The Best Time to Enact Data Protection Laws was 20 Years Ago; The Next Best Time is Now!

The road to personal data protection in India has been rocky. In 2017, India’s Supreme Court upheld the right to privacy as a part of our fundamental right to life and liberty. A panel chaired by retired Justice B N Srikrishna was given the task of drafting a Bill. In 2018, this panel submitted its draft to the Ministry of Electronics & Information Technology. The Personal Data Protection Bill that was eventually tabled in parliament in December 2019 proposed restrictions on the use of personal data without the explicit consent of citizens and introduced data localization requirements. It also proposed establishing a Data Protection Authority.

However, the bill was widely seen as a diluted version of what was originally envisioned by the Srikrishna panel in terms of its ability to truly protect the data/privacy of individuals. The bill was seen to place a significant regulatory burden on businesses and thus viewed as an impediment to the “ease of doing business” in India. A major bone of contention was the bill granting the government a blanket right to exempt investigative agencies from complying with privacy and data protection requirements. Understandably, there was pushback from BigTech, global financial services players as well as activists; even startups were unhappy with the proposed regulatory burdens.

In December 2021, after a number of extensions spanning over two years, the Joint Parliamentary Committee (JPC) that was set up to examine the draft bill submitted its report to the Lok Sabha. The JPC report has reportedly highlighted areas of concern and proposes a number of amendments/recommendations such as:

  • a single law to cover both personal and non-personal datasets;
  • using only “trusted hardware” in smartphones and other devices;
  • treating social media companies as content publishers, thus making them liable for the content they host.

In early August 2022, the government withdrew the Personal Data Protection Bill, 2019, with the promise to introduce a new one with a “comprehensive framework” and “contemporary digital privacy laws”.

 

India needs New Regulations to Plug the Data Protection Gap

That India needs robust data protection and privacy regulations which should be enacted soon is beyond debate. With digitalization becoming ever more pervasive by the day, the longer we are without clear regulations, the greater the risk is to our citizens. Each of the major trends below has the potential to infringe on individual privacy and can give rise to large-scale risks of user data (including personally identifiable information) being leaked/breached and misused:

  • The growth in digital banking, payment apps and other digital platforms.
  • The potential for Blockchain-based apps (in education – e.g., degree certificates, mark sheets; in health care – medical records; in unemployment benefits; KYC, passports etc.).
  • The growing popularity of crypto assets (and the attendant risk of them being used for money laundering, funding terror/anti-national activities etc.).
  • The rise of Web 3.0.
  • The increase in the use of drones for civilian purposes (e.g., delivery of vaccines, food to disaster-hit areas etc).
  • The emergence of the Metaverse as a theatre of personal/commercial interactions.

According to a news report, IRCTC had sought the services of consultants to help them analyze the huge amount of customer data they have and explore avenues to monetize the information. Given that the existing bill has been withdrawn, they have deferred this plan till new legislation is in place. Delays in enacting new data protection legislation can thus also affect the revenue growth and profitability of various businesses, which is another reason for quickly coming up with new legislation.

 

The New Data Protection Law should be Well-defined and Unambiguous

While “consent” must be a cornerstone of any such legislation, the government must also ensure that users whose data needs to be protected fully understand the implications of what they are consenting to. For example, each time an individual downloads an app on his/her smartphone, the app seeks a number of permissions (e.g., to mic, contacts, camera etc.). As smartphones become repositories of larger slices of personally identifiable information as well as financial data (such as bank/investment details), and authentication details such as OTPs, emails etc., the risks of data breaches and misuse that cause serious harm increase. There are a number of frauds and digital scams to which citizens are falling prey. Commercial and other organizations that build and manage various digital platforms must be held accountable for what data they capture, how they do so, why they need the data, how/where they will store such data, who will have access to it etc.

