Data, Data Centres, Data Protection: India
This is a collection of articles archived for the excellence of their content.
Availability of data
As in 2019
The government made a strong pitch for using data and analytics for social welfare and citizen empowerment, and also made a case for greater engagement with the private sector in processing non-sensitive information. However, it said a focus on user consent and privacy should be the cornerstone of the effort to make it a safer process.
“In the spirit of the Constitution of India, data “of the people, by the people, for the people” must therefore become the mantra for the government,” the survey said. “… economic theory predicts that economy should have, by now, seen a surge in efforts to harness and use data. This has indeed happened, but only partially.”. It said while private companies have harnessed user data as a profitable business model, a lot still needs to be done in many social-welfare areas where the government should step in. “… government intervention is required in other areas where private investment in data remains inadequate. The social sectors of the economy, such as education and healthcare, have lagged the commercial sectors in exploiting data… To ensure that the socially optimum amount of data is harvested and used, the government needs to step in, either by providing the data itself or correcting the incentive structure faced by the private sector, depending on the nature and sensitivity of data.”
Privacy of data, however, needs special focus as efforts towards harvesting information get stronger, the survey said.
The survey also said while there is a fair amount of information that is already collected about citizens, such as birth and death records, tax statements, census data, and health and education information, they are not harmonised and collated together to bring out confirmed trends. “Data collection in India is highly decentralised… if these different pieces could be put together, we would find that the whole is greater than the sum of parts.”
On fears that government may misuse and get unbridled powers through the huge citizen database, it said, “… this is far from the truth. First, large quantities of data already exist in government records, and the objective is only to use this data in a more efficient way.”
As existing paper records get digitised, there is a need for a parallel initiative to convert very process of data collection into a digital one, as agsinst collecting on paper first and converting to a digital format later.
On giving certain kinds of data to private companies, it said this should be done with all necessary security safeguards.
Average Data usage in India, 2015-21
General Data Protection Regulation
Salient features: 2018
Come May 25, and internet and tech companies that handle user data of any sort will have a new legal provision to comply with. The General Data Protection Regulation or the GDPR is a new law that came into force in the European Union in May 2018.
What does the GDPR do?
What does the law say?
The EU law comes into force on May 25, and decrees that consumers or “data subjects” have right to erasure of their data and a right to port their data from one place to another. It also places a premium on the data subjects’ consent to collection and processing of data. Although the law is being introduced in the EU, its ramifications extend the world over. That is because it is not focused on regulatory measures for tech companies, but rather on the protection of EU citizens and their data. Since internet and tech companies the world over handle data from across the globe, the consequences of breaking the law extend to them. The law was introduced in 2016, with data controllers and processors the worldover given two years, until this year’s May deadline to comply.
What is at stake?
In April, a Goldman Sachs report said that Facebook, which got 24% of its global revenue from EU, could suffer a negative impact of up to 7% because of GDPR. That month, Facebook recalibrated its operations in such a way that non-EU users, who earlier fell under Facebook’s Ireland incorporation, were shifted to the US-based counterpart.
What's the status of Indian companies when it comes to compliance?
Experts and industry watchers say Indian companies are still behind when it comes to GDPR compliance. “We have been speaking with organisations for the last 18-24 months. Most companies have woken up to this only six months ago. Some of the Fortune 500 companies and other MNCs have done good work in data discovery and information flow mapping. Smaller organisations are not well-prepared. They feel it is a distraction from core business,” says Shree Parthasarathy, national leader for cyber risk services, Deloitte.
Industry bodies in India are attempting to handhold companies through the regulatory maze. Nasscom and the Data Security Council of India held familiarisation workshops in March in Delhi, Mumbai and Bengaluru. “Nasscom has also launched a GDPR Helpdesk for member companies to have their questions resolved,” says Gagan Sabharwal, senior director for global trade development, Nasscom.
What does it mean for Indian users of internetbased services or products?
You will continue to use online products and services the way you did. The EU law is not designed to protect citizens outside of it. Indian businesses handling EU user data, however, will have to take another look at the way they collect and use data or face massive fines.
THE DATA BUSINESS
The revenues of the Indian Data Centre industry, 2014-19
City-wise share of data centre inventory, as in June 20 22
India and the world
Data Centres in India and the world, presumably as in 2020
Data Centres in India and the world, presumably as in 2021
Verified registration on social media
The data protection bill aims to come out with social media hygiene that may ask firms such as Facebook, Twitter or Instagram to enable individuals voluntarily identify themselves before registering, giving them the status of verified users. This will help platforms sift out, and make public, unverified individuals who troll people, including personalities & women.
Bill wants users to identify themselves before registering
The data protection bill aims to come out with a new social media hygiene that may ask companies such as Facebook, Twitter or Instagram to enable individuals to voluntarily identify themselves before registering, giving them the status of verified users. This would help the platforms sift out unverified individuals who generally troll people. Also, the bill may specify certain registration conditions that may ask social media companies to identify those who are registering on their platforms abroad, but posting in India. “The idea is to make the platforms more responsible,” an official source said, adding that the architecture of verification will need to be worked upon. “Also, any verification has to be voluntary.” TNN
Bill allows storage of non-crucial data abroad
Your personal data, such as what you order online, or where you shop online or destinations that you go to, can be freely taken abroad and stored and processed on international servers by internet giants. They do not need to keep a mirror copy of the information in India, as had originally been stipulated in the draft bill that created the architecture of India’s personal data protection law.
The Cabinet gave the nod to an updated version of the data protection bill that aims to protect the rights of an individual over data he or she generates, especially erecting safeguards against the flow of sensitive information such as a person’s financial or health statistics, passwords, sexual orientation, biometric details, religious and political beliefs. The bill proposes that firms mandatorily store sensitive personal information on servers located only in India, with no mention of provision for non-sensitive data.
Data bill proposes ₹15cr fine, jail up to 3 yrs for violations
The data protection bill proposes that firms mandatorily store sensitive personal information on servers located only in India. The same diktat applies to ‘critical data’, which the government may define/notify from time to time and may include information that, for example, has a bearing on national security, or is military data, sources said. However, the bill does not make any special mention of the provisions related to cross-border movement of ‘non-sensitive and non-critical’ data, which includes information around what you do when online. Earlier, the draft bill had said that companies will need to keep a ‘mirror copy’ of such information on Indian servers, mainly to keep a track of what data is being collected.
For violations (which will be monitored by a proposed Data Protection Authority), the bill mandates a penalty of Rs 5 crore or 2% of global turnover (whichever is higher) for certain offences, while for data leakage or illegal processing, it stipulates a top penalty of Rs 15 crore or 4% of turnover. For serious breaches, senior officials from the top management of the violating company also face the prospect of arrest and jail terms ranging up to three years.
An official source said that the “government is mindful” of any concerns around usage of personal data – even if it is nonsensitive. “Consent is the backbone of the proposed data protection law, and there are clearly-specified checks and balances to ensure that personal data of citizens is not violated, or illegally used or processed,” the source said.
Another source said that in drafting the bill, the government also had to “keep the concerns of the Indian IT industry” in mind. “If any wideranging condition was stipulated on international internet companies to compulsorily store ‘all the data’ in India, a reciprocal condition could have been sought against Indian IT companies doing outsourcing/ business abroad, impacting our over $100 billion exports that happen mainly to the US. Any similar condition on Indian IT companies to compulsorily store data on foreign servers would have increased their costing, and priced them out of many large deals.” The bill also tackles other important issues such as giving an individual the ‘right to be forgotten’, which means that a person can petition internet companies to remove information about him from the web.