Lack of a Digital Law Exposes India to Chinese Cyberthreats

By Aishwarya Jagani

India is in dire need of a data-privacy law, experts told Digital Privacy News, but they continue to raise concerns about a 2019 proposal that is being studied by a joint committee of Parliament.

“India, as of today, neither has a dedicated law on data-protection and privacy — nor has extensively adopted any international guidelines on privacy or data-protection,” said Saikiran Kannan, an open-source intelligence analyst in Singapore and a writer for India Today and Zenger News.

“There are some specific provisions on privacy listed in the Information Technology Act of 2000 (IT Act),” he added. “But these are very basic laws when compared to countries like U.S.A., Singapore and U.K.

“They can so easily be subverted — and the judicial proceedings in such cases take a long time to prosecute,” Kannan said.

Experts cited the banning of more than 220 Chinese-built apps last year by Indian Prime Minister Narendra Modi’s government out of fears they threatened national security.

Modi officials did not return requests for comment from Digital Privacy News.

China’s growing cyberpower makes it a viable threat to many countries, but Beijing is menacing particularly to India because of its sparse data-protection laws, Kannan said.

“While the internet and smartphone-penetration rates in India are the fastest-growing numbers in the world, the understanding on data privacy and security is greatly lacking,” he told Digital Privacy News.

“Chinese mobile applications have always looked to misuse this globally.

“In India too, there are hundreds of Chinese mobile applications that collect more data fields, when compared to their non-Chinese counterparts.”

“While the internet and smartphone-penetration rates in India are the fastest-growing numbers in the world, the understanding on data privacy and security is greatly lacking.”

Saikiran Kannan, intelligence analyst, Singapore.

Kannan added: “Given the history of how cyberattacks originating from China affect countries across the globe and the industries they target, it is important to acknowledge and recognize the threats associated with cyberattacks.”

The absence of a national data-privacy law also leaves Indian citizens open to possible government surveillance, experts said.

Further, tech giants like Facebook and Google easily are able to collect and access the data of millions of users, without attracting huge lawsuits as in the U.S. or Europe.

“Very soon, tech giants would be able to access biographic data — which, in addition to behavioral and web-activity data — would give tech giants access to more personal data than an individual consciously knows about themselves,” Anup Srivastava, associate professor at Haskayne School of Business at the University of Calgary, told Digital Privacy News.

“No single organization should be allowed to access so much data, least of all, for commercial purposes,” he added. “This is no different than signing off an individual’s most important property rights to a few American capitalists.”

Supreme Court Ruling

India’s digital space currently is governed by the IT Act and an August 2017 decision by the Supreme Court of India ruling that declared privacy a fundamental right, protected by the Constitution of India.

After the decision, a committee chaired by retired Justice B.N. Srikrishna, was organized and charged with drafting stronger data-protection laws.

Using Europe’s General Data Protection Regulation (GDPR) as a model, Srikrishna’s panel drafted the Personal Data Protection Bill, releasing it in July 2018.

It would bar the processing of personal data by companies without a clearly defined purpose and would give consumers the right to give or deny consent to process the data.

The draft also would require digital companies to store sensitive data — financials, health, sexual orientation, genetics, transgender status, caste and religious beliefs — and critical data, categorized as military or national-security information, only on servers within India.

Revised Bill in 2019

After soliciting comments from the public and other stakeholders, a revised bill was introduced to India’s lower house of Parliament in December 2019.

The bill was referred to a Joint Select Committee, composed of members from the lower and upper Parliament chambers, and was presented to the full lower chamber, Lok Sabha, for consideration last February.

However, the final bill — which would impose maximum penalties of more than $2 million and three years in jail for company executives violating privacy laws, was expected to be tabled for discussion by Parliament in the upcoming budget session, according to news reports.

Ravi Shankar Prasad, India’s minister of law and justice, who introduced the revised bill in Parliament, did not return requests for comment from Digital Privacy News.

But while privacy experts welcomed legislation to create a comprehensive data-protection in India, they also have pointed out flaws in the bill.

 “Such a bill is really important to streamline data-collection and enforce data governance,” Kannan told Digital Privacy News. “Plenty of good things will happen when this happens.”

He also noted that the Srikrishna committee “only asks companies to store a ‘copy’ of Indian citizen data within India. It does not say the data ‘only’ has to be stored within India.

“One cannot rely on American commercial organizations to act totally in India’s national interests.”

Anup Srivastava, University of Calgary.

“This means the data can still go back to the U.S., Singapore or China.

“This looks like an attempt to go easy on biggies like Facebook or Twitter, unlike other nations,” Kannan said.

Government Gets a Pass

Calgary’s Srivastava noted that the proposed legislation would allow the government to bypass certain restrictions.

For instance, he cited: “All or any of the provisions of this act shall not apply to any agency of the government in respect of processing of such personal data.”

The collected data could be used for political surveillance, Srivastava argued, and digital companies could be asked to provide anonymized data to the government without user consent.

“On one hand, the government would have more access to data than any commercial organization, which can be misused or abused for political gains,” he told Digital Privacy News.

“On the other hand, India must protect its sovereignty and use its citizens’ data for more targeted welfare programs.

“One cannot rely on American commercial organizations to act totally in India’s national interests,” Srivastava observed. “They don’t even pay their share of taxes, despite earning billions in profits.”

But he acknowledged, “There is no perfect solution.

“In an age where data can be used to wage war and undermine national interests, I would side with the government,” Srivastava said, “while hoping that checks and balances imposed on the government would work to prevent the misuse of data by the government.”

Aishwarya Jagani is a writer based in India.