The recent WhatsApp spygate, which revealed accounts of Indian journalists and human right activists were hacked by unknown entities using Pegasus spyware, has intensified the data protection debate in the country.
Related:
The government has reprimanded the Facebook-owned messaging platform, seeking an explanation into the loopholes which led to the breach. “Government of India is concerned at the breach of privacy of citizens of India on the messaging platform WhatsApp. We have asked WhatsApp to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens,” tweeted IT and Communications Minister Ravi Shankar Prasad.
However, the fact remains that the country’s data protection framework is still in the works, with the pending Data Protection Act. At present, the draft personal data protection law is still getting ‘final touches’, and could be tabled in the Winter Session in Parliament, according to media reports.
Related: Decoding India's Personal Data Protection Bill with Prashant Mali
Computerworld India spoke to Puneet Bhasin, cyber law expert, who cautions against wasting time ‘debating’ the perfect law in the face of real-time threats to data privacy.
Cyberjure Legal Consulting / Maxkabakov / Getty Images
Compliance in most organizations in India is quite a sidelined area. The main priority is normally finance, marketing or sales – where the revenue happens. Here, compliance means you lose money (when you’re not right).
Puneet Bhasin, Cyber Law Expert
The bill is a brilliant piece of legislation, under which the data localization rule emphasizes the importance of treating data as a national property, explains Bhasin. “Data localization will improve the situation where a cyber-crime investigation needs to happen. Data is of value; why should we give it to external entities? This aspect is extremely important but it might get left out in the final draft – because of the amount of lobbying (against it) – a lot of organizations might not favor something like this,” quips Bhasin.
Dealing with data
She hits the nail on the head while describing the loopholes around data in India and argues that it would not be easily welcomed by a lot of organizations in the country. The reason being that most of them are not used to having this sort of compliance. Data is freely sold in India – the whole concept of digital marketing, business development, business intelligence, and business analytics in India today is one that lacks acute consumer privacy measures, she points out.
Has India missed the bus when it comes to data privacy? The country’s digital transformation happened much later compared to others, explains Bhasin. “Until tech penetration doesn’t happen on a wider scale, it is difficult for a law to actually shape up with respect to the social conditions. You could not have had a law 10 or 20 years ago when this was not an issue at all. We are not late – but if we don’t implement it soon, we are definitely going to be running late.”
A call for policy reassessment
How challenging will it be for Indian companies to reassess their policies once the bill comes into play? Today, everything in an Indian organization is like an open system, which will need to be realigned once the bill comes into effect. “Every process, tech, design should have privacy and access control built into it. This calls for not just a privacy policy, rather an entire implementation from scratch.
Ideally, organizations should start now. Data Protection Law is not a directive like GDPR where you will be given a year to be compliant. The government has given enough time, the draft is out and in the process, and you know it’s the need of the hour, it is going to happen. Digital India, along with cybersecurity is a priority in the government’s manifesto.
Implementation challenges
Indian organizations are not used to stringent compliance measures. “On a lot of levels, it is not there. Ministry of Corporate Affairs, for example, is the one that pushes compliance in India, apart from regulatory bodies such as the RBI, the IRDAI. If you don’t fall into those categories then it is probably just the MCA in the last year where you’ve had strong compliance. In such a scenario, the framework to enforce it on a population that is not used to it – will be a challenge,” highlights Bhasin.
Compliance in most organizations in India is quite a sidelined area, she explains. “The main priority is normally finance, marketing or sales – where the revenue happens. Here, compliance means you lose money (when you’re not right). So, a lot of organizations have not focused on that aspect – they focus more on acquiring and getting more money into the system.” However, this entire dynamics will change under the data protection law as the level of penalties is quite high.
Action over dilemma
“Under the data protection bill, the customer is king. The organization has to comply to ensure the customer is secure with respect to data. This is something that has never happened before. Currently, the bill faces a lot of opposition both ways – a lot of political dilemmas. Even for the common man, it is very difficult to understand the nuances. There are a lot of people lobbying against it, and a lot of people favoring it,” she explains.
According to her, the draft may not be perfect at this point in time; a lot of amendments might have to happen later. But in the face of data thefts - with spyware being installed by every single app on a smartphone – and no legislation to cover it, there is a dire need for this bill to come into effect. “It may not be 100 percent perfect at this stage, but something is better than nothing, which will be perfected over a period of time,” says Puneet Bhasin.