20 July 2022, Gateway House

India’s Data Security Challenges

India’s technology industry grew 15.5% during the pandemic, and so have cyber-attacks on critical infrastructure and the theft of intellectual property (IP). While an exhaustive data protection bill introduced by MeitY is under consideration, India must study, and can benefit from, Japan’s existing data protection law to protect consumer privacy and implement cybersecurity measures.


India’s digital economy is increasingly important for the country’s future. According to NASSCOM, India’s technology industry grew 15.5% in the last year of the pandemic, with $227 billion in revenues in 2021-22. Technology that digitizes financial services[1] – fintech – leads this surge. Since 2016, when the real-time payment system Unified Payments Interface, or UPI, was introduced, more than 304 banks have signed on.

In March 2022,[2] around 5.4 billion transactions were made worth $128 billion, an astounding number. This will only increase, given India’s 86% tele-density and nearly 800 million broadband subscribers.

The breakneck speed at which the digital economy is being adopted in India brings challenges, particularly in data security.

Privacy and data breach:

By 2024, 40% of large enterprises will expand the use of AI across all business-critical functions like marketing, legal, HR, procurement, and supply chain logistics.[3] This will increase collection and usage of data, including critical and sensitive information. As more data is stored, potential breaches increase the risk of identity thefts, bank fraud and even destabilisation of the economy with ensuing economic losses and political instability.

Cyberattacks and loss of intellectual property (IP):

IP is the heart of every business operation. Historically, cyber attackers have stolen strategic information and sensitive financial plans, but they have recently attacked critical infrastructure and stolen intellectual property (IP), especially trade secrets. Theft of the IP of critical infrastructure could have devastating effects on the global economy and countries’ national security. Hence, a comprehensive data security policy with data protection regulation is urgently needed.

Existing regulations and need for a comprehensive policy framework:

In the absence of a comprehensive data protection law, regulators and agencies have been issuing sector-specific data privacy rules, regulations, standards and best practices, as under:

  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
  • Transfer of data outside India by government officials/departments is punishable if it is in violation of the Public Records Act 1993, the Official Secrets Act 1923, the Email Policy, or the Policy for Usage of IT Resources of Government of India.[4] Ministries and departments may host their servers with third parties, but only within the country, in accordance with guidelines issued by the Ministry of Home Affairs and CERT-IN.[5]
  • The Reserve Bank of India (RBI) has authorised formation of an Account Aggregator framework, a leak-proof conduit for financial data built on the Data Empowerment and Protection Architecture to ensure secure portability of data between stakeholders.
  • In March 2020, RBI issued guidelines requiring payment aggregators to implement data security standards, including framing IT policy, cyber security audits and reports.
  • In September 2021, RBI issued a circular mandating that, from January 2022, (a) no entity other than card issuers or card networks be allowed to store card data, and (b) all such data stored prior to that date be purged.
  • The Insurance Regulatory and Development Authority of India (“IRDAI”) has put in place guidelines on information and cyber security for insurers.
  • Similarly, the Securities and Exchange Board of India maintains guidelines for data and cyber security for stockbrokers, stock exchanges and depositories.

In December 2020, India’s Ministry of Electronics and Information Technology (MeitY) issued a report on the Non-Personal Data Governance Framework. The framework seeks to unlock the economic, social and public value from data to create incentives for innovation and new products, services and startups in India, and to address privacy concerns emanating from re-identification of anonymized data.

An exhaustive data protection bill focused on data localization, introduced by MeitY, is under consideration. India’s first such regulation is along the lines and pattern of the General Data Protection Regulation (GDPR) of the European Union, with certain provisions reflecting the directions followed in the California Privacy Act. Apart from classifying data into three broad categories, namely personal data, sensitive personal data and critical sensitive personal data, it has provisions on explicit consent with respect to sharing of data, data processing and its safeguards, including penalties to prevent misuse. It also defines the government and regulatory role, making it easier for firms to formulate policies. And it addresses the on-going global discussion on the “Right to be Forgotten” rule that gives individuals the right to their own data, including erasure of personal data.

