My friends have been asking me off and on what the fuss over the Personal Data Protection Bill 2018 was really all about. Well, in my over 45 years in finance and analytics I can say that data has never been of so much importance and value as it is today. I think data protection and privacy in the 21st century is one of those subjects of vital importance – everything now happens through data in an electronic, readily copiable, easily transferable and analysable form.
You are interlinked
In fact, you are no longer ‘you’ – you are an Aadhaar number. And these harmless 12 digits carry behind them the sea of information that is you – your incomes, your tax payments, your credit cards, your properties, your investments et al. And remember, these data are all interlinked through the process called KYC (know your customer). Can this harm anybody? For example, whether a child is a possible target for a Momo game or a Blue Whale round could be as easy to gauge as reading an SMS. Precious young lives are being lost, and rampant blackmailing and depression-related symptoms are seen in youngsters. Now let us say a foreign intelligence agency is privy to somebody’s personal assets and liabilities, his financial information and economic behavioural patterns; the agency knows whether he could be ‘useful’ for purposes which could also be anti-national in nature. Or your data can, through big data analytics, point to your preferred political choices. So that is how important the subject is.
So, anything that is so very important requires regulations for its protection and privacy. Most developed countries – the EU countries, North American nations and most South American countries, Australia, South Korea and New Zealand – have well-structured data protection laws in place. Since the right to privacy has been acknowledged as a fundamental right, the Union government, which happens to be the implementer and chief complier of the Constitution, has upon itself the task of ensuring two things – data protection and data privacy.
The first alarm bell rang when a whistleblower blew the lid off a certain company called Cambridge Analytica having used data of 87 million Facebook users – Facebook admitted that the data of about half a million Indian users were compromised. It is serious! The government had appointed a committee, which has now given its report and prepared the draft Personal Data Protection Bill 2018. The draft bill is open for public discussion till September 30 and I thought I would discuss here a few ideas which I have already advanced as public comments on this bill.
Dissecting the bill
I plan to look at a) the basics of our bill; b) the pros as I see them; c) the cons as I see them; and finally d) a set of new points from my side.
There are four basics of the bill. Data fiduciaries: the party collecting, holding and processing the data – the government, or say your cell phone operator, or say Amazon – will hold such data in trust. They would ask for your informed consent before collecting data from users, including from children through parental acquiescence. You have a right to know how the data will be processed and used. Encroaching on your privacy is forbidden, for example by profiling you, tracking your movements, or monitoring your choices and behaviours. You may be targeted for undisclosed motives. And finally it deals with your right to be ‘forgotten’, such as erasure of your past data from the fiduciary’s servers at your behest.
Data localisation: Sensitive data has to be stored in servers in India; other data can be stored elsewhere with a copy in an Indian server. A data protection authority has been proposed to oversee the entire process.
Violations: these invite fines ranging from Rs 5 crore or 2 per cent of global turnover to Rs 15 crore or 4 per cent of global turnover for companies, and three to five years’ imprisonment for individuals.
I think this is an excellent step reinforcing a citizen’s privacy.
But I have a few points now to share. As of today we as a people have to have a lot more respect for data and data-based analytics than for ‘hunches’ – this fact is simply borne out by the poor quality of data that one faces in any meaningful exercise one gets into, almost as though there was an Edward de Bono in the corner with his ‘How To Think Critically Using Sun Tzu’s Art of War Stratagems’ giving out a gem: “… Most executives, many scientists, and almost all business school graduates believe that if you analyse data, this will give you new ideas. Unfortunately, this belief is totally wrong. The mind can only see what it is prepared to see.”
My second point is on the proposed data protection authority (DPA). Can the government, which in most cases is itself the data fiduciary, also be the one appointing the DPA? I think independence would be severely compromised – I suggested that the appointment should be made on recommendation from the judiciary only.
My third point is on phone-line tapping. Should it not be brought under the ambit of data privacy regulations as well? Unless, of course, heinous offences are prima facie suspected.
My fourth point is on inventions and innovations – the bill in its present form, I think, lacks protection of ideas and innovations.
And my last point is on amendments to the Aadhaar law, which the bill acknowledges but does not clearly dwell on.
What is important in all of this is that the three parties – the citizen, the government, and commerce and business – should be facilitated, not slowed down. And we should never be seen as putting one more hurdle in the way of the growth of commerce.
I think that we must go ahead fast; we can evolve better as we proceed ahead!