It's about time India put into law policy on data protection: Nader Henein

Nader Henein, VP Analyst, Gartner
India's Personal Data Protection Bill, which has been in the making for about five years, is delaying business decisions because of lack of clarity, said Nader Henein, Vice President Analyst at Gartner. In an interview with Neha Alawadhi, he spoke about the difficulty organisations and governments face when it comes to issues like lawful access to information and breaking encryption.

Edited excerpts from the interview conducted over video:

What do you think of the current privacy frameworks in India?

In terms of privacy and personal data protection, I've been tracking the Indian legislation since the formulation of the Srikrishna committee... (and) it seems like it's dragging. It's about time something was put into law or at least put it down for a vote, and it can perhaps be fixed if there is something broken with it.

When you're doing business with international organizations, you're expected to maintain a certain standard, and that standard has been set by the European Union's General Data Protection Regulation (GDPR), it helps businesses when you have local legislation that aligns with that. 

In South Africa, something similar happened with the Protection of Personal Information Act (POPI) Act, which was proposed in 2013 and [was] just passed this year. Potentially, there's nothing to stop India from introducing their own legislation, and achieving adequacy with the EU a few years later. So Japan did that a few years ago, passing their own privacy legislation, and they achieved adequacy with GDPR. What that means is that information can flow between Europe and Japan without restriction. So, when a European company is looking to invest or work with a Japanese company, the risk for them is far lower because of that adequacy agreement. 

How did businesses manage in South Africa during the time the POPI Act was passed?

A lot of organisations put in a lot of effort to prepare for the POPI Act, because they didn't want it to pass overnight and then have a very limited time for compliance. Eight years later, a very different law is amended and passed. Instances like these erode organizations' faith in the value of compliance or early compliance, and they transition to this wait and see type of company where they don't care until the next time a proposed legislation passes.

Do you think there is over regulation in India with regard to data that causes overlap across different sectors?

You try to apply regulations to either a sector or the actual information. For example, the GDPR applies across every single sector; there are no exemptions. There are certain things called derogations but they're defined within the regulation. Any other law that passes needs to align itself with the GDPR. 

So for example, in the US, California has the California Consumer Privacy Act. It creates carve outs for healthcare, and it creates carve outs for finance. This has to be done because otherwise, organizations will challenge laws in court saying they're contradictory. So for example if the privacy legislation says you have to delete information after three months, and other legislation says you have to maintain the information for up to six months. That's very confusing for organisations. 

There is a view that companies' privacy policies should not supersede Indian law. Recent examples are WhatsApp's updated privacy policy and Twitter's pushback in the face of takedown requests from the government.  How do you see a good solution?

There is no easy answer. On one hand, a company the size of Twitter that has global coverage, would have a very difficult time operating if they had to apply different rules in every different country. In some instances, you can change your product from one country to the other, but sometimes you don't have that option. In the case of Twitter, maybe you can make rules based on IP addresses, but let's say for example in the case of Apple or Android, when you're building devices, and those cannot easily be changed. 

Regulation needs to hold companies responsible to a certain extent, but this is going to be a big debate. 

Is it more complex in the case of encryption and lawful access?

It continues to be a big debate, and this has been a big subject since the mid-90s, if you remember the clipper chip and key escrow. This is when the US government was trying to get encryption providers to introduce a backdoor into their product, so then the government can gain access to information. Their argument was terrorism or child abuse. The counter argument to that is, you're then putting everyone else at a disadvantage to target a minute portion of the population. Balancing that is very difficult and it changes.

As long as there is privacy, and as long as there are bad people doing things, there's going to be a point in the middle where the government's right to gain access to information is going to always push against the rights of an individual to maintain their privacy.

Business Standard is now on Telegram.
For insightful reports and views on business, markets, politics and other issues, subscribe to our official Telegram channel