Just as important is for the new law to define unambiguously terms like “critical data”, “localization”, “consent”, “users”, “intermediaries” etc. Many companies are establishing their Global Captive Centres (GCCs) in India, to take advantage of the large talent pool and process maturity. Strong laws will encourage more players to consider this route seriously, thereby adding to jobs and GDP growth. Such investments also make it easier for India to be a part of emerging global supply chains for services (including high-value ones such as R&D and innovation).

It must address the risks of deliberate breaches as well. For instance, if hybrid working models are indeed going to remain in place, who should be held responsible for deliberate data leaks by employees working remotely? Or by their friends/relatives/others who take screenshots (or otherwise hack into systems) and share data with fraudsters?

While fears of an Orwellian world cannot be overstated, India’s new data privacy/protection legislation must be sufficiently forward-looking and flexible to give our citizens adequate safeguards. If the government fails to do so, our aspirations to become one of the top three nations on earth will take much longer – worse, they may only remain on paper as grandiose but unfulfilled visions.

Picture Credits: Photo By Fernando Arcos: https://www.pexels.com/photo/white-caution-cone-on-keyboard-211151/ 


Blockchain Technology: Don’t Throw the Baby Out with the Bath Water!

Blockchain technology, which underlies cryptoassets, is revolutionary because it is the opposite of conventional software designs. Data is not recorded and stored in a central database, with identified database administrators responsible for updating it and maintaining security. Think of a blockchain as a shared digital ledger of transactions. Unlike a traditional database that relies on tables, blockchains use “blocks” to store information. Each block has a certain storage capacity. When a block is filled (with transaction data), it is closed and cryptographically linked to the previously-filled block. Thus, information is distributed across a “chain of blocks.”

Whenever a new transaction occurs on the blockchain, a record of that transaction is added to the ledger of every participant in the blockchain. This paradigm is supposed to make blockchain applications much harder to hack, and to make it much harder for a small group of individuals to act in concert with the objective of cheating or committing fraud. Cryptocurrencies and NFTs are built and traded using blockchain technology; in fact, blockchains were first used to create Bitcoin, the world’s first (and probably best-known) cryptocurrency.

Cryptocurrencies have crashed – but is blockchain to blame?

In recent weeks, however, various cryptocurrencies have lost significant value, spurring numerous debates around their relevance, safety and sustainability. It appears that the drop in value of most cryptocurrencies was caused by the spectacular drop in Terra, a supposedly stable “fiat-backed” coin that was pegged to the USD, South Korean Won and Mongolian Tugrik, and in Luna, its sister cryptocurrency. It is believed that massive withdrawals from Anchor, a Terra-based decentralized finance (DeFi) protocol, led to Terra’s UST stablecoin being “depegged” from the USD.

It is not yet clear why such massive withdrawals happened, and whether it was the result of some kind of conspiracy (the high correlation with stock market movements does suggest some wrongdoing, although it is not clear by whom and with what intent). It is sad that investors lost billions of dollars in a matter of hours and days, and although a new version of Terra coin has been launched, it is too early to say if it will succeed. Naturally, questions are being raised about the much-vaunted safety of blockchain technologies.

Trust is critical to any innovation – the key is to find better ways of applying blockchain

Whether it is the world of cryptoassets or real assets, a key lesson to be learnt is that trustworthiness will always trump technology and other tangible traits that underlie any physical or financial asset. One must therefore resist the temptation to throw the baby out with the bathwater. In this case, I am referring to blockchains: we should not, based on the failure of cryptocurrencies, give up on blockchains. Instead, we must work on enhancing their trustworthiness even further, so that even inadvertent loopholes don’t arise.

Blockchain technology is finding application in a number of other areas as well. These include supply chain management, shipping & logistics, e-governance, energy, education and financial services. Food traceability, enforcing music rights, securing payments and even tamper-proof vaccination certificates can all be delivered via blockchain. Many of these use cases are already under implementation in India. Even the emerging metaverse world is expected to make use of blockchain concepts.

