India ranks fourth in military strength and is the sixth-largest spender on defence, according to Global Firepower Index 2022. The size of India's military on active duty is around 1.4 million, and combined with reserve and paramilitary forces there are more than 5 million defence personnel in the country. Yet such a mighty defence force could not protect the lives of those who committed suicide because of Chinese loan apps!
The frontiers of war have changed terrain. Despite having a powerful military force, the safety of a nation's infrastructure, the lives of its people, and financial stability are compromised when a nation's cyber defence comes under threat.
Digital sovereignty demands the same seriousness on the cyber front as is given to its physical counterpart. Protection of the nation and its people, regulating the entry of foreign businesses, restricting and monitoring the entry of foreign citizens, regulating international commerce and transactions, and safeguarding key infrastructure are as important in the digital domain as they are in the physical world.
Ironically, policymakers in India are more focused on data privacy issues while digital sovereignty attracts less attention.
Data privacy and data sovereignty are intertwined, but they are very different, says Vineetha M.G., partner, Samvad Partners law firm. "Data privacy is the right of a data principal to control the processing of personal data. However, data sovereignty is the right of a sovereign to exercise control over the data of its citizens in a way similar to the rights exercised by them over other natural resources," she adds.
How Digitally Vulnerable Is India?
Most Indian businesses rely on foreign IT infrastructure. Cloud service providers such as AWS and Google Cloud have their servers in the U.S. Any international incident leading to service sanctions can potentially paralyse Indian businesses. The U.S. also has the authority to access data at any point.
It is not only businesses: data shared by Indian citizens on social media is also housed in foreign jurisdictions.
The Indian Computer Emergency Response Team (CERT-In) reported over 6.7 lakh cyber security incidents in the first half of 2022. The average cost of a data breach in India is $2.32 million, according to an IBM report. It means a business loses an average of ₹17.4 crore in a single data breach.
In fact, cyber attacks and crimes pose a far bigger threat to government entities and institutions, whose malfunctioning can have far-reaching consequences on a much-larger scale.
Exodus of money through crypto exchanges, trading apps, gaming apps and NFT platforms is another serious threat that can hit financial stability. World over, efforts are on to counter these through various measures.
China, for example, started imposing various bans on cryptocurrency business in 2013 and totally outlawed it in 2021. It is now strengthening homegrown Ali Cloud as a global Cloud services provider.
The Chinese data protection law — Personal Information Protection Law (PIPL) — ensures that any organisation across the world processing the personal data of Chinese citizens complies with the provisions of PIPL, says Abhishek Malhotra, managing partner, TMT Law Practice. But processing of data of Indian users overseas has continued since there is no comprehensive data protection law in India, he adds.
Arun Prabhu, head, technology, media and telecom division, Cyril Amarchand Mangaldas, highlights the recent European Union measures that ranged from hard localisation requirements and walling off the Internet, to broader policy initiatives around artificial intelligence, creation of content-specific Clouds and attempts to regulate Big Tech.
The E.U. has proposed a new Cyber Resilience Act, which aims to improve security of Internet-connected devices. The E.U. Parliament is also planning to bring NFT trading platforms under anti-money-laundering law. The Union is the pioneer of data privacy laws through its GDPR (General Data Protection Regulations).
India has been proposing various legislations on the digital front, but none has been tabled in Parliament yet. The legislation on cryptocurrency has gone through two iterations since 2019. The legislation on data protection has been proposed in many avatars since 2012. The country relies on existing laws like the Indian Penal Code and IT Act 2000 to tackle cyber assaults.
Since a large part of cyber threats are financial in nature, institutions such as the Reserve Bank of India (RBI) have the regulatory power to identify and mitigate them. However, of late, RBI's diktats have been challenged in courts and dismissed due to lack of relevant legislation. The entire gamut of crypto businesses is operating in the domestic market by defeating RBI in the Supreme Court case — Internet and Mobile Association of India Vs Reserve Bank of India.
In fact, there seems to be an over-reliance on regulatory bodies to come up with guidelines. For instance, CERT-In issues cyber security regulations for operation of IT systems, but there are no statutory standards for setting up tech infrastructure.
There seems to be a dichotomy between threat to the nation and that perceived by the government when it comes to formulating legislation for data privacy and protection. Free speech seems to be the pivotal threat perceived by authorities, which appears to give unequal importance to user-generated content within regulatory frameworks. The current regulations for social media intermediaries framed by the Ministry of Electronics and Information Technology are largely aimed at containing social media posts, which are against public decency and public policy. The Centre also has the authority to dictate a social media intermediary to remove any posts or block any individual from accessing his/her social media account without giving prior notice.
"India should come up with a framework which is not restrictive, but consent based and sustainable like a licence-based framework where the data processor/fiduciary pays a certain amount to the government to harvest data, with the consent of the data subject," says Vineetha.
