By Pawan Goyal
Ever since GoI mandated linking Aadhaar to PAN (Permanent Account Number), there has been much debate about how the Unique Identification (UID) number invades citizens’ privacy. While there are valid concerns around Aadhaar data, the privacy issues with data collected by pervasive digital services are equally, if not more, important.
It is hard to imagine a life without Google, WhatsApp, Facebook, Uber and Ola, Flipkart and Amazon, Netflix, Paytm, et al. These services have made information ubiquitous, connected the world, and improved the quality of life. However, they also collect a huge amount of data about every individual who uses them. Your friends and relatives, your intimate conversations, the places you visit, the amount of time you spend at different locations, the things you buy, your interests, your political views — all are pieces of data known to these services.
If one puts all these data together, one can build a better picture of an individual than, perhaps, the individual himself. Now imagine all this data of Indian citizens available to, say, an intelligence agency of a foreign government.
The possibilities of using this data are endless. If a policy decision is likely to be unfavourable for a country, the agency can dig up dirt using the digital data on, say, a key policymaker, and make her change the decision.
If a politician or an industrialist is not favourably disposed towards a country, the latter can start targeting him with messages to change his opinion. It can detect troop movement just from changes in the location data of armymen, and obtain military intelligence. Who needs spies when you have access to digital data?
But Indian laws will protect such information from foreign intelligence agencies and governments, right? Wrong. There is no law that protects Indian citizens’ data from getting into the hands of a foreign entity. In fact, the US National Security Agency’s PRISM global internet surveillance programme collects exactly such information. So why do Indian laws not provide protection against such access? The issue has to do with where the data is ‘resident’ (read: stored).
I live abroad, but on server
Data is protected under the laws of the land where it is stored. The data collected by the aforementioned services are resident outside India, mostly in the US. Thus, US data protection laws apply to them.
These laws restrict US government access to US citizens’ data. However, no protection is afforded to non-US citizens’ data. So, the US government can have as much access as the service providers are willing — or directed by court — to provide.
To allay privacy concerns of the EU, the US passed the Judicial Redressal Act in 2015. This law protects the privacy of a citizen of a country, to a limited extent, if there is a treaty between the US and that country. India is not covered in this Act. Furthermore, the Donald Trump administration has weakened the protection offered under the Act.
So, what should GoI do to protect its citizens’ data and keep it private? It needs to create data residency laws that mandate that services that store personally identifiable information should store them in India so that the data remains under the jurisdiction of Indian courts.
In April, Attorney General of India Mukul Rohatgi promised to bring a data protection law by October. That is great. But without data being resident in India, Indian privacy laws will have little relevance for a vast majority of data collected on Indian citizens that resides outside India.
Data residency laws have already been enacted by Russia and China. The EU is in the process of enacting them. Beijing has an additional draft law out for comment that will require any foreign-owned entity to certify that any data taken out of China’s borders will not impact national security or interests.
India has taken limited steps in this direction. Any data that is part of any government digital service, such as Aadhaar, is mandated to be resident in India. It now needs to extend the same regulation to protect non-government-owned citizen data.
One issue often raised against data residency laws is that they will make it hard for new services to gain a foothold in a new country. For example, if WhatsApp was required to have data resident in India, due to costs, it may have never introduced the service here.
This issue can be addressed by ensuring that data residency laws come into effect only once the service has a material number of citizens using it. So, services will incur increased costs of data residency only when they have reached a scale at which they can afford it.
Data is the New Weapon
Currently, Indian agencies are at the mercy of foreign agencies to get data on the country's own citizens. This isn’t desirable from a security perspective. Indian agencies should be able to get access to citizen data that is permissible under Indian laws.
The next war will not be physical, it will be in cyberspace, and data will be the key weapon. We need to protect our weapons, and prevent colonisation — in whatever seemingly benign form it may be attempted by foreign private companies or governments — all over again.
(The writer is general manager in a software firm)