Data privacy has been a hot topic in India of late in the aftermath of the Facebook-Cambridge Analytica controversy, the release of a draft data protection bill and a push by the government to get foreign firms to store data of Indian citizens locally.
As an industry lobby, National Association of Software and Services Companies (Nasscom) has been watching these developments closely. In an interview with TechCircle, Nasscom’s senior director for public policy Ashish Aggarwal said that some of the proposed regulations with regard to privacy, localisation and e-commerce need to be reconsidered as they could potentially prove detrimental to the interests of Indian companies.
There are plenty of concerns about privacy globally. The Indian government has come up with a draft bill too. Where do you stand on the issue and what would you consider a fair middle ground?
Even before the European Union’s General Data Protection Regulation (GDPR) came into force this year, there were privacy laws through various other legislations across the world. But India did not have any framework for domestic privacy laws other than sections in the Information Technology Act.
For empowering IT-enabled services and cross-border trade dependent on data, a data protection bill is a great initiative where we can give confidence to other countries for a strong domestic framework.
We are moving towards a model where a lot of customer data is actually getting captured through the Internet of Things (IoT) and a privacy bill will strengthen customer rights. It is good to know what kind of personal data is stored or being used.
Even for ease of doing business, it is positive to have clarity on these rules and regulations.
Do you think India has struck the right balance on this front? Will data localisation create bottlenecks for companies to work seamlessly across borders?
Yes, there is a legitimate concern that if the existing proposals of the bill related to cross-border flow of data and conditions for transfer become law, then how can we enforce it?
The report of the Committee does not clarify how localisation will improve privacy for consumers or help protect their data. In fact, it glosses over the cost to the industry. Moreover, the Bill does not recognise that different types of data fiduciaries might pose different risk - for example, a messaging platform and a movie platform and a service aggregator platform may all have very different implications from a data protection risk while they all may collect similar personal or personal sensitive data. In the proposed bill, they all could be given the same treatment as a significant data fiduciary.
Nasscom does not see that as a balanced approach in terms of localisation. It is a challenge and we would like to work with the government to come out with a solution which meets the requirements of the need to access the data for legitimate reasons.
How will companies differentiate between personal data and platform data? All the aggregated personal data becomes platform data - who owns that? Can firms collect or store platform data? Is it technically feasible?
At some cost and effort, everything is or should be technologically possible today. But a lot of firms will have to change their business models and operating models. The idea is while you have a global footprint you store data where it is most cost- effective and of the highest quality in terms of the services that can be offered on top of it.
In the present form, the regulations are anti-competitive and will call for a review of the business operations of several firms and will be costly. So is it a proportionate cost? We are asking our members to evaluate this internally and tell us the implications and only then we can come up with a balanced approach to our stand.
We should not restrict cross-border data movement because a lot of Indian tech companies, whether IT services or product companies, are growing on the back of this data transfer.
But does this seem rational for an important area like digital payments?
Payment transaction data might be important and it may need to be guarded, but it is not clear why it should be sensitive. So we need to ensure that payment data is stored securely. The product and engineering teams of the companies look into that and Reserve Bank of India has the power to ask for disclosure of measures in place. It might not be easy to segregate the platform data from personal data. Therefore, an RBI directive can cause unintended difficulties for payment firms.
For global players to create subsystems for India, it certainly becomes a concern from the point of view of the profitability and business model. Not every payments business has sensitive data. The conditions must not be sweeping and we should clearly define what should be localised and this should not be all data.
We also need to understand from companies as to what kind of infrastructure, time and effort is required to do it. This should not hamper growth.
Many large enterprise tech companies have their global R&D centres here. Do you see this model under threat over the long-term, when all countries start demanding that their data should not be transported to foreign countries?
India is a large market and has a large talent pool. So these companies are here for the long run. I don't want to speak on their behalf on this topic but what I can say is such norms will create obstacles and raise the cost for consumers too.
For smaller companies whose data is stored in the overseas cloud now, this will matter more.
There is even a proposal for an e-commerce regulator...
The idea of a regulator for e-commerce should be revisited because it is difficult to have a separate legal framework for everything. We have several sectoral regulators and we need to strengthen those for protection.
A lot of offline players are getting into e-commerce and consumers might not have enough recourse to challenge any failures on the part of the companies.
What we need to do is increase consumer confidence in e-commerce platforms and their merchants. We should let free markets work as long as they are working.
Do you think nationalism has been a primary consideration rather than consumer protection or prevention of market manipulation?
We don't want to imagine whether the intent was from the nationalism perspective or not. From our perspective, we see a set of provisions which are not balanced. A lot of these regulations will play an important role and need to be debated and discussed. Some of the ideas might not be good for promoting industry and business and e-commerce.
The role of the government is to promote a level playing field for everybody. We have not seen the original draft and hence it might be a bit early for us to deliberate at length. These issues are evolving as we speak. It raises concerns for those parties who could be affected and we should minimise those sorts of outcomes.
Everything has to be seen with the original objective in mind and we have to constantly evaluate the policies in light of the objectives. Creating high-quality regulatory authorities can be challenging and it takes time. For capital markets, Securities and Exchange Board of India (SEBI) is considered a good regulator but it took many years and had to overcome many challenges for it to reach that status. A data protection authority has an enormous challenge as it is dealing with an abstract concept. It would be wise to invest in its capacity.