India takes its first serious step toward privacy regulation – but it may be misguided
This blog post by Simon Davies was published in the Privacy Surgeon on April 9, 2013. The Centre for Internet and Society recently published a draft Citizens privacy bill which is mentioned in this post.
Well, maybe this is a slightly optimistic view. A more accurate portrayal might be “the Indian government appears ready to accept the principle of some form of regulation”.
There is actually no agreed policy position across government on the question of privacy and data protection, but the Planning Commission last year established an Expert Group under the chairmanship of the former Chief Justice of the Delhi High Court, A.P. Shah. Justice Shah’s subsequent report is being considered and a draft Bill has been created.
Shah’s report provided a convincing body of evidence – both at the domestic and the international level – for the creation of national regulation.
It called for the formation of a regulatory framework and set out nine principles that could form a foundation for the next stage. These principles – reflecting the basis of law in other countries – have been generally accepted by Indian stakeholders as a sound frame of reference for progress.
However, although the nine principles are supported, the precise nature of any possible regulation is still very much in flux.
There’s a long way to go before consensus is established on an overall type of regulatory framework. Having said that, India is closer than ever to seeing real legislation – and the international community needs to put its weight behind the activity.
Debate over the merits of data protection and privacy law stretches back beyond a decade, but reform was constantly hampered by perceptions that regulation would stifle economic growth.
Some industry lobbies have been as keen as government to ensure that privacy proposals are stillborn.
Even with the nine principles as a bedrock the path to privacy law must overcome two extremely difficult hurdles.
The first of these is that a substantial number of Indian opinion leaders continue to express an instinctive view that there is no cultural history for respect of privacy in India. That is, people don’t want or expect privacy protection and Western notions of privacy are alien to Indian society.
In support of this assertion these critics often cite an analogy about conversation on Indian trains. It is well known that many Indians will disclose their life story to strangers on the Indian rail network, discussing their personal affairs with people they have never before met. This trait is construed as evidence that Indians do not value their privacy.
I spoke last week at an important meeting in New Delhi where this exact point was repeatedly made. The meeting, organised by the Data Security Council of India and ICOMP India, was well attended by industry, government, academics and NGOs. Speakers made constant reference to the matter of public disclosure of personal information.
In response, noted commentator Vickram Crishna expressed the view that the train anecdote had no relevance and was a convenient ruse for people who for their own self interest opposed privacy regulation.
“In reality this circumstance is like Vegas”, he said. “What happens on Indian trains, stays on Indian trains. People will talk about their lives because they will never see these passengers again and there is no record of the disclosures.”
“What we are dealing with in the online world is a completely different matter. There is no correlation between the two environments”.
A substantial opinion poll published earlier this year also debunked the myth that Indians don’t care about privacy. Levels of concern expressed by respondents were roughly the same as the level of concern identified in other parts of the world.
A second hurdle facing privacy legislation is the perception – particularly prevalent in the United States – that legislation will be a burden on industry and people do not want yet another cumbersome and costly government structure.
There are perhaps some grounds for considering this perspective, given the vast scale and complexity of India’s economy.
Government intervention does not enjoy a history of consistent success in the marketplace, though in many instances intervention has been the only means to bring industry into compliance with basic safeguards.
I made the point at the meeting that support for a purist model of industry self regulation was simplistic and misguided. Most systems of a similar nature fail unless someone is mandated to ensure compliance, transparency, enforceability and consistency. It’s a question of finding a way to embed accountability in industry self regulation – and this is where legislation and government could help.
Justice Shah’s report reflected this widespread concern by recommending a co-regulatory framework in which a privacy commissioner would oversee industry self regulation. However – as last week’s meeting exemplified – even this compromise solution is not acceptable to many industry players. They oppose the idea of an appointed commissioner and believe that industry self regulation alone will be sufficient.
This is an influential view that cannot be brushed aside. However, in a special programme aired on 19th April on India’s main parliamentary television network – RSTV – I repeatedly make the point that such a view, if successful, would put Indian industry in danger of winning the battle but losing the war. Europe is unlikely to accept a model of sole industry regulation, and the crucial flow of data between the two regions could be imperiled.
Conscious of all these challenges the influential NGO Centre for Internet and Society has published a draft Citizens privacy bill and has commenced a series of consultation meetings across the country. These initiatives will provide important input for the emerging legislation.
This is an important moment for privacy in India, and one that will require careful thought and sensitive implementation. However, no one in India should be in any doubt that the current unregulated situation is unsustainable in a global environment where nations are expected to protect both their citizens and the safety of data on their systems.