In March, the Indian government’s relatively new ID database, Aadhaar, suffered a major data breach. Aadhaar stores a plethora of identity and biometric data on 1.1 billion of India’s just over 1.3 billion citizens, including their fingerprints and iris scans, making this breach a major concern. The data is accessible with a 12-digit ID number, which is assigned to each registered citizen and is essential for many daily activities: citizens must present their ID number to open a bank account, receive food rations, or be accepted into a hospital. It is thus no surprise that so many citizens have opted in to this technically optional program, even though these citizens will find themselves very vulnerable if someone gets a hold of their ID number.
Of course, this revolutionary database serves an important purpose: to increase efficiency and reduce corruption. For example, corrupt officials often can no longer add fake names to welfare databases to steal money from the poor. Unfortunately, the March breach was Aadhaar’s second major data breach this year. The first one happened in January.
Privacy has recently become a hot-button issue in India, a country which has passed very little online privacy legislation, despite its powerful centralized ID database and reputation for technological prowess. Within the last year, India has been trying to catch up with the international surge of stronger privacy laws.
The Global Drive for Privacy
The most significant global privacy development in the last year was the EU’s new General Data Protection Regulation (GDPR), which requires companies to eliminate fine-print loopholes, and instead provide privacy policies with clear, concise explanations of what users are signing up for. Furthermore, consumers now have the right to access data that companies store about them and correct that information if it’s inaccurate.
Most importantly, these laws apply to any corporation with users in the EU. Even if the corporation is based in the US or India, as long as it has clients in the EU, it will face a severe fine if it does not comply with these regulations. Publishers, banks, and tech giants have already started working to adapt their policies to meet the expectations of GDPR.
China also recently released a new data privacy law, partially modelled on the GDPR, which will shift power from companies to consumers. One Chinese businessman summed up the gist of the law well, reportedly asking “wait, do we now need to get consent from all of our users on our privacy policies?” Now, despite China’s extensive censorship, Chinese citizens’ data is likely better protected from corporate loopholes than that of Americans.
A number of other South Asian countries have also been working toward improved data protection. A new Vietnamese law requires foreign internet companies like Google and Facebook to keep data on Vietnamese citizens in open local offices and hand the data over to the Vietnamese government if suspected of “anti-state activity.” Australia just introduced mandatory data breach reporting, and Canada will do the same in November.
Data Protection in India
Indian companies that operate in the international arena have been forced to reform their privacy policies and data protection measures so that they align with the GDPR. But the Indian government has also been taking actions to secure the privacy of all Indian citizens, actions that are long overdue.
In March 2017, India increased security of personal information stored by Prepaid Payment Instruments, which are online cash transfer services like PayPal. This was one of the first direct actions India has taken to protect privacy online. Soon after, in August 2017, the Indian Supreme Court declared that privacy was a fundamental right (although it did note that, like other fundamental rights, privacy could be denied if it was competing with compelling state interests). Additionally, the Ministry of Health drafted a law in March to secure personal digital health data, and the Reserve Bank of India (RBI) issued a notification in April requiring payment system operators to store data within India so it would be subject to RBI supervision.
Last November, India created the Srikrishna Committee, a committee of experts asked to develop a national framework for comprehensive data protection. The committee released a draft later that month focusing on 7 key principles, including Informed Consent (consumer consent must be expressed in an “informed and meaningful manner”) and Data Minimization (only necessary and required data should be collected). The committee is expected to submit its full recommendations for a bill by the end of July.
Although national sentiment is in support of greater privacy laws, the private sector is concerned about a boom in individual privacy legislation. Of course, one of the events that triggered the drive to update privacy laws was the Facebook breach, which exposed personal information of as many as 87 million people worldwide, including more than half a million Indians. The laws developed based on the Srikrishna Committee’s recommendations will likely serve as a barrier to international internet companies like Facebook, as well as Google and Amazon. For example, India’s Google-backed delivery app Dunzo requires access to customers’ contacts, location, messages, and more “to improve the user’s experience.” This likely will not fly once India imposes stricter privacy laws.
Although data privacy laws could reduce efficiency among large companies in India, they are necessary to keep citizens safe from corporate overstretch and malicious hackers. It will be interesting to see what precise regulations are created in the wake of the Srikrishna Committee’s report, and how they affect both multinationals and the Aadhaar system. Regardless, such laws are certainly in the best interest of Indian citizens and cannot come soon enough.