Data is one of the most valuable assets in our current global economy. The data revolution is similar to the game-changing industrial revolution in spurring innovation by leaps and bounds. Data-based services encroach upon every realm of our existence and their impact is significant. Just 15 or 20 years ago, the innovations of today would have been inconceivable except in the heads of research scientists or sci-fi fiction writers.
The innovation boom can be attributed to the freedom that the internet granted by breaking down global barriers. Data-sharing across continents in the blink of an eye, and storing and processing data using cloud-based technology proved cost-effective and permitted small-businesses to compete on an equal footing with big corporations.
Unfortunately, together with the freedom and innovation we enjoy, governments and corporations have to contend with data breaches, cyber-security and data misuse. This, therefore, leads to the need for an appropriate structure and guidelines around data protection and security while promoting an environment for progress and honouring free trade agreements.
Keeping this in mind, there are different policies being developed around the globe and they reflect the changing landscape around data protection and privacy. Take the example of the European Union, for instance. India and the EU have had a long-standing history of beneficial co-operation and partnership which needs to be developed and nurtured. The EU is, in fact, India’s largest trading partner comprising 12.5 per cent of our overall trade governed by an EU-India treaty. Over two-thirds of our population is under the age of 35 while the EU has a relatively ageing profile. In the near future, the EU, in particular, can continue to leverage the younger, working-age cost-effective, labour force in India for their needs.
The European Union recently released its GDPR — General Data Protection Regulation — that aims to standardise data privacy laws across the EU. The GDPR is an essential update to an older 1990s’ regulation — and addresses how data is collected, stored and processed in the world today.
The GDPR aims to provide EU citizens with greater rights and transparency over their personal data. Any organisation that deals with EU citizen data, in any capacity, is covered under the GDPR — even if the data is stored outside the EU or in a cloud. This takes into account the fact that in today’s times of multinational corporations and cloud-storage, the location of the data should be irrelevant to whether it is protected by law.
Protectionist policy
The GDPR adopts a more protectionist policy through the ‘Adequacy Principle’. There has been widespread debate about how the GDPR affects developing countries in particular since it stipulates that EU citizen data can only flow to countries that also implement a similar level of data protection and those the EU deems “adequate”. The European IT market is growing at three times that of the US’ and there is a large potential for Indian IT to leverage opportunities in those regions. Since the EU is a large bloc of 500 million customers, countries that do not comply with GDPR requirements risk affecting their data-sharing and cross-border flow. With data being one of the most valuable assets traded in this era, how does that affect our free trade agreement with the EU?
Before the EU GDPR was finalised, a Deloitte study estimated its economic impact on the European economy: reduction of GDP by €173 billion (1.34 per cent of GDP in EU-27) leading to a loss of 2.8 million jobs — combined effect from only four sectors: web analytics, direct marketing, online behavioural advertising and credit information.
In direct contrast, the US has formulated sectoral regulations to protect privacy without hindering cross-border data flows. This benefited growth in our Indian IT industry. The industry may not have scaled if the US did not allow data to flow to India, including financial data of US citizens.
The US ensured privacy obligations with Indian companies through contracts. The US protects and ensures its cross-border data flow with the EU in spite of failing the EU “adequacy” requirement as well through a negotiated ‘privacy shield’ to maintain free trade objectives.
Both approaches are attempts to achieve data protection However, the US approach continues to encourage and promote free market growth while making organisations accountable for privacy violations. It’s not surprising that the world’s most innovative companies have emerged from the US and not the EU.
What could be the most effective data privacy policies for India? The understanding and expectation around notions of privacy and data protection differ across jurisdictions and societies. Clearly, any regulatory framework must necessarily contextualise international practices within national goals and priorities.
More flexibility needed
Let’s consider where India currently stands in the global markets. India is one of the fastest growing economies and a large portion of it is due to the outsourcing market or IT-BPM (Business Process Management) services. The Indian IT sector contributes a tremendous two-thirds of the $120-130 billion market. Our growth opportunities will need to be kept in mind while formulating data privacy laws and complying with global regulations.
India will need to be flexible and adapt to greater demands for data processing. Global requirements for data processing are only bound to increase with the advent of Internet of Things (IoT). With IoT, large amounts of data will be generated on a regular basis from consumers and corporations alike.
Real-time processing demands will increase in order to make sense of the data and glean meaningful business insights. Restricting this growth in India will only increase the risk of losing business to other developing countries and reduce our competitive advantage. Long-term data policies will provide a greater advantage to India-based corporations and increase employment of our working-age population.
Innovation and privacy are compatible — innovation cannot be scaled without adequate privacy safeguards and gaining users’ trust. It is critical to empower users, without over-regulating data collection.
The Indian government is focussed on reducing the risk of data breaches, cyber-fraud, and other security issues. Recently, in the draft National Data Communications Policy (NDCP), a whole section, called ‘Secure India’, is dedicated to data protection — of the rights of Indian citizens while recognising data as an economic resource.
India is on the brink of a data revolution — both from the outsourcing market and a boom in India-based start-ups — and to secure our exciting future in the global economy, we will need data policies that permit growth while protecting personal and sensitive data. After all, as the Minister for Law and IT, Ravi Shankar Prasad, recently said, “We shouldn’t kill innovation in the name of privacy.”
The author is president of Broadband India Forum. Views are personal. Research inputs from Chandana Bala and Kartik Berry.