BN Srikrishna is a genial, 77-year-old former Supreme Court judge who recites Shakespeare and Sanskrit scriptures with equal facility. But he’s making the likes of Google, Amazon and Facebook more than a little nervous.
As per a report in Bloomberg, Srikrishna is leading the effort to draft new data-privacy law for India that will regulate how tech giants from the US and elsewhere operate in the nation of 1.3 billion. His recommendations carry particular weight because India is already the biggest market for companies like Facebook and offers enormous potential for dozens more. The committee Srikrishna helms will send its bill to the government this week.
The committee was formed in July-August 2017 by the Government of India.
They’re going well beyond the hands-off American approach that preceded fiascoes like the Facebook breach, which facilitated Russian meddling in the 2016 presidential election, or the Equifax hack, which exposed personal information of about 145 million people. He and his colleagues are determined to modernize the country’s standards and protect all citizens.
“India has accelerated from a ‘bail gaadi’ economy to a silicon-chip economy,” said Srikrishna, using the Hindi expression for ox cart. “But privacy and data regulation rules are still far behind.”
India has been careening into the digital age. The number of people with smartphones soared to 370 million users at end 2017, from 25 million in 2012, according to Counterpoint Research. The government has also developed one of the world’s most ambitious biometric identity systems, called Aadhaar, which assigned unique 12-digit numbers to 1.1 billion Indians and registered their fingerprints, iris scans and demographic details. That data is now used for everything from tax returns and property purchases to welfare disbursals and WhatsApp payments.
But this flood of data — and an absence of regulation — has fuelled concern among privacy activists and citizens groups. These concerns have not been without reason.There has been recent cases of data breach. The first instance being a recent data leak in where demographic and bank details about 2 crore Aadhaar card holders were inadvertently exposed from Andhra Pradesh State Housing Corporation website. This was followed by a similar security breach from another AP government website, the Benefit Disbursement Portal of the state’s Wages & Social Security Pensions (Mahatma Gandhi National Rural Employment Guarantee Act or MGNREGA) system. In this case, details of 89 lakh MGNREGA workers, their IDs, names and Aadhar numbers were exposed.
“Data-poor India is rapidly becoming a data-rich economy so having a data protection law is critical,” said Srikanth Nadhamuni, chief executive officer of startup incubator Khosla Labs and former chief technology officer for Aadhaar.
The diminutive, grey-haired Srikrishna discussed the debate during an interview in his Mumbai office. He wants to chart a middle path” between the ‘do-nothing’ U.S. approach and the stringent General Data Protection Regulation just imposed in Europe. “India is India, after all,” he said.
The 10-member committee he heads — comprising academics and government officials — is putting the finishing touches to their bill. The draft will need parliament approval to be enacted.
Currently, foreign companies and hundreds of home-grown startups collect, aggregate, store and process Indian user data unhindered.
The Google-backed delivery app Dunzo, for instance, requires access to a customer’s contact list, location, messages, media files and call information at the time of installation. The company has said that such information is gathered “only to improve the user’s experience of initiating/running a task on the Dunzo App.”
Srikrishna’s framework would rein in such practices. It will detail what is fair use, whether technology giants can transfer data across the border, and how to enforce accountability and penalties for violations. It will also establish whether users can access and control their own data, like with the EU’s GDPR.
Srikrishna retired in 2006 from the Supreme Court. Since then, he has headed several high-profile commissions, including one investigating government salaries. He believes the average Indian has no idea how much data they’re generating or how it’s being used. He contends a mere click of an English-language consent form is inadequate in a country with almost two dozen official and hundreds of other languages — and low literacy.
“Should we then have pictograph warnings for consent, like they have on cigarette packs?” he asked. The country has no culture of privacy either: Only last year did the Supreme Court rule that privacy is a fundamental right.
The biggest challenge according to Srikrishna is not drawing up laws but enforcing them. His own job ends when he submits the draft this week, but he knows that won’t be the end of the debate.