a “name and shame” environment, and weed out poor practices that compromise users’ data. When the Indian digital ecosystem is mature enough, there could be more comprehensive guidelines on the storing, sharing and collection of data.
Arun Mohan Sukumar is a PhD candidate at the Fletcher School, Tufts University
