Fixing data protection laws

Five years since the govt's first attempt, the goal of an all-inclusive data protection statute remains elusive

Sayan Ghosal
Last Updated : Jul 10 2016 | 9:00 PM IST
WhatsApp, the over-the-top (OTT) communication platform, recently got a reprieve from the country's apex court. However, there might yet be trouble brewing on the horizon for these immensely popular internet-based messaging services.

A new petition against WhatsApp sought to ban the company from continuing its operations in the nation on grounds of a potential threat to national security, after it introduced end-to-end encryption on its services earlier this year.

These events have again raised pressing questions regarding India's data protection regime and attitudes toward encryption-based technologies. The data protection scenario has had ups and downs in the past, often leading to criticism about its unconsolidated and potentially regressive approach.

"Data protection has not been given much priority. Our societal backdrop and joint family orientation have not prioritised the need for privacy till very recently," said Pavan Duggal, cyber law expert and advocate, Supreme Court.

At present, the only data protection measure in force may be found in the Information Technology Act of 2000 (IT Act). These cursory provisions merely outline a compensatory approach against body corporates for failures to protect already acquired data, and penalties for hacking of computers and breaches of personal data in specified circumstances.

It was only in 2011, alongside the proposal of the Aadhaar data collection initiative, that an attempt was finally made to create a comprehensive data protection framework. Unfortunately, the resulting draft of the much-awaited law was strongly opposed by intelligence agencies, over several concerns relating to national sovereignty. This resulted in the initial Bill being significantly re-moulded by the government.

The modified proposal, then, met with severe resistance from citizens and activists, due to the disproportionately wide powers sought to be given to the government for digital surveillance and espionage.

This longstanding deadlock resulted in implementing the Aadhaar scheme without a dedicated data protection mechanism. There has since been no appreciable movement on the subject and the goal of an all-inclusive data protection statute remains highly elusive.

According to Rahul Sharma, senior consultant, Data Security Council of India, not having a comprehensive data protection system is costing the Indian outsourcing sector a little over $7 billion every year. He says these figures could escalate, as other Asian countries such as the Philippines, South Korea, Japan, etc, are rapidly upgrading their own data privacy regimes.

India's current approach towards data encryption has been equally irregular. The country had failed to introduce any specific laws dealing with this technology till as recently as 2008. That was when the first regulatory mechanism on the topic was finally introduced as part of an amendment to the already present IT Act. The additions provided broad powers to the government for monitoring, intercepting and decrypting data, on several prescribed grounds.

Further authoritarian provisions mandated compliance requirements on companies and individuals to assist the government in all decryption efforts and prescribed harsh penalties for failures to do so.

In pursuance of these empowering provisions, the government introduced a draft national encryption policy in 2015. This drew sharp criticism from several factions, which considered the proposal a move to curtail technological advancement, in the guise of providing clarity on the encryption scenario.

Another significant concern was related to the possibility of fixation of maximum encryption standards, an unprecedented move, never undertaken by any other nation. According to Rahul Matthan, partner, Trilegal, encryption is now hardwired into the internet and essential for activities like online banking and web-based communication. "If a government prescribes a maximum threshold of permissible encryption, it will cripple the development of these technologies," said Matthan. In the backdrop of the furore, the government finally succumbed to the extensive public disaccord and eventually withdrew the draft proposal in its entirety.

In the present setting, only sector-specific encryption standards must be followed by entities operating in India. Even among these, there are incongruities with regard to maximum and minimum requirements between sectors. These highlight the pressing need for conformity in the Indian encryption regulation situation.

According to Sharma, a new committee has been constituted to re-draft the earlier withdrawn policy, with changes as required. "The objectives and limits of the future policy must be clearly defined. Prescribing minimum and maximum standards both have significant challenges that must be carefully considered."

INDIAN DATA ENCRYPTION STANDARDS
  • Reserve Bank of India: All internet-based transactions must be authenticated using a user ID and password. 128-bit SSL (Secure Sockets Layer) encryption must be used as the minimum level of security

  • Department of Telecom: In line with the mandatory licensing requirement for Internet Service Providers (ISPs), the use of bulk encryption is not permitted. However, encryption up to 40-bit key length in the symmetric key algorithms is allowed. Any encryption higher than this may be used only with written permission of the government

  • Securities and Exchange Board of India: Prescribes 64-bit/128-bit encryption for standard network security

First Published: Jul 10 2016 | 8:59 PM IST
