Indian companies, however, have different compliance protocols, answerable as they are to the Indian state.
Courtesy Aadhaar, the demand for an appropriate privacy law in India has come to the forefront. The privilege of an individual citizen’s data is extremely important, not just because of Aadhaar but because large Internet companies are among the world’s leading hoarders and miners of user data.
Directly obtained data, information derived from usage patterns — it could be something as simple as your mobile phone company knowing your route to work and where you stop every evening for a drink — and the ability of technology to draw upon ambient noise and learn habits about your consumption and lifestyle that you may not quite have shared: the risks to privacy are both innumerable and inevitable.
In much of the world, the real debate about data is not so much about a national identity card used for accessing public services — or indeed the creation of an identity platform such as Aadhaar on top of which service providers, public and private, can build and base their apps. The real debate is about large Internet companies — whether Facebook or Google, Amazon or Microsoft — that are repositories of enormous data.
The more we use these Internet services, the more data we share with them. The more we share with them, the better they tailor products and user experience for us. The better they tailor products and user experience for us, the more we use them. Since many of these companies happen to be American, the data about users from other countries usually lies in servers in the United States. Access to them is controlled by US law.
There is a perception — and to be honest, this is often a contested perception — that US law enforcement agencies have easier access to this data than other jurisdictions. In particular, the theoretical likelihood of the data of a non-US citizen — say an Indian or a South Korean — being more easily accessible to the US government than to his or her home government has exercised both privacy activists and diplomats. What if, as is commonly understood, the US government is less sensitive about the privacy rights of aliens (non-citizens) than its own citizens?
Different countries have responded differently to this challenge. In China, international Internet companies have virtually been driven out by policy and regulatory norms that actively discriminate against them. Whether Twitter, Facebook or Amazon, the Chinese have promoted their own alternatives and have kept user data at home. In parallel, the availability of such data has become an instrument of the surveillance state.
Yet, this is not a black-and-white model. Take WeChat, a Chinese messaging app that is roughly the equivalent of WhatsApp. Recently WeChat was banned in Russia, a country that is politically friendly to China. This was part of a clampdown on international social media companies and the desire of the Russians to control user data. Ironically, while targeting a Chinese company, the Russians were borrowing a surveillance policy that had been inspired by China.
The European discussion is more complex. The battle with the American Internet giants is slowly moving from an obsession about privacy to a need for governments to access data to anticipate and punish acts of terrorism. This shift in nuance has been very marked since the Paris attacks of November 2015 and has gained ground with every subsequent terror strike.
Governments in the United Kingdom, France and Germany are believed to be coordinating an effort to get American Internet companies, particularly encrypted messaging apps, to part with data of suspected terrorists, if the request is backed by a court order in these three countries. How such a request and court order will play out in the US and what role if any the American government will have remains an imponderable.
In Germany concerns about consumer privacy and data being “exported” are growing. New regulations make “opting out” the default, and this is relevant if a user does not want his search history shared or mined by a search engine for collateral purposes. It is worth noting the US Congress has just permitted Internet service providers in that country to sell subscriber data, including websites visited and products bought online.
Consumers have to specifically opt out if they want their data not to be sold. Of course, in turn ISPs may end up offering differential tariffs to those who opt in and those who opt out.
How does India respond? End-to-end encryption in messaging apps is welcomed by users but has law enforcement agencies paranoid. Seeking information from an American company currently requires approval from the department of justice in Washington, DC, federal courts in the US and the Federal Bureau of Investigation. Only then can the home ministry in India get the user data it wants. This may seem fair if you don’t trust the government as an entity — but it does amount to trusting US government agencies more than Indian government agencies. That is obviously illogical.
Indian companies, however, have different compliance protocols, answerable as they are to the Indian state. They cannot take recourse to privacy and encryption policies that their international competitors do. This creates an unfair advantage for the latter and is not sustainable for a healthy, home-grown Internet start-up space.
Related to data access and data privacy is the phenomenon of data security. To protect sensitive personal data, such as medical histories, financial records and biometric information of citizens, should such data be stored in servers located in India — free from the physical jurisdiction of a foreign government? Today, most of the Internet economy’s giant data centres (encompassing many thousands of individual data servers) are located in the US.
It is not feasible to have data centres in several countries — that would not be cost effective — but India, with a large Internet user base, could make a strong case. Locating data centres in India would also be a magnet for investment and make India a backbone of the global Internet. Social media and e-commerce companies with substantial Indian users could be incentivised to use these data centres. This would apply equally for Indian and American owned companies.
Having said that, such an approach requires policy clarity and recognition of a degree of encryption and user privacy as a general norm for the Internet — across domestic and international companies. It requires a privacy law that is fair and contemporary, given our data-rich age. It requires legal and policy assurance from the Indian government that Internet companies, irrespective of ownership, will not be answerable to casual and informal requests, or even bullying, by police and government officials. The example with telecom companies is there for all to see.
Without that certainty, the Indian data debate will not make much progress. Without that certainty, large-scale investment in and relocation of data centres to India will not happen. Without that certainty, Indian Internet and tech start-ups will not have a level-playing field.