Mozilla says India's planned data harvest law is 'blunt' and should be caste aside

Warns that plan could lead to 'dangerous inferences' about user identity, suggests GDPR is a better model


Mozilla has strongly criticised India’s draft plan to allow companies to harvest non-personal data.

India's plan [PDF], proposed in July 2020 by a committee chaired by Infosys co-founder Kris Gopalakrishnan, recommended companies be allowed to use non-personal data generated in India for commercial purposes. The committee also suggested that the Indian government establish a new authority to monitor how such companies use the data.

But some of the “blunt strategies” the committee proposed will do more harm than good, Mozilla said in its comments on the report [PDF] .

“Ultimately, a maximalist focus on boosting domestic industry could hurt the very businesses it is meant to serve, while limiting competition, and diminishing the choices of user," the organisation wrote.

In particular, Mozilla said the report underestimated privacy concerns around the sharing of non-personal data. As an example, it cites that sales location data from e-commerce platforms can be used to “draw dangerous inferences and patterns regarding caste, religion, and sexuality.”

A maximalist focus on boosting domestic industry could hurt the very businesses it is meant to serve.

The browser-making organisation also warned that the laws would replace “the fundamental right to privacy with a notion of ownership akin to property, vested in the individual but easily divested by state and non-state actors, leaving individual autonomy in a precarious position.”

Overall, Mozilla warned enacting the proposed laws could “harm Indians, isolate companies from their global counterparts, and cause other countries to retaliate with similar ‘data nationalism’ measures that would be counterproductive to India’s interests.”

Instead, it recommended India instead focuses on instituting comprehensive data protection laws to match the standard set by the European Union. As an example, the organisation that India has “some of the weakest regulations around government surveillance in the world” and that these laws need to be reformed.

"Rather than viewing this as a zero-sum game, there is much for India to gain by leveraging the interconnectedness of the global digital economy while respecting the fact that privacy is a fundamental right guaranteed to all," Mozilla said. ®

Similar topics

Broader topics


Other stories you might like

  • Another VPN quits India, as government proposes social media censorship powers
    New Delhi now fighting criticism of eroding free speech and privacy with two proposed regulations

    India's tech-related policies continue to create controversy, with fresh objections raised to a pair of proposed regulation packages.

    One of those regulations is the infosec reporting and logging requirements introduced by India's Computer Emergency Response Team (CERT-In) in late April. That package requires VPN, cloud, and numerous other IT services providers to collect customers' personal information and log their activity, then surrender that info to Indian authorities on demand. One VPN provider, ExpressVPN, last week quit India on grounds that its local servers are designed not to record any logs so compliance would be impossible. ExpressVPN will soon route customers' traffic outside India.

    On Tuesday, another VPN – Surfshark – announced it would do likewise.

    Continue reading
  • Indian government signals changes to infosec rules after industry consultation
    Reports suggest SMBs will get more time, but core elements including six-hour reporting requirement remain

    Indian media is reporting that the government has consulted with industry about its controversial infosec reporting rules, possibly resulting in concessions that slightly ease requirements for some businesses.

    The rules, introduced on April 29 with no warning and a sixty-day compliance deadline, require organizations operating in India to report 22 different types of information security incidents within six hours of detection, maintain extensive logs of their own and customers' activities and provide that info to authorities as required, and use only network time protocol (NTP) servers provided by Indian authorities or synced to those servers.

    The rules generated swift and widespread opposition on grounds that they were loosely worded, imposed enormous compliance burdens, made India less attractive to foreign tech companies, and would harm privacy. The requirement to report even trivial incidents within six hours was criticized as likely delivering a deluge of reports that would contribute little to the stated goal of securing intelligence with which to defend the nation. The Internet Society warned that insistence on using Indian NTP servers would create an unhelpful reliance on that infrastructure.

    Continue reading
  • BSA kicks multiple holes in India's infosec reporting rules
    Strongly suggests extensive re-writes and consultation - backed up by Microsoft, Intel, AWS, and friends

    Lobby group The Software Alliance (BSA)* has written to India's government, pointing out impractical requirements, inconsistencies, and flaws in the nation's recently announced infosec reporting rules. The organization says the problems can only be addressed with extensive consultations and a delay to implementation.

    The BSA has already co-signed another letter that eleven tech and finance lobby groups sent to India's government, which requests changes to requirements such as extensive logging of user activities and reporting of even trivial infosec incidents within six hours of detection. That multi-party letter states that these rules will harm the nation's economy by discouraging foreign investment.

    The Alliance's own document [PDF] raises issues not addressed in the multi-party letter – such as an argument that requiring cloud providers to supply logs of customers' activities is futile as clouds don't log what goes on inside resources rented by their customers.

    Continue reading

Biting the hand that feeds IT © 1998–2022