TECH
30/07/2018 8:56 AM IST | Updated 30/07/2018 8:56 AM IST

Srikrishna Report: Dissent Notes Point To High Stakes Battle To Control Data of 1.2 Billion Indians

Lawyers and policy researchers voice concerns about loop holes.

Digital Security and data protection. Conceptual illustration with advanced technology digital display.
Getty Images/iStockphoto
Digital Security and data protection. Conceptual illustration with advanced technology digital display.

BENGALURU — Two dissent notes at the end of the 213 page BN Srikrishna Committee report on data privacy reveal the high-stakes battle between global technology giants to process the personal, and financial data, of India's 1.2 billion citizens.

"Data localisation", or the requirement that "sensitive information" —particularly financial data — be stored on servers within India's geographic boundaries, has been a subject frenetic lobbying pitting American finance and technology makers who oppose localisation, against Chinese majors like Alibaba who owns a majority stake in Paytm, as per a recent Reuters report.

The Srikrishna report recommends that a copy of sensitive data be stored in India, prompting push back from committee members Rama Vedashree, the CEO of NASSCOM's Data Security Council of India, and Professor Rishikesha T Krishnan, an IIM Indore professor, have both dissented against the committee's recommendation that a copy of all personal data, termed "data-localisation" in common parlance, be stored within India's geographic boundaries.

Vedashree's dissent note terms data localisation regressive, against the fundamental tenets of the liberal economy, and a possible trade barrier. She also found issue with the categorisation of passwords and financial data as "sensitive" — a classification that mandates that a copy of the data be retained in India, under the provisions of the draft bill.

"The guiding principles as mentioned in the report under chapter 3, for determining sensitivity are broad and can possibly be used to justify the inclusion of any type of data to this category of personal data," she said.

READ:Srikrishna Report Recommendations: Data Protection Authority, Consent Is Key, Data Collection To Be Minimal And Time Bound

Like Vedashree, Prof. Krishna noted that the requirement to store one live, serving copy of personal data in India is against the basic philosophy of the Internet, and imposes additional costs without a proportional benefit.

"This bill provides a strong foundation of protection for Indians' privacy, but it is not without loopholes. In particular, the requirement to store a copy of all personal data within India, creating broad permissions for government use of data, and the independence of the regulator's adjudicatory authority," said Amba Kak, Mozilla's Policy Advisor in India. "We welcome the Government's commitment to a public consultation process, which we hope will rectify the cracks in this foundation."

Industry body BSA The Software Alliance (whose members include Adobe, Apple, IBM, Intel, Microsoft, Symantec and more) also raised concerns about the data localisation requirement. Many BSA members have made significant investments in cloud-computing and storage.

"Including data localisation requirements in such legislation is contrary to the goals of promoting a Digital India, as global data transfers are critical to cloud computing, data analytics, and other modern and emerging technologies and services that underpin global economic growth," said Venkatesh Krishnamoorthy, Country Manager India, BSA The Software Alliance. "BSA recommends that India's Personal Data Protection Bill avoid imposing undue restrictions on the ability to securely transfer personal data outside of India."

Describing the report as a "positive start," Mishi Choudhary, Managing Partner at Mishi Choudhary Associates said there is need for further wide-ranging and in-depth deliberations.

However the right to be forgotten lacks clearly defined exceptions, and has an overly burdensome process, she noted.

"Withdrawal of consent by those of us who are called Data Principals is not simple and makes us responsible for all the legal consequences that follow," she added. "We have grappled with the problems of criminal punishments, for almost a decade with the IT act. Making all offences cognizable and non-bailable with enforcement that happens in fits and bursts will only make it tougher for businesses. With little understanding of technology, sections are slapped forcing companies and executives to deal with the criminal machinery, the effectiveness of which need no mention."