India is following Europe down the data protection path, with a bill criticised as a mixed bag of good and bad laws being proposed on Friday.
There's to be a data protection authority with the ability to impose fines; individuals get some new rights over how their data is handled, but not as broad as those granted in Europe's GDPR; and local storage requirements are criticised as being at odds with the rise of the cloud.
However, India has followed other countries in proposing restrictions on research into re-identification of anonymised data.
The Ministry of Electronics and Information Technology (MEITY) published the proposed legislation on Friday.
The bill would expand regulation of data collection by requiring organisations to conduct data protection impact assessments, which would be submitted to a data protection authority.
There's also a right to be forgotten in the bill, a requirement that data be made portable between organisations (for example, to make it easier for someone to move from one bank to another, and take their data with them), and rights to view and correct data.
A “data fiduciary” – anyone collecting the data – is required to take a “privacy by design” view of their systems, the law states. This puts an onus on data collectors to protect the subjects of data collection in a way that will “anticipate, identify and avoid harm to the data principal”.
That goes beyond technology design and implementation: organisations collecting data would be required to implement “managerial, organisational, business practices and technical systems” that protect privacy, be transparent in how they collect and process sensitive personal information, and implement “de-identification and encryption” as part of their protection of sensitive data.
However, the legislation stops short of the GDPR in the matter of individuals' right to object to collection and/or processing.
“Cyber sovereignty” under attack
Similarly to Europe's GDPR, India's Personal Data Protection Bill proposes penalties sufficient to sting most organisations: up to around US$2 million for a breach (150 million rupees), or 4 per cent of a company's global turnover, whichever is higher.
There's also a “cyber sovereignty” clause in the bill, requiring that organisations collecting personal information must maintain a copy in India, and for some types of data, overseas storage would be banned.
The bill has had a mixed reception in India and internationally, however. Speaking to The Hindu, Mozilla Foundation chair Mitchell Baker said she was concerned at the exemptions granted to government in the bill.
While the act requires law enforcement use of personal data to be “necessary and proportionate”, disclosure in legal proceedings carries very broad exemptions, as does processing personal data for research or archival purposes.
In a blog post, Mozilla welcomed biometric protections in the bill, which the organisation said could close “lax limitations on the handling of Aadhaar data”.
Aadhaar has been criticised for data breaches dating back at least to March 2017.
The Data Security Council of India has outlined its responses to the bill in a PDF submission.
The DSCI welcomed the bill's child protection measures, but CEO Rama Vedashree told The Hindu that the localisation requirements were “regressive”.
The other serious criticism of the legislation is over its ban on re-identification research, since it would treat academic researchers as harshly as it would treat “black hat” hackers.
To protect the anonymisation requirements imposed by the bill, India proposes that re-identification be criminalised unless the research is conducted in co-operation with the organisation that collected and holds the data.
Any person who, knowingly or intentionally or recklessly— (a) re-identifies personal data which has been de-identified by a data fiduciary or a data processor, as the case may be; or (b) re-identifies and processes such personal data as mentioned in clause (a) without the consent of such data fiduciary or data processor, then such person shall be punishable with imprisonment for a term not exceeding three years or shall be liable to a fine which may extend up to rupees two lakh or both.
The fine is equivalent to around US$3,000.
The problem with requiring organisational consent to conduct re-identification research is that a company or government department that's worried about the quality of its anonymisation might not agree to have it tested.
Privacy researcher Lukasz Olejnik blogged that privacy research “makes us all safer,” remarking that “banning reidentification will not magically fix broken designs or vulnerable systems.”
In January the UK dodged the same bullet, with its legislation permitting such research on the condition that boffins act in the public interest and inform the Data Protection Commissioner of their work.
Under now-retired Attorney-General Senator George Brandis, Australia had the dubious honour of leading the world in re-identification research bans, in the form of legislation first tabled in October 2016.
Brandis has since left parliamentary politics to take up the post of High Commissioner to the United Kingdom, and the legislation has so far stalled. ®