The ‘terms and conditions’ of data protection

Data has become one of the most valuable resources in present times and is being positioned as the catalyst for future innovation and growth. With India moving towards digitisation and 451 million monthly Internet users, it offers digital providers a sea of opportunities to engage in its data economy. Ease of access, expanding Internet penetration and growing demand for smartphones/digital devices have played pivotal roles in transforming the Indian digital ecosystem and promoting digital inclusion. However, irrespective of the huge user base, a large swathe of the population has not embraced digital due to traditional barriers, lack of trust on the digital landscape, the fear of privacy leakage and low awareness of technology.

On the one hand we have burgeoning possibilities of the digital economy, and on the other we have grave concerns of privacy and security of our people being compromised. To address these concerns and bring regulation in the digital realm, the government introduced the Draft Data Protection Bill (DDPB) in July 2018. Aligned to the European Union’s General Data Protection Regulation (GDPR), the government introduced the Personal Data Protection Bill (PDPB) last year with an aim to protect personal data of individuals. Recently, the Union Cabinet cleared the PDPB Bill to be tabled in Parliament for discussion, debate, and approval.

Welcoming the change

The Personal Data Protection Bill is a progressive move in regulating how a user’s data is protected without compromising data sovereignty. A report by the Digital Empowerment Foundation indicates that 90% of the Indian population lags in digital literacy. This Bill will prove to be a blanket cover for safeguarding their rights.

It will also represent a huge shift in the way enterprises handle data. Organisations will be expected to overcome several unique regulatory and compliance challenges to meet the requirements of the regulation. The GDPR was a big movement and made everyone take security more seriously. However, there is scope for full compliance and by focussing on the principle of ‘data protection by design and default’, this Bill will encourage organisations to make privacy and data protection a part of core business values, instead of a casual afterthought.

Since most organisations now will collect, store, and process the data within the country to avoid any complications, it will also make India a processing hub. It will also allay data privacy fears, thereby giving us as well as the global players the added confidence to actively participate in our growing digital economy.

The proposed Bill will encourage businesses to process data in India, making it a data processing hub. In addition, due to the enhanced security features required to secure individual data, businesses will be upgrading or investing in new security tools. On the other hand, people should embrace the solutions offered by the PDPB as it will not only bring transparency in terms of data privacy but also help simplify and ease the communication process between user and entity. In the long run, this Bill will dissuade stealing individual information as the usage and value of the stolen data will be insignificant without individual consent.

The fine print of “terms and conditions”

Feeling positive, right? Now read the last line of the above paragraph again. ‘Consent’ being the key word in the fine print, has the power to make or break it. Studies in India indicate that most Internet users neglect best practices of cybersecurity. Almost 90% of Internet users don’t know how to protect themselves online and 60% of them download apps without reading terms and conditions.

We must bear in mind that the realisation of the benefits of the Bill can be reaped only if there is a clear roadmap where the process and controls for each step are well defined, easy to understand and adhered to by the end user. The user must be aware of the implications and understand the binding he/she is making by clicking on “I Agree” on a digital document; be it while accepting cookies during web browsing or granting access to other areas of the phone when downloading apps. According to the Guardian, only 7% of people read the entire terms and conditions document, clearly showcasing the attention paid to legal details by readers. Further, it is imperative for users to question and verify each step of the process or understand the right and obligation before committing to the agreement. As per the new Bill, acquisition of data will be done with consent, for a defined purpose, to be stored and processed during a specific timeframe only and discarded thereafter. Moreover, the user has the capability to revoke the consent. These measures will help if the end user whose data is being collected is aware and questions or verifies each of these steps.

Unfortunately, due to a lack of digital and cyber awareness, and lengthy verbose and jargon-filled digital documents, people do away with reading or understanding the need behind the request for access and give their consent to collect, use, and process their data without thinking about its consequences. Such behaviour will only hinder protection of data. There should be tight governance and security in acquiring, processing, storing and discarding of data. In a world where digital services are being used at single clicks, it is the fiduciary responsibility of digital service providers to protect and guard the interests of the user. This can be managed better with tight governance in the consent process by regulation; and simple, transparent, and concise communication so that “I Agree” becomes meaningful.

Views are personal.

The author is head - Vertical Solutions, NTT Ltd. (India).