Advertisment

How does India measure up against GDPR?

author-image
Soma Tah
New Update
data

Gaurav Kapoor

Advertisment

The EU General Data Protection Regulation (GDPR), which comes into force on May 25, represents a seismic shift in the way enterprises gather, store, and process personal data. Under the regulation, all entities in the EU, as well as those outside it that offer goods and services to EU citizens, will have to ensure that personal data is collected legally, protected from misuse and manipulation, and used in accordance with the data owner’s rights and consent.

From India’s perspective, two things are key. The first is that Indian companies with operations, employees, or customers in the EU will now have to re-examine their data governance measures to ensure compliance with GDPR. Most companies will need to implement data encryption and pseudonymization controls, ensure ongoing security audits and, in some cases, appoint a Chief Data Protection Officer (DPO).

The other point of interest for India is GDPR’s adequacy principles. Article 45 of GDPR indicates that EU personal data can only be transferred to a third country if the European Commission believes that the country can ensure an adequate level of protection. For India, this rule could be a challenge because up until now, the country’s efforts at regulating data protection and privacy have, at best, been lukewarm.

Advertisment

The only data protection laws that exist in India are the Information Technology Act 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Both are far from mature or comprehensive, especially when compared to GDPR. The IT Act, for instance, does not define consent or require that a data controller demonstrate it. Neither does the Act include reference to the rights of the data subject such as the right to restrict processing, or the right to be erased from records.

Without these nuances which put data protection laws on par with internationally accepted standards, India may lose its credibility as a safe place for digital data. More importantly, the personal data of over one billion Indians would be at risk of misuse. Already, the country’s ambitious Aadhaar project has run into controversy over data privacy issues.

The good news is that concrete steps are being taken to strengthen data privacy. In August 2017, India’s Supreme Court ruled that privacy was a fundamental right under the Constitution. Meanwhile, a draft data protection law is in the works. The proposed “data empowerment and protection” act will, according to news reports, make obtaining user consent mandatory for data collectors. Public consultation on the law has already begun.

Advertisment

In the meantime, India has another ace up its sleeve - the electronic consent architecture of the India Stack. For the uninitiated, the India Stack is perhaps the world’s first national digital infrastructure -- an open API based technology with four layers – (a) the presence-less layer which helps individuals verify their identity to anyone, anywhere without having to be physically present, (b) the paperless layer which allows documents to be stored, authenticated, signed, and shared electronically, (c) the cashless layer which supports money transfers over a secure Unified Payment interface (UPI), and (d) the consent layer which allows data owners to regulate how their personal data is accessed.

The consent layer is the piece that has tech mavens excited because when fully operational, it could set a new global precedent for data privacy. Currently, most individuals have no idea where, how, and by whom their personal data is being used. It is this lack of control and transparency that results in the kind of data abuse we saw with the Facebook-Cambridge Analytica scandal. The India Stack’s consent layer, on the other hand, will seek to return control of personal data back to data owners. They will be the ones to decide when, how, and what data to share (e.g. mark sheets, financial statements, health records) and with whom (e.g. bank, credit card agency, recruitment firm). They will also have control over how long their data can be shared, and can use a revocation functionality if they no longer want their information to be accessed.

What’s exciting about the consent layer is that it goes a step beyond regulations like GDPR. Instead of just dictating “what” must be done, it provides the enabling infrastructure to realize “how” to get it done. Coupled with upcoming data protection laws, the consent architecture could put India further ahead than any other country in terms of the sophistication of data protection regimes. It will be interesting to see how things play out.

Advertisment

The author is COO MetricStream

gdpr