The Supreme Court’s decision in the Puttaswamy case established the right to privacy as a Fundamental Right under Article 21 of the Constitution. Given the rampant data leaks and unauthorised tapping of users’ data, the court’s decision was applauded by citizens and privacy activists alike.

That’s not surprising. According to recent research by AudienceNet, a social and consumer research company, for most urban Indians, irrespective of their age or gender, privacy and safety of personal data remains a major concern. That may explain the popularity of end-to-end encrypted messaging platforms such as WhatsApp.

However, critics argue that fully encrypted social media platforms are prone to misuse and are a tool for spreading fake news, especially during elections, which calls for corrective action. It’s heartening to note that social media platforms are increasingly taking steps to mitigate such risks. Nevertheless, India’s data protection regime remains a concern. The existing privacy framework under the IT Act 2000 and Telegraph Act 1885 is inadequate when it comes to providing protection to data or remedies in case of data breach. Besides, there are no effective safeguards against excessive state surveillance under the existing rules.

India’s draft Data Protection Bill 2018 emphasises the need for data localisation to ensure data privacy and prevent foreign surveillance of Indian citizens. Undoubtedly, the Bill provides far greater protection to privacy than the IT Act, its grievance redressal mechanism is better, and its punishment for data breach is harsher.

Yet it has several flaws. The scope of non-consensual processing of data is too wide: consent will not be needed for data processing on grounds such as national security and legal proceedings or for any other reasonable purposes specified by the proposed Data Protection Authority (DPA).

The exceptions granted to the state by the proposed law do not inspire confidence as they allow unwarranted intrusion into citizens’ privacy. Besides, the degree of data privacy will depend on the effectiveness of the country’s data-protection regime and not where data is located. Moreover, domestic enforcement agencies may pose a greater threat to an individual’s privacy than suspected foreign snoopers due to local storage of data.

India’s proposed data protection law in its current form is not effective enough to safeguard data principals against unchecked state surveillance.

Thus, imposing a sweeping data localisation regime on the country without an effective mechanism to protect (personal) data may encourage intrusive data gathering by state agencies.

Besides, there are adverse side-effects of localisation that are not being fully appreciated. For instance, localisation may drive up the infrastructure cost of IT firms, tech start-ups and SMEs that currently rely on storing data abroad, which costs less.

India’s software and IT-enabled services sector is export driven and deals with data of non-national citizens and corporations. Mandatory data localisation could be perceived as a protectionist trade barrier and may prompt retaliation. Moreover, consumers will have to bear higher charges for digital services arising out of local data storage.

The way forward

Trust remains a major concern for social media users given widespread data leaks and unauthorised use of users’ data. Thus, tougher privacy norms — either self-imposed or enforced by government — are needed. Encryption, by ensuring the safety and security of data, will improve trust.

However, social media and messaging platforms must take responsibility to check the misuse of their platforms. In this context, WhatsApp has taken several pro-active measures to prevent misuse. For instance, it has stopped the forwarding of a message to more than five people in one go in India. It has also started a helpline that users can use to verify any message or news being circulated.

Encryption strengthens privacy while localisation may weaken it. There is a potential danger that allowing the state unrestricted access to users’ data through regulatory moves such as data localisation will dilute privacy protection and may lead to state intrusion into citizens’ personal lives, undermining the spirit of the Supreme Court’s decision in the Puttaswamy case.

A far better alternative to data localisation would be bilateral and multilateral data-sharing agreements that will keep India’s digital economy open and yet expedite criminal investigation without diluting the protection to privacy.

The writer is CEO of Indonomics Consulting, a policy research and advisory start-up.
