India is following Europe down the data protection path, with draft legislation criticized as a mixed bag of good and bad laws being proposed on Friday.
Under the proposals, there will be a data protection authority with the ability to impose fines; individuals get some new rights over how their data is handled, but not as broad as granted by Europe's GDPR; and local storage requirements are criticized as being at odds with the rise of the cloud.
On top of that, India has followed other countries in proposing restrictions on research into the potential re-identification of people in supposedly anonymized datasets. The Ministry of Electronics and Information Technology, MEITY, published the draft legislation on Friday here.
UK Data Protection Bill tweaked to protect security researchersREAD MORE
The proposed law bill would expand regulations on data collection by requiring organizations conduct data-protection impact assessments, which would be submitted to a data protection authority. There's also a right to be forgotten in the bill; a requirement that data be made portable between organizations (for example, to make it easier for someone to move from one bank to another, and take their data with them); and rights to view and correct data.
A “data fiduciary” – anyone collecting the data – is required to take a “privacy by design” view of their systems, the law states. This puts the onus on data collectors to protect the subjects of data collection in a way that will “anticipate, identify and avoid harm to the data principal.”
That goes beyond technology design and implementation: organizations collecting data would be required to implement “managerial, organizational, business practices and technical systems” that protect privacy, be transparent in how they collect and process sensitive personal information, and implement “de-identification and encryption” as part of their protection of sensitive data.
However, the legislation stops short of Europe's privacy-safeguarding regulations in the matter of individuals' right to object to collection and/or processing.
Cyber sovereignty under attack
Similarly to Europe's privacy rules, though, India's Personal Data Protection Bill proposes penalties sufficient to sting most organizations: up to around $2m for a database security breach (150 million R), or 4 per cent of a company's global turnover, whichever is higher. There's also a “cyber sovereignty” clause in the bill, requiring that organizations collecting personal information must maintain a copy in India, and for some types of data, overseas storage would be banned.
The bill has had a mixed reception in India and internationally, however. Speaking to The Hindu, Mozilla Foundation executive chairwoman Mitchell Baker said she was concerned at the exemptions granted to government in the bill.
While the act requires law enforcement use of personal data to be “necessary and proportionate,” disclosure in legal proceedings carries very broad exemptions, as does processing personal data for research or archival purposes.
In a blog post, Mozilla welcomed biometric protections in the bill, which the organization said could close “lax limitations on the handling of Aadhaar data.” Aadhaar has been criticized for data security breaches dating back at last to March 2017.
The Data Security Council of India has outlined its responses to the bill here (PDF). The DSCI welcomed the bill's child protection measures, but CEO Rama Vedashree told The Hindu localisation requirements were “regressive”.
The other serious criticism of the legislation is over its ban on re-identification research, since the proposed clampdown would treat academic researchers as harshly as it would treat “black hat” hackers. To protect the anonymization requirements imposed by the bill, India proposes that re-identification be criminalized unless the research is conducted in cooperation with the organization that collected and holds the data. Here's the relevant passage:
Any person who, knowingly or intentionally or recklessly— (a) re-identifies personal data which has been de-identified by a data fiduciary or a data processor, as the case may be; or (b) re-identifies and processes such personal data as mentioned in clause (a) without the consent of such data fiduciary or data processor, then such person shall be punishable with imprisonment for a term not exceeding three years or shall be liable to a fine which may extend up to rupees two lakh or both.
The fine is equivalent to around $3,000.
The problem with requiring organisational consent to conduct re-identification research is that a company or government department that's worried about the quality of its anonymisation may not agree to have it tested.
Privacy researcher Lukasz Olejnik blogged that privacy research “makes us all safer,” remarking that “banning reidentification will not magically fix broken designs or vulnerable systems.”
In January, UK researchers dodged the same bullet, permitting such research on the condition that boffins are acting in the public interest, and inform the Data Protection Commissioner of their work.
Under now-retired Attorney-General Senator George Brandis, Australia had the dubious honour of leading the world in re-identification research bans, in the form of legislation first tabled in October 2016.
Brandis has since left parliamentary politics to take up the post of High Commissioner to the United Kingdom, and the legislation has so far stalled. ®