During consultations about the bill, corporations and the political opposition objected to the localisation of data. The opposition also raised objections to Clause 35, which allows any agency to be exempted from all or any provisions of the law, especially on grounds of public order, sovereignty and friendly relations with foreign states. The U.S. Trade Representative, in its latest “Special 301” report, raised concerns over India’s Personal Data Protection Bill and the draft of its non-personal data governance framework, claiming these could threaten India’s innovation and economic growth.[6]

The bill is expected to result in a good balance between localising data and enabling cross-border data flows. The path to interoperability is a work in progress, especially with the Data Protection Bill still under discussion. At present, all corporations in India are free to store data anywhere in the world. The proposed change in the law would keep data local, restricting both Indian and foreign companies from taking data outside Indian jurisdiction. For the most part, the data localisation provision is being viewed positively, as it can create an opportunity for Indian entrepreneurs to develop an Indian data centre industry.[7]

Data localisation:

The Russia-Ukraine crisis has made economies realise the importance of data localisation, that is, restricting the flow of information from one country to the other. In the past, through Chinese apps embedded in Indian phones, China collected vast amounts of data on Indian consumers that it used for security and commercial purposes. This is relevant as the Chinese government mandates its companies share all data with its official entities.[8] As a consequence, these apps were banned from Indian jurisdiction.[9]

Crypto currency:

There is no ban on the use of crypto assets, public or private, nor are there regulations to govern their actual usage. The pending Cryptocurrency and Regulation of Official Digital Currency Bill 2021 is expected to provide a framework for an official digital currency issued by the RBI. Should the bill pass in its current version, it will ban all private crypto currencies, but allow the use of their underlying technology.[10],[11]

Recommendations:

Policymakers and regulators may deploy measures to safeguard against potential threats and address key concerns:

  • Encryption to ensure the confidentiality and integrity of data flowing over networks.
  • Dynamic data masking, tokenisation and other technical measures to protect against cyber threats.
  • Development of an overarching data protection act that moves beyond the piecemeal and incorporates principles of notice, choice and consent, collection and purpose limitation, access and correction, disclosure of information, security, openness and accountability and creates an enforcement mechanism to ensure compliance. The proposed law mandates companies store data within the boundaries of India.

India can benefit from Japanese solutions to protect consumer privacy and implement cybersecurity measures. Besides India, countries around the globe are increasingly moving towards adopting data localisation norms. Africa may consider this a top priority, opening avenues for a closer collaboration between Japan and India, as localisation norms will necessitate state-of-the-art cyber security tools, techniques and practices that both India and Japan can facilitate.

China has been the world’s toughest censor of internet freedom. Numerous signs suggest Chinese surveillance on the African continent is pervasive; India and Japan should take this opportunity to help Africa regulate towards competitiveness and safety in digital economies. This can be done by jointly investing in digital public goods[12] such as fintech platforms developed under the India Stack[13] umbrella.

In addition, India and Japan’s partnership could benefit those fighting for online freedom of expression and political pluralism in Africa’s transitional democracies. China’s presence on the African continent has raised concerns that it may be imposing internet censorship as it imports digital technology. The risk of technical failure fades in comparison to the risks to national security and the data privacy of individuals.

Khushbu Jain is Partner at Ark Legal

This essay is part of a paper ‘Analysing India’s Economic Security Challenges’.

The views and opinions expressed in this paper are solely those of the authors. The views expressed in the paper do not necessarily reflect those of NEDO.


©Copyright 2022 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorised copying or reproduction is strictly prohibited.

References:

[1] https://nasscom.in/sites/default/files/media_pdf/India-set-for-the-rising-techade-as-industry-revenues-soars-past-dollar-200-billion.pdf

[2] https://www.npci.org.in/what-we-do/upi/product-statistics

[3] https://www.idc.com/getdoc.jsp?containerId=prAP48910222

[4] https://thedailyguardian.com/privacy-and-security-of-video-conferencing-apps/

[5] https://www.hindustantimes.com/india/no-pvt-servers-for-govt-sites/story-yc1xCDww7ZEV7rj57FevfP.html

[6] https://www.business-standard.com/article/economy-policy/india-s-personal-data-protection-bill-may-threaten-innovation-growth-ustr-122042800477_1.html

[7] https://www.sundayguardianlive.com/legally-speaking/data-localisation-way-world-headed

[8] https://yespunjab.com/chinese-app-ban-essential-to-protect-indias-data-sovereignty-by-khushbu-jain/

[9] https://yespunjab.com/chinese-app-ban-essential-to-protect-indias-data-sovereignty-by-khushbu-jain/

[10] In 2013, the Reserve Bank of India warned the public against investing in crypto-currency, and in 2018, prohibited its regulated entities from dealing in virtual currencies. The finance ministry neither accepts this virtual asset as legal tender nor criminalises it.

[11] https://www.sundayguardianlive.com/legally-speaking/crypto-laundering-challenge-regulators

[12] https://digitalpublicgoods.net/

[13] https://indiastack.org/
