Why India is Still Not Ready for Breach, Privacy LawsSecurity Leaders Debate Potential Influence of EU's GDPR
After almost four years of debate, the European Union passed the General Data Protection Regulation, with the objective to strengthen and unify data protection for individuals within the EU and deal with exporting personal data outside the region.
Believed to be a pioneering piece of legislation in the world of data privacy, global security leaders say the GDPR, which will enforced in two years, will impact nations throughout the world (See: Australia-New Zealand Still Mulling Data Breach Laws ).
But what difference - if any - will it make specifically in India?
The Indian security fraternity questions whether there will be any direct impact on India and its privacy and data protection laws, given that Article 21 of the Indian Constitution (which maintains an individual's right to privacy of information and data) is already underway, and the Indian government is adding the final touches to its Right to Privacy Bill 2014.
And many practitioners believe India is not ready for data privacy and data breach disclosure, given that the nation does not have a strict regulatory enforcement mechanism.
The directive does impact the Indian IT and business process outsourcing industry, as it caters to U.S.-based enterprises and processes personal data of EU citizens.
"If enacted, it will lead to opportunity loss for the Indian IT/BPO industry, as it further increases the threshold for data transfer outside EU/EEA," says Mumbai-based Sunder Krishnan, chief risk officer, Reliance Life Insurance Company Ltd.
"It will also significantly increase compliance costs for service providers - which are already higher when serving EU-based clients, as compared with markets like USA," he adds. However, GDPR also may remove any misgivings about the Indian industry and data security standards in India, he says.
Is India Ready?
Privacy practitioners do not believe India is ready to crack down on privacy and breach disclosure, as existing privacy laws and information protection laws are not adhered to now.
"It's tough, as there is no holistic legal framework/regulator in the form of data protection authority, data quality and proportionality, data transparency, etc., which addresses and covers data protection issues in accordance with the principles of the EU Directive, OECD Guidelines or Safe Harbor Principles," says Krishnan.
Bangalore-based Naavi Vijayashankar, attorney and cyberlaw consultant, says the directive is a reiteration of the principles recommended by privacy practitioners to their clients under Section 43 A of the Indian IT Act.
"No new regulation is required for India regarding data protection or data breach disclosure," he says. "The government needs only revisit its existing IT Act 2008 and impress data protection obligations upon Indian companies and find a way to help them adhere to them."
But EU's regulation could make a positive impact on the Indian government in making a mandate.
Shashidhar, CN, founder of SecureiT Consultancy, says Indian regulation suffers from laxity in enforcement and implementation of privacy regulations. "I wouldn't see major impact on Indian enterprises, as the existing IT rules of 2011 of India, which mandate reasonable security practices and procedures and sensitive personal data or information by organizations, is not adequately implemented."
Data Privacy and Breach Disclosure Dilemmas
Most observers agree that the volume of online transactions, the explosion of e-commerce opening up multiple financial gateways and growth in digital infrastructure have resulted in data traversing in all directions. This has only increased data privacy issues, showcasing the trouble that users have to establish the authenticity and privacy of the data they share.
However, they also claim that most individuals and organizations are ignorant about privacy and data protection laws and regulations. Some argue there are misconceptions about data privacy, protection and data breach disclosure.
Shashidhar observes that the government has set certain constraints on data privacy that spell great ambiguity.
"It's difficult to balance and handle trade-offs between data privacy and security," he says. "And key technologies including cryptography are tightly controlled by governments, as they want to intercept the data/metadata exchanged between terror groups, criminals and money launderers. This means less scope for implementation."
Naavi argues that India does not currently view privacy protection as a right of an individual. "The Constitutional remedy is too laborious for ordinary citizens to use," he says. "However, when breach of privacy occurs through breach of electronic data, it becomes a cyber crime, and the provisions of ITA 2008 kick in."
Reliance's Krishnan lists out concerns hindering privacy and breach mandates:
- Information flexibility in providing dynamic access to sensitive customer data to clients, employees, and external partners;
- Proliferation of social media challenging data security;
- Sophisticated external hackers outsmarting traditional security methods;
- Data leaks despite deploying DLP solutions.
Critics say that most often, privacy and protection rights vary in different contexts and must be balanced against the other rights of citizens.
They say a fine balance between what the consumer wants and what the country needs is most essential, as it would ensure the policy framework is transparent and guidelines are followed.
Krishnan suggests that the government appoint a regulatory body to govern data confidentiality across public, private and individual parties.
Naavi argues that since Indian IT Act sections 43A and 72A both support the EU directive by recognizing the contractual obligations as defining the reasonable security requirements, the government should roll out a strict mandate for organizations' adherence.
"Further, by making negligence or non-compliance punishable under Section 85 and 79, companies and intermediaries will have to follow it in letter and spirit," Naavi says.