BANGALORE, Karnataka – It's more than a year since the Srikrishna Committee submitted its report on data protection, along with a draft personal data protection bill, but India is seemingly no closer to an actual law on the matter. However, the Reserve Bank of India (RBI) has already mandated data localisation norms, which met with a lot of resistance and criticism.
HuffPost India spoke to Barry Cook, Privacy and Group Data Protection Officer, VFS Global, who also spoke about data localisation rules, and sounded a note of caution, adding that the cost to industry is likely to be high.
VFS Global is active in 147 different countries to facilitate visa applications, handling upwards of 20 million applications per year. Of this, around 5 million applications are from India alone, so Cook – part of whose role is to ensure that the company is compliant with data regulations around the world – has paid a lot of attention to the norms that are being followed globally, and talked about the importance of keeping people's information private, while also allowing industry to easily engage with data.
"My goal, primarily, is to ensure compliance when VFS handles personal data, and that can mean personal data of the visa applicants, or internal employees and so on," Cook said. "Primarily that's my goal, to ensure that the company maintains compliance."
"Now, as we operate across 147 countries, [it] wouldn't be a very manageable model to have individual compliance modules models for each of those countries," he explained. "Our corporate model our privacy program, is based on the current highest level of data protection, globally, which is the European General Data Protection Regulation. It's not because it's better than any other or because it's European. It's currently the highest standard."
"Now if a new data protection law seems to be a higher standard, then we will look at that and adopt that standard," Cook added. "The thinking behind that is that operating across all those countries – 147 countries – it's very difficult for us to operationalize a privacy program. But by adopting the high standard I know automatically, I'm going to be compliant in each of those countries."
This isn't a one size fits all solution though, and variations are required in different countries, but the goal, Cook said, is that a visa applicant in any country should have the same level of data protection, even in countries where there is no data protection law.
This also extends to the use of data by VFS Global, which, according to its contracts, cannot be monetised. "Actually we have quite strict controls on how we can use that data," Cook said. "We are not allowed to use data that is used in the visa application process for secondary use, so we can't monetize that data. And there's a huge amount of data there which could be monetized but we're not permitted by the contracts that we have to actually do that."
Nationalism and data localisation
Similarly, VFS Global would be able to comply with data localisation if required, Cook said, but added that as of now, it didn't look like this would be required.
"If there is a requirement to localize data, then we will need to consider, but again, it's not clear on the scope of what localization is going to be," he said. "Industry chatter on that at the moment is yes, it may just be health data, financial services, and it very much depends on what the government rolls out."
A number of people have criticised data localisation requirements. In an article for HuffPost India, Eben Moglen, Professor of Law and Legal History at Columbia Law School, and Mishi Choudhary, a technology lawyer and managing partner at Mishi Choudhary & Associates, wrote that "the provision related to data localisation will end up increasing the costs for any new company by depriving them the benefits of 'cloud computing'."
In a submission to MEITY, SFLC.in (a non-profit legal services group that focuses on technology related issues) said that data localisation is likely to hurt the GDP. "Many developing nations look towards India as a role model for creating their own laws and frameworks," SFLC.in stated. "The perceived benefits of storing data locally, i.e. generating new jobs, may potentially be offset by an associated increase in the opportunity cost for Indian entrepreneurs that wish to expand their businesses to other countries, only to be faced with data localization costs in those countries."
Cook also echoed this, and when asked if nationalism was seen as a key reason for such laws, he said it was a part of the rationale.
"I think with all data localization, there is an element of nationalism without a doubt. I get it. I understand why," said Cook. "It's the new oil, effectively, and it in itself, the data processing industry is worth billions to the Indian economy. And it makes sense to put some governance or control around that."
"That said, data protection laws are now becoming the weapon of choice in governments in geopolitical situations… what it effectively does is pushes your borders out," he added. "If you have an extra-territorial data protection law, like the European General Data Protection Regulation, in effect, you're globalizing your country's political agenda in some cases."
"In summary, it may well protect the individual data, but you have to look at what is the message behind it. Generally speaking, external view of data localization is negative, it is seen as a tool that is used by more oppressive regimes," Cook said.
He also added that the impact on industry of excessive localisation requirements would be negative. "In my personal opinion, this is not the opinion of the VFS, in my personal opinion I don't think India should localize the data, I think it will force Indian companies to use Indian-based resources," Cook said. "Okay that on the surface may seem good, but those resources have to compete with the likes of Amazon, Google, all of the other big cloud based provider and compete on cost as well as service, and depending on the reports you read, the cost to the industry, of localizing data, will be quite high. So my view is that it's not good for the Indian economy to localize data."
Privacy by design
Cook again stressed that whatever decision the government took, the company would work to meet the requirements. At the same time, he outlined some of the ways in which VFS works to minimise the risk of compliance issues.
"Within the organization we adopt a very much proactive approach between data protection and privacy," he explained. "So, for example, we will use privacy by design, privacy by default techniques for any of our newer services or products or technology that we are planning or building to roll out."
"As soon as we get the business design requirements, how we can minimize the data that is used," Cook said. "A classic example here is if we're trying to ascertain somebody's age, the most common way of doing that is to ask for the date of birth. We can simplify that reduce the amount of data we have by simply saying, 'how old are you?' So it's a very subtle difference, but it means we desensitise the data we hold."
VFS does handle a huge amount of highly sensitive personal data. Cook said that the company uses automated systems to purge data as soon as it receives delivery reports from the local missions where the information is supposed to go; a similar process is also followed for paper forms – they're sent to the mission with no copies being made, he said.
"We reduce our exposure by minimising the amount of data, and the amount of time we hold that data," Cook said.