Data Protection – From A National Security Perspective
Excerpts of A Workshop Conducted at CSRC PEC
As India moves towards a digital future, the importance of personal data of its citizens is becoming crucial to protect national interests. Much of the debate on this subject is centred around an individual’s right to privacy. As the Supreme Court observed in Puttaswamy, “Informational Privacy is a facet of right to privacy. The dangers to privacy in an age of information can originate not only from the state but non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.”
In order to formulate a data protection law, the Government of India has constituted the Justice Srikrishna Committee that has drafted a white paper, which outlines some important issues, which require incorporation in the law. The White Paper has sought public comments on the shape of the data protection law. The White Paper is an extremely comprehensive compilation, which not only brings out the key facets of data protection but also studies provisions from laws of other countries to evaluate best practices.
Most of the analysis in the White Paper has looked at data protection from the prism of protecting an individual’s right to privacy, while ensuring that it does not become so overpowering that it hinders freedom of expression, research, artistic rights, law and order requirements etc. However, if there is one area that the White Paper has not focused on, it is on the national security implications of personal data.
In the current digital era, and the forthcoming explosion in the Internet of Things and Big Data Analytics, each individual is generating a vast amount of data. Taken individually, this data may seem unimportant, but when aggregated and analysed through advanced algorithms, it can reveal crucial information, which have important national security implications. A recent example is the details released by Strava, a fitness-tracking app, showing activity of its users on data visualisation map. The map was detailed enough to show the activity of U.S. soldiers in their bases including Afghanistan, Syria and Djibouti. This revealed sensitive information about the layout of bases. Firms like AggregateIQ and Cambridge Analytica have been credited with using personal data of individuals to generate targeted advertisements on social media to help swing the Brexit referendum and the US presidential election. There are many consequences to personal data collection, which we have not fully grasped till now.
In order to bring in the national security perspective into our proposed data protection law, the Cyber Security Research Centre of the Punjab Engineering College, Chandigarh in collaboration with the Times of India, organised a two day workshop which brought together experts from the national security, cyber security, academicians, information technology, military, law enforcement and legal fields. The deliberations of the workshop and its recommendations are being put forth for consideration by the Government of India. There was unanimity among the members of the workshop that national security implications be given due consideration while drafting the data law. Absence of any legal provisions about protection of individual data has already resulted in sensitive data of Indians having possibly been utilised and processed in an unregulated manner. There is uncertainty about what national security problems it could create in the future but let us now begin the corrective steps.
The deliberations of the workshop have raised many crucial issues with regard to the linkages between unfettered processing of individual data and matters of national security. We have kept in mind the individual’s right to privacy, particularly the vulnerabilities of children and underprivileged class. Due consideration has also been given to digital commerce and the need to ensure that innovation and entrepreneurship in India is not disadvantaged. However, we are also conscious that economics cannot override national security. As John J. Mearsheimer points out in his book, The Tragedy of Great Power Politics, “(In) matters of national security, because concerns about survival are invariably at stake…they are more important than worries about prosperity.”
Some key recommendations are summarised below.
Our discussions revealed the territorial limits of jurisdiction. It is extremely difficult to protect data which resides in other countries, particularly where the data controller does not have any presence in India. U.S. courts are even asking technology companies registered in the country to provide data, which is located outside the U.S. borders. One way suggested was to have bilateral treaties with various countries but this a protracted process.
The only solution lies in localising the sensitive data of Indian citizens within the boundaries of India. While currently the infrastructure for this may not exist, it would come up if the data controllers wish to continue to take advantage of the size of the Indian market. The advent of the IoT would exponentially increase the volume of data being generated. Any new infrastructure being created for IoT should also make arrangement for data to be stored in India. We understand that cross-border flows of data cannot be completely stopped. However, no sensitive personal data should be permitted to go outside the country. There should be legal restrictions on transfer of data to controllers who have no presence in India.
The White Paper has given a comprehensive definition of sensitive personal data. However, this definition is based on the sensitivity of the information from an individual perspective and not from national security. As an example, should the data of intelligence officials or military officers, stored in one place, be considered sensitive, even though it has only basic personal data? There could be many such cases and therefore there is a need to classify such data also as sensitive. Also, in the new connected world where IoT devices are penetrating into the personal lives, the sensory raw data does not indicate anything but it is the processed data leading to sensitive inferences so drawn about an individual which will pose a greater risk.
Individuals are generating data vast amount of data each time they carry out any electronic activity. This information is automatically stored by data controllers. It is difficult to keep a check on this activity but the processing of data must be for a specific and limited purpose. With aggregation of data and advanced algorithms for processing, it is possible to build up an accurate profile of an individual which reveals many traits of his character. This knowledge could be used to influence opinions or even stir up trouble and strife between communities. Such analytical profiling can be checked if the processing of data is strictly controlled. Sale of personal data to data brokers must also meet stringent legal criteria.
By having greater control and visibility over their data, individual can indirectly contribute towards national security. The white Paper has correctly identified Individual Participation Rights like confirmation, access to data, right to object and the right to be forgotten. These will strengthen individual privacy. In addition to these it is important that an individual is aware of all the data controllers who have access to his personal data. This is important because data is regularly being shared between various entities without the individual coming to know. This will also put some check on the practice of routinely asking for personal data even when not essential.
A reading of the White Paper shows that there is some apprehension that a stringent data law could have an adverse financial impact. In our discussions, we did not find any fact that could support this apprehension. In fact, in the long term, data localisation and development of Indian Standards will help the indigenous industry. Foreign Investment firms will need to set up their data centres within the territory of India and this will mean newer opportunities for the Indian IT skilled professionals. The government will be motivated to setup an in-house IT industry and start-up sector focusing on development of Indigenous technology. With Data Localisation a lot of personal data of the Indian Residents will return to Indian borders. There will be a large scope for domestic data transformation projects. Many MNCs will be compelled to start with migration projects which in turn will fetch a lot of capital.
The need for a data protection law was triggered by the debate on individual privacy. However, the importance of this data for national security must not be overlooked. It is for this purpose that the workshop held at PEC focused on the how the proposed law must also strengthen India’s national security.