Recognise the technology constraints 

Recognise the technology constraints 

Context

White paper of Justice BN Krishna committee

Missing from the white paper

Author states that an understanding of the many technologies that come together currently to protect data in India is missing from the white paper

• More than 80% of Indian smartphone users today rely on Google’s Android operating system. But the majority of those mobile devices are sold by Samsung, Xiaomi or Oppo
• Does the committee believe an operating system designed in Silicon Valley and a mobile phone manufactured in China’s Guangdong Province have similar rules to protect data? Or better still, can they be made to comply with a single, catch-all set of data protection standards?

Little say of the state

The issue of data protection is one over which the Indian state has, unfortunately, little say

• Abroad based players: Major players in the country’s digital economy are not only based abroad, but also export data to other jurisdictions
• Unwise to demand data localisation: To demand “data localisation” would be unwise (the Srikrishna Committee too acknowledges this). Many of the world’s giant data centres are located in northern climes near water bodies, since they require mild temperatures and enormous quantities of water to cool thousands of servers
  • Not feasible: The U.S. Department of Energy in 2015 estimated that data centres in the country took about 2% of its overall power supply. Can India, with its round-the-year warm climate and scarce natural resources, really afford to divert electricity and water to maintain data centres? State and central governments will also need to spend substantial amounts on physically securing these installations

Trade-off: contradicting policies

• There is, however, a trade-off: India’s inability to localise data means its digital economy is governed by hundreds of “private” data protection policies, some of which even contradict each other
• For this reason, the Srikrishna committee cannot follow the same legal strategy used in the Aadhaar Act, which lays down strict rules for the collection and sharing of biometric and sensitive personal data
• With a data protection statute, this may not be entirely feasible

Issue of sensitive personal data

The Srikrishna Committee has provisionally recommended that current definitions of “sensitive” information be re-evaluated in the light of India’s socio-economic context

• Conflict: The Google Developer Policy — which app developers must comply with if they want their products featured on Android phones — requires “sensitive” data to be collected only for a “core capability”
  • In other words, if such data is absolutely critical for the app’s functioning, it may be sought from a user. Even if India’s data protection law were to determine that some health data is too sensitive to be shared under any circumstance, it is very likely that an Android app somewhere would still permit its collection
  • “Genetic testing” apps – used to predict the kind of hereditary ailments a user may be susceptible to — are becoming increasingly popular and collect precisely such information. Would the Indian state, then, ask Google to block such an app? How would the law be enforced?

Permissions are embedded

Android phones also have “layers” of permissions written into them that determine the kind of sensitive data an application can collect. An app could tap into a phone’s fingerprint authentication hardware with only a “normal” permission, which is automatically given at the time of its download. But to access the user’s location from the phone, the app requires a “dangerous” permission, meaning the affirmative consent of the user

• Were Indian law to prohibit apps from accessing the fingerprints of users without their consent, will it declare the Android system of ‘permissions’ unlawful? 

Transferring data to locations with no data protection

On the other hand, the Chinese smartphone manufacturer Huawei candidly acknowledges it may transfer the data of users to locations with no data protection laws at all. Huawei’s End User License Agreement merely suggests it will provide “similar and adequate” levels of protection as the country of origin. But how would Indian regulators ensure that the data of citizens is treated uniformly, even after it has been exported to, say, China? In this case, the very nature of the data flow is a limit on the implementation of a data protection law

Way forward

• India can and should enact safeguards for data collected through known points of vulnerability in its digital economy: a mobile phone’s camera software, public Wi-Fi spots, firmware updates, QR codes, and so on
• India’s data protection laws should not foreclose options for its own software developers — who need country and community-specific data — as they build products tailored for the digital economy

Problems before committee

The committee will find it difficult to conceive watertight definitions of “sensitive” data, or lay down guidelines to determine what data should be collected, when the user’s consent is required, or even the kind of encryption to protect such data

Solution: A multi-stakeholder agency

A modest solution could be to allow companies to pursue independent data protection policies (guided by baseline norms), but monitor their enforcement through a national, multi-stakeholder agency

• Precedent: There is precedent for such an institution: the United States Federal Trade Commission performs such a role, investigating data breaches often according to best practices within the industry
• In 2013, for example, it found the smartphone manufacturer HTC guilty of circumventing Android’s own installation checks and allowing the download of “insecure” apps

Conclusion

When the Indian digital ecosystem is mature enough, there could be more comprehensive guidelines on the storing, sharing and collection of data