At his testimony before the U.S. Congress, Facebook CEO Mark Zuckerberg spoke about the upcoming elections in India. “2018 is an incredibly important year for elections not just with the U.S. midterms, but around the world. There are important elections in India, in Brazil, in Mexico, in Pakistan, and in Hungary,” he said. “We want to make sure we do everything we can to protect the integrity of those elections.”
But is Zuckerberg’s assurance enough? Can Facebook truly ensure that there is no meddling in India’s general elections? Political consulting firm Cambridge Analytica is accused of harvesting the Facebook data of millions of people and targeting them with ads designed to influence the Brexit referendum and the U.S. presidential election.
Instead, shouldn’t India proactively strengthen its data privacy laws?
India’s existing regulation on data protection, the Information Technology (IT) Act, 2000, did not explicitly protect data in its original form, experts say. And even subsequent amendments were “retrofitting of the law”, says Sunil Abraham, executive director of the Centre for Internet & Society, a Bengaluru-based research and advocacy firm.
One amendment, Section 43-A, makes a “body corporate” possessing, dealing or handling any sensitive personal data or information liable to pay damages if it has been negligent in implementing and maintaining reasonable security practices, thereby causing “wrongful loss or wrongful gain” to any person. The other amendment, Section 72-A, provides a criminal remedy (imprisonment of up to three years, or a fine of up to Rs 5 lakh, or both) for disclosure of personal information in breach of lawful contract.
But Abraham says that by specifying sensitive personal data, the law excludes breach or misuse of data that aren’t biometrics or the like. “Whenever you produce regulations in this manner those regulations are rarely comprehensive, and, therefore, we are in this situation,” he says. In other words, seemingly innocuous information such as a person’s pop culture interests, political ideology, literary preference, or shopping history is not protected.
Under the current law, companies are also not responsible for notifying users if their data are breached. “The entire framework around notification, or how does a user know that their data has actually been affected by a breach; none of these provisions actually exist under Indian law,” says Amlan Mohanty, senior associate, technology and policy, PLR Chambers, a law firm.
Sahir Hidayatullah, CEO of Smokescreen Technologies, a cybersecurity firm, says since Indians are not culturally attuned to the idea of privacy, a comprehensive law is important.
India understands that the existing data protection law is behind the times. Last year, the government constituted a committee of experts chaired by former Supreme Court Justice B.N. Srikrishna to study the matter, make specific suggestions, and suggest a draft Data Protection Bill. In February, speaking on the sidelines of an international conference, India’s electronics and information technology minister Ravi Shankar Prasad said the committee will soon submit its report.
The lawmakers can perhaps take a cue from the European Union’s General Data Protection Regulation (GDPR), which will come into effect this May. Among other things, GDPR gives individuals greater rights to access data on them, correct inaccuracies, erase personal data in certain cases, and to even transfer their data from one firm to another.
GDPR also clearly defines consent. “The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language,” it says. The law gives users the right to withdraw their consent at any time. Currently, most Internet companies seek consent to multiple matters at once, usually when a new user registers for or downloads their service, and it is often difficult, if possible at all, to review it. GDPR will change that in the EU.
Supratim Chakraborty, associate partner at law firm Khaitan & Co, says a clear regulation on consent is requisite in India, where many are first-time Internet users or do not understand English or are even illiterate. “When you obtain consent, it has to be understood in a proper manner by the people, and secondly, the people who are receiving the data are also obligated to protect it in a particular manner. That is something that we should gun for in the new law,” says Chakraborty.
Mohanty of PLR Chambers says GDPR also spells out the principles of applicability with clarity by stating the law will be applicable even to a foreign entity if the breach impacts an EU citizen. “The problem in India is ensuring that foreign companies operating in India are held accountable,” he says. “One of the key issues that India has to deal with is ensuring that the law that India passes is going to be applicable to entities that function outside India.”
Sivarama Krishnan, partner and leader, cybersecurity, at consultancy PwC India, says India also needs to address the issue of who or which body will implement the data protection law. “In the Western world, there is usually a privacy commission or authority, and resources to enforce the regulation. In India, there is lack of enforcement capability in the government to implement the existing regulation,” he says.
There is also the matter of the government’s priority. The union government’s biometric identification programme, Aadhaar, does not have a spotless record on data protection: users’ data have on multiple occasions been breached, or even published online, by third-party service providers, hackers, and even government websites.
But India has seen serious consequences of weak data protection: A judge’s report on the 1993 Bombay riots found that voters’ lists and business registers were used by perpetrators to identify victims and their businesses.
Today, there is a lot more data a criminal can get access to, from a government identification programme to your Facebook profile to your smartphone’s GPS signal. No data breach is innocuous.
(The article was originally published in the May 2018 issue of the magazine.)