Image Credits:

Photo by Ivan Babydov: https://www.pexels.com/photo/gold-bitcoin-coin-on-background-of-growth-chart-7788009/


India's Own Crypto Asset Regulations Soon: Plugging an Important Gap

Till last year, most people (at least in India) had probably only heard of cryptocurrencies such as Bitcoin and Ethereum; now, many other names such as Dogecoin, Solana, Polkadot, XRP, Tether, Binance etc. are being spoken of commonly in media. The global cryptocurrency market cap is estimated at over US$2.5 Trillion.

India too is witnessing a surge in investment in cryptotokens – especially by millennials. There is a corresponding increase in the number of advertisements for cryptocurrencies on national television as well as on various websites; mainstream media reports extensively on the daily price movement of cryptocurrencies. One estimate puts the number of crypto investors in India at between 15-20 million, and the total holdings to be in excess of US$5.3 billion.

This surge in unregulated cryptoassets is a matter of rising concern globally. Recently, PM Modi urged democracies around the world to work together to ensure that cryptocurrencies do not “end up in the wrong hands”, as this can “spoil our youth”. His exhortation came just days after RBI Governor Shaktikanta Das spoke of “serious concerns” around cryptocurrencies.

The RBI’s 2018 blanket ban on cryptocurrencies was lifted by the Supreme Court in 2020. However, the time has now come for the government and regulators to act quickly, and there are indications that regulations are just around the corner. At the time of writing, the government has already announced its intention to table The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021 in parliament in the winter session.

It is expected that through this legislation, the Indian government will seek to ban private cryptoassets. This means that those who trade in such cryptoassets may be liable for penalties and/or other punishment. It is also expected that there will be tighter regulations around advertising such products and platforms where cryptoassets can be bought and sold. Another regulatory salvo could be around taxing cryptogains at a higher rate (although such notifications may have to wait for the next budget due to be announced in another three months). The bill is also expected to deny the status of “currency” to cryptoassets because the prevailing ones are issued by private enterprises, and not backed by any sovereign.

The government has also acknowledged the potential of sovereign digital currencies (or CBDC – Central Bank Digital Currency, as they are officially called) in the days ahead. Countries such as China and the USA are at various stages of launching their own digital currencies, and experts predict that such CBDCs will be the “future of money”. In this context, the proposed bill is expected to create a “facilitative framework” to pave the way for the RBI to launch India’s sovereign digital currency in the days ahead. In fact, the RBI is already working on India’s CBDC, and some media reports suggest that such a launch may happen in the next couple of months (which may also explain the timing of tabling The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021, at this time). CBDCs too require crypto and blockchain technologies that are similar to those that underpin cryptoassets, so the bill is also expected to promote these technologies for specific purposes. Indeed, not doing so would be akin to throwing out the baby with the bathwater.

Given their wide global reach, cryptoassets arguably will have a role to play in the world’s financial system. However, countries such as India must ensure proper regulation because by their very nature, cryptoassets can easily be misused for various activities that can destabilize the nation. They will allow for free inward/outward remittances that will be harder to trace; being encrypted, the origins of such wealth too will become easier to hide. All this will make cryptoassets even more convenient for nefarious activities such as money laundering, terror-funding, drugs-financing etc. In the absence of appropriate regulations, the rising supply of cryptocurrencies can hobble the RBI’s ability to perform its basic role. Its ability to manage the Rupee’s value against global currencies too will weaken, as will its ability to use domestic interest rates as a means to balance the economy’s twin needs of inflation management and providing growth impetus. This is a scary scenario, but not one that could unfold in the short-term. Even so, India needs to be prepared.

PS: The Indian government’s announcement to regulate cryptoassets has already triggered a significant (8-10%) correction in the prices of various cryptoassets. It’s therefore a good idea for resident Indians holding cryptoassets to sell them. They can decide on their future course of action once there is clarity on the specific regulatory impact of the proposed bill.

 

Image Credits: 

Photo by Worldspectrum from Pexels