The biggest issue with both legislators and businesses operating in the digital domain is the steering of policy focus towards civil legislation and the regulation of established domains like social media. Criminal legislation and corporate or financial regulations for new domains like crypto-trading are largely ignored by both legislators and industry stakeholders.
The Data Privacy Bill due to be tabled in the Winter session of 2021 was allegedly withdrawn because it imposed heavy compliance on companies regarding collection, storage, and use of citizens' personal data, while providing unlimited powers to government authorities to access the same data under the clause of protection of national security. Users' data from private entities such as Amazon, Flipkart, Jiomart, SEBI, SpiceJet and SBI has been stolen and sold on the darknet. Government sites have been hacked as well.
Microsoft's Global Tech Support Scam Research, based on a sample size of 2,100 Indians, reveals 70% of digital Indians were targeted by cyber scams in 2021, 31% of whom lost money. The average monetary loss per victim was ₹15,334, the report said.
Foreign Cyber Offenders
The key gap in India's cyber defence strategy seems to be the unbridled entry of foreign entities into its cyberspace. Crypto exchanges — WazirX, KuCoin, Kraken, Binance and Huobi — operating in India belong to entities of Chinese origin. The main reason for the rise in cyber crimes in the country is the ease with which money can be laundered through crypto exchanges.
Similar unchecked access was given to Chinese fintech companies who entered into agreements with defunct Indian NBFCs to gain licence to distribute loans through apps. These instant loan apps stole private data of debtors and extorted them for paying illegally high interest rates through blackmailing tactics such as creating pornographic content using pictures stored in debtors' phones and threatening to publicise them.
Forex trading apps such as OctaFx and gaming apps like Garena Free Fire have also set up shop in India due to lack of regulations. They not only exploited people through illegal means but also siphoned off the loot money by sending it to parent entities based outside India, which the Enforcement Directorate (ED) is now trying to recover.
The Supreme Court ruling against RBI in crypto exchanges' case has probably made the central bank wary of restricting dubious entities from starting businesses in India. The RBI appears to have waited for the commission of an offence before taking regulatory measures to ban foreign entities, like it has done in the case of foreign fintech companies entering into agreement with Indian NBFCs.
Lack of legislation not only allows foreign entities to commit crimes in India but also restricts authorities from taking action against them unless it is a threat to the public.
One can argue there is regulation in crypto-related activities since the police or ED will register a case and investigate it. But if laws were in place, crimes would not have happened in the first place, says a criminal lawyer.
Data Protection, Or the Lack of It
Data breaches and theft of data from entities such as banks, airlines, e-commerce platforms, healthcare IT systems, payment gateways, etc., are largely responsible for cyber crimes from abroad.
According to global cyber security firm SurfShark, India ranks seventh among countries most affected by data breaches. The country loses 3.8 data points per breach, whereas the global average is 2.3. A data point is a single piece of information about any Internet user that gets extracted in a data breach. Username, password, contact number, age, gender, etc. each constitute a single data point. SurfShark claims Indians lose more data points per breach because the CERT-In directive calls on companies to collect data extensively within Indian jurisdiction and to store it for five years even after closure of an account, making users' data even more vulnerable.
Cryptocurrency: The Cash Cow
The crypto landscape has become the Wild West of the Indian business world, where crimes ranging from money laundering to abetment to suicide, con schemes, and misleading marketing thrive in the absence of regulations.
The UN Conference on Trade & Development (UNCTAD) Policy Brief No. 100 states that cryptocurrencies may become a widespread means of payment and even replace domestic currencies unofficially, a process called cryptoisation, which could jeopardise the monetary sovereignty of countries.
Indians are the second-largest crypto owners globally with 27.5 million — around 2% of the population — according to September 2022 data released by Triple A, a Singapore-based cryptocurrency payments company. A 2022 report by community platform NFT Club says the country is home to the third-largest number of NFT companies globally. It has lost at least $9.1 billion due to fraudulent NFT wash-trading, according to U.S.-based blockchain analysis firm Chainalysis.
Ironically, in India, the only regulation on digital assets is the 30% tax on income.
Lack of regulations, coupled with lucrative marketing by crypto businesses, has made India a hotbed of crypto-related crime. The ED is investigating multiple cases of money laundering using crypto exchanges.
In July this year, Vauld, a crypto-lending platform, suspended its operations and froze all transactions. Social media influencers, including Ankur Warikoo, Akshat Srivastava and others, who promoted Vauld are now drawing public ire. So far, neither Vauld nor the influencers have had any tryst with the law in this regard.
It is ironic that despite India being deemed the IT powerhouse of the world, its citizens' wealth and lives continue to be affected due to lack of digital legislation.