The Best Time to Enact Data Protection Laws was 20 Years Ago; The Next Best Time is Now!

The road to personal data protection in India has been rocky. In 2017, India’s Supreme Court upheld the right to privacy as a part of our fundamental right to life and liberty. A panel chaired by retired Justice B N Srikrishna was given the task of drafting a Bill. In 2018, this panel submitted its draft to the Ministry of Electronics & Information Technology. The Personal Data Protection Bill that was eventually tabled in parliament in December 2019 proposed restrictions on the use of personal data without the explicit consent of citizens and introduced data localization requirements. It also proposed establishing a Data Protection Authority.

However, the bill was widely seen as a diluted version of what was originally envisioned by the Srikrishna panel in terms of its ability to truly protect the data/privacy of individuals. The bill was seen to place a significant regulatory burden on businesses and thus viewed as an impediment to the “ease of doing business” in India. A major bone of contention was the bill granting the government a blanket right to exempt investigative agencies from complying with privacy and data protection requirements. Understandably, there was pushback from BigTech, global financial services players as well as activists; even startups were unhappy with the proposed regulatory burdens.

In December 2021, after a number of extensions spanning over two years, the Joint Parliamentary Committee (JPC) that was set up to examine the draft bill submitted its report to the Lok Sabha. The JPC report has reportedly highlighted areas of concern and proposes a number of amendments/recommendations such as:

  • a single law to cover both personal and non-personal datasets;
  • using only “trusted hardware” in smartphones and other devices;
  • treating social media companies as content publishers, thus making them liable for the content they host.

In early August 2022, the government withdrew the Personal Data Protection Bill, 2019, with the promise to introduce a new one with a “comprehensive framework” and “contemporary digital privacy laws”.

 

India needs New Regulations to Plug the Data Protection Gap

That India needs robust data protection and privacy regulations which should be enacted soon is beyond debate. With digitalization becoming ever more pervasive by the day, the longer we are without clear regulations, the greater the risk is to our citizens. Each of the major trends below has the potential to infringe on individual privacy and can give rise to large-scale risks of user data (including personally identifiable information) being leaked/breached and misused:

  • The growth in digital banking, payment apps and other digital platforms.
  • The potential for Blockchain-based apps (in education- e.g., degree certificates, mark sheets; in health care – medical records; in unemployment benefits; KYC, passports etc.).
  • The growing popularity of crypto assets (and the attendant risk of them being used for money laundering, funding terror/anti-national activities etc.).
  • The rise of Web 3.0.
  • The increase in the use of drones for civilian purposes (e.g., delivery of vaccines, food to disaster-hit areas etc).
  • The emergence of the Metaverse as a theatre of personal/commercial interactions.

According to a news report, IRCTC had sought the services of consultants to help them analyze the huge amount of customer data they have and explore avenues to monetize the information. Given that the existing bill has been withdrawn, they have deferred this plan till new legislation is in place. Delays in enacting new data protection legislation thus also can impact revenue growth and profitability of various businesses- which is another reason for quickly coming up with new legislation.

 

The New Data Protection Law should be Well-defined and Unambiguous

While “consent” must be a cornerstone of any such legislation, the government must also ensure that users whose data need to be protected, fully understand the implications of what they are consenting to. For example, each time an individual downloads an app on his/her smartphone, the app seeks a number of permissions (e.g., to mic, contacts, camera etc.). As smartphones become repositories of larger slices of personally identifiable information as well as financial data (such as bank/investment details), and authentication details such as OTPs, emails etc., the risks of data breaches and misuse that cause serious harm increase. There are a number of frauds and digital scams to which citizens are falling prey. Commercial and other organizations that build and manage various digital platforms must be held accountable for what data they capture, how they do so, why they need the data, how/where they will store such data, who will have access to them etc.

Just as important is for the new law to define unambiguously terms like “critical data”, “localization”, “consent”, “users”, “intermediaries” etc. Many companies are establishing their Global Captive Centres (GCCs) in India, to take advantage of the large talent pool and process maturity. Strong laws will encourage more layers to consider this route seriously, thereby adding to jobs and GDP growth. Such investments also make it easier for India to be a part of emerging global supply chains for services (including high-value ones such as R&D and innovation).

It must address the risks of deliberate breaches as well. For instance, if hybrid working models are indeed going to remain in place, who should be held responsible for deliberate data leaks by employees working remotely? Or by their friends/relatives/others who take screenshots (or otherwise hack into systems) and share data with fraudsters?

While fears of an Orwellian world cannot be overstated, India’s new data privacy/protection legislation must be sufficiently forward-looking and flexible to give our citizens adequate safeguards. If the government fails to do so, our aspirations to become one of the top three nations on earth will take much longer – worse, they main only remain on paper as grandiose but unfulfilled visions.

