The world is rapidly upgrading data privacy regulations. In that regard, European Union is admittedly at the forefront, with its General Data Protection Regulation. It somewhat permeates outside, spreading the good P-rays (privacy rays).

India is a very importan country, the largest democracy in the world. So it is not a surprise that India is also boosting its privacy regulations. The latest draft has been made public recently (find it here). In this post, I am providing a quick summary of the new law, as it contains very interesting content (also, worrying too).

[Update 11/12/19]. The final project is now filed to be proceed in the Parliament. It contains many controversial elements, among them ban on reidentification. All the comments below apply. This is a dangerous clause for research and security/privacy in general.

Fines

Maximum fines for breaches of the regulation in India will be up to fifteen crore rupees (150 000 000 Rs; about 2 million dollars), or 4% world annual turnover, whichever is higher. This penalty is thus similar to the one in the European GDPR.

DPIA

India will deploy a system of data protection impact assessment for certain types of data processing. It is defined somewhat similarly to the European one, so I invite you to read my analysis on DPIA.

Of particular interest is that all concerned companies will be required to submit their DPIAs to the Authority. I'm not sure how scalable it is since DPIAs may typically be technical and complex. So this immediately creates a challenge for the newly established Authority. In other words, how to cope with the flood? That would certainly be an interesting experiment to observe. Even European DPAs can't know the answer to this question, since GDPR, as new as it is, contains no such requirement.

Data Protection Authority

India will get a fully-fledged data protection authority. It will have similar powers to those in Europe. Interestingly, the head of DPA of India does not need to be a lawyer (experience in data science, data security, etc. also in line). This puts the focus on technical knowledge.

Together with the previous point, it is clear that quite a lot of qualified people will be needed, especially in the beginning. Let's hope the new DPA will have the right advisors to know how to move forward with that.

Data localisation

India is implementing cyber-sovereignty rules in its data privacy regulation, explicitly stating that copy of data needs to be stored on Indian servers. Furthermore, some types of data may need to be stored in India, exclusively. This means more control in hands of the state, but also additional requirements for local companies, and those foreign providing cloud storage service.

Banning privacy research

Wait, what? Apparently, India plans to penalize reidentification, which is one of the major parts of privacy research. Research that makes us all safer. This is admittedly a major problem. In 2017, the United Kingdom had a similar proposal in the draft Data Protection Bill. I analyzed and described the issue here, so feel free to have a read, as it stands here entirely.

Fortunately, the UK has fixed the issue by implementing a reasonable compromise, allowing research made in good faith (read about it here).

I am not sure how the same idea arrived in the India proposal. Perhaps it came from Australia, which also considered similar regulation?

That said, it is not too late for a suitable update, and let’s hope this will happen. Banning privacy research is not only a counter-productive non-solution that will lead to more harm than benefit. It is also an example of not-the-best technology policy. Finally, banning reidentification will not magically fix broken designs or vulnerable systems.

Summary

Indian data protection regulation implements a lot of great ideas. Among them are DPIAs, Right to Be Forgotten, Privacy by Design, and others.

Unfortunately, in the current version, there is a substantial problem. Risking the banning of parts privacy research is not a good idea. This is a dangerous idea. Especially considering the risk of the idea flowing further to the potential regulations of other countries (for example, in the region). It is furthermore a viable question to ask how the European Union should proceed with a potential future “adequacy” (equivalency with respect to GDPR) decision, considering the impact on research.