IT is baffling that legislation to ensure protection against data mining for commercial purposes in violation of privacy laws has not seen the light of day. It was expected that there would be swift developments on that front in the light of the Cambridge Analytica matter in March — Facebook and Google claimed to have taken corrective measures to protect data of 87 million people globally that was shared with app developers. Only the other day, facebook chief executive Mark Zuckerberg apologised to the British parliament for failing to protect personal data of British citizens and misuse of financial information. In full-page advertisements in American and British newspapers, Facebook conceded that there had been inadequacies in management.
Earlier last week, the European Union (EU) adopted the General Data Protection Regulation (GDPR) that allows citizens across 28 member countries absolute privacy rights. Even entities outside the union that deal with data of EU citizens will have to comply with norms under the GDPR or face the consequences. Notably, the EU was quick to come up with GDPR.
European law imposes restrictions on collection and usage of personal data. Social networking sites, and internet platforms like Google and Facebook cannot take umbrage at the ‘fine print’. Instead, they will have to seek the consent of internet users for even collecting one’s name and personal address on their data banks. By contrast, the response to such data theft — both financial and personal information — has either been meek or just inadequate in India. Information Technology minister Ravi Shankar Prasad had promised to come up with a robust law on data protection by June this year. However, not much seems to have moved on the front.
Why is the Narendra Modi government going slow on data protection laws? There is hardly a plausible explanation for this. The committee of experts headed by Justice BN Srikrishna had put together a white paper on data protection framework for India. This paper should have led to a draft law especially defining the scope of data protection, applicability, exemptions; grounds for data mining explaining the purpose of collecting such data and end use.
A wider political consultation is warranted on a sensitive issue like this in view of the fact that both the Congress party and the Bharatiya Janata Party had traded charges over compromising user data in the wake of the Cambridge Analytica scandal. Open platform-based android phones have only hastened the need for protecting data of individuals, companies, governments and autonomous entities. Secondly, storing data within the country will be critical to minimising the misuse or abuse of personal and financial information. For long, both IT and telecom companies have opposed this idea of locating their data servers in India. Thirdly, both government and private companies may have to be covered under the data protection laws.
Now that the European Union provides a wide-angle template for data security, India needs to frame its own law and take Parliament’s consent on the issue in the next six months. Otherwise, all political parties will get into election mode and the data protection issue may bring into question the sanctity of polls as in the US, Russia and the UK. Private telecom companies, IT or information technology-enabled services firms and social networking platforms cannot be taken at their face value. Their profitability depends on data mining, and leveraging that for commercial use. Under the circumstances, there should be little to contest the need for hard work to ensure safety from data sharks and even governments.