Picture Credits: Photo By Fernando Arcos: https://www.pexels.com/photo/white-caution-cone-on-keyboard-211151/ 

While fears of an Orwellian world cannot be overstated, India’s new data privacy/protection legislation must be sufficiently forward-looking and flexible to give our citizens adequate safeguards. 

POST A COMMENT

The Metaverse and its Numerous Concerns

There is a lot of buzz being generated around the “Metaverse,” which can be defined as a virtual reality-based shared digital world in which users (through their “avatars”) can enjoy three-dimensional, multi-sensory experiences. This rapidly-evolving, technology-driven paradigm is a huge shift away from the present, where digital interactions are based on text, audio and two-dimensional images/videos. The excitement around the Metaverse is due to the immense possibilities that exist around how it can be used for social interactions, commerce, media & entertainment, education, manufacturing, healthcare, defense etc. Not surprisingly, many companies, even in India, are investing in Metaverse capabilities.

While the potential for metaverse cannot be denied, it is just as important to recognize and acknowledge that there are several grey areas around this paradigm. If timely actions to prevent the misuse of the metaverse are not taken by the global community, we run the serious risk of opening a new Pandora’s Box. And once the proverbial genie is released from the bottle, it is virtually impossible (pun intended) to put it back inside.

The Potential Dangers of the Metaverse

 
What are the biggest fears surrounding the Metaverse? Concerns have been expressed from different quarters around issues relating to the privacy, safety and well-being of people who are active in the metaverse. In the current scenario, people use social platforms to connect with each other. If someone with whom I do not wish to engage seeks to connect with me in a basic digital world, I can easily deny the friend request. Even after having granted them permission initially, I can choose to block such persons. During the time they have permission to engage with me, the worst that can happen is that they send unwanted texts, audio messages or images and videos.

This is bad enough, but in the metaverse, the kind and nature of obscene or harmful content will change drastically; consequently, so will the impact of such material and experiences on vulnerable segments of society. 

For example, in the metaverse, it is quite possible for complete strangers to enter someone else’s personal space – without the latter being aware of who the former is. Given the multi-sensory capabilities of the metaverse, which includes haptic technology (the sense of touch), the experience and impact can be far worse. Arguably, the metaverse (as it exists currently) lends itself more easily to bullying, sexual abuse or intimidation. Indeed, there have been recent media reports that some VR-based games that are accessible to young children contain inappropriate content. 

AI-driven deep fakes can further muddy the waters by creating and distributing patently false content that is almost impossible to detect as fake. There is enough fake information circulating on Whatsapp as it is, think of the danger of content that purportedly shows politicians or others saying things designed to inflame emotions.

NFTs will be key to the evolution and growth of the metaverse, providing owners of physical assets such as paintings and IPR such as rights to music, movies etc. new avenues to monetize them at scale. Cryptocurrencies and tokens are likely to form the principal currency in the metaverse, powering commerce and payments. As of now, cryptocurrencies are anonymous and independent of mainstream banking and financial systems. 

In the absence of regulations that are uniformly enforced globally, such parallel payment systems can be easily misused for illegal and immoral activities and transactions, including child sexual abuse. It is likely that fraud and crimes will increasingly crisscross between the current digital world and the metaverse (and perhaps the physical world), making them harder to detect and bring the perpetrators to book.

Addressing the Issues Surrounding Metaverse 

 

A multipronged approach is key to addressing the potential dangers of the metaverse. It is vital to frame appropriate legislation and arm various regulatory agencies with the power to catch and punish violators is vital. The basic premise around legislation has to be this: if something is illegal or against the law or generally accepted social mores in the “real”, physical world, it must be treated the same way in any parallel “virtual reality” based universe.

However, legislation alone cannot secure the metaverse. It will be essential to hold creators of content and platforms that enable distribution and access responsible for violations. The metaverse infrastructure needs to be designed with more intent to put in place appropriate safety mechanisms right at the beginning. As a global society, we must learn from our experiences with the downsides of social media platforms (false information, cyber-bullying, digital fraud etc.) and take preemptive actions that can prevent problems before they become common. This is significant because changing processes after people have grown accustomed to them is never easy; also, some damage may have already occurred. It may also be necessary to think of ways to incentivize good behaviour in the metaverse.

The metaverse is expected to surge ahead quickly on its evolutionary path. Its trajectory cannot be predicted in advance, therefore, what is needed is constant vigilance and for global action to be taken in a concerted manner. The UN system is supposed to be the primary keeper of international order. A number of events over the past couple of decades have painfully driven home the point that the UN architecture needs an urgent and major overhaul. As part of this exercise, it may be useful to establish a new global body tasked with the responsibility of overseeing and governing the metaverse. Regional political/economic blocs must be encouraged to ensure that their members comply with rules and regulations related to the metaverse.

The metaverse is expected to surge ahead quickly on its evolutionary path. Its trajectory cannot be predicted in advance; therefore, what is needed is constant vigilance and for global action to be taken in a concerted manner.

POST A COMMENT