Shyamal Ghosh, Chairman, TEPC, and Former Secretary, Telecom and IT, Government of India

Technological progress leads to new multidimensional challenges. In the IT sector, there are security and governance issues, both at the individual and national levels. The increasing use of computers to process and store data and the volume of data generated through such usage at the individual, social and governmental levels have led to new concepts of governance and new regulations. Sweden was the first country to enact a national data protection law in 1973. Nearly 20 years later, in 1995, the European Union (EU) issued its first Data Protection Directive, which was implemented in 1998. In 2012, the all-new comprehensive approach on personal data protection was proposed by the EU and later implemented in 2018, nearly two decades after the first directive. In Ireland, the Data Protection Act was announced in 1985. The 1995 Data Protection Directive of the EU was transposed to the Irish domestic law in 2009. Consent is the key element of the European framework.

In the US there appears to be no comprehensive federal legislation covering all sectors. There are, however, federal laws that are sector specific. In addition, there are state laws. It appears that there were difficulties for the US regulatory regime to be fully compliant with the data protection regime of the EU in respect of cross-border data flows. Hence, the concept of safe harbour arrangements was evolved in the US.

In India, the first comprehensive legislation for the IT sector was the Information Technology Act, 2000, providing a legal framework for electronic governance in the country. It was amended in 2008 to include further IT developments and security-related concerns. It is important to note that the IT and IT-enabled services (ITeS) industry has developed rapidly in India, but had to face data security and privacy issues relating to cross-border data flows, especially in the Indian business process outsourcing/knowledge process outsourcing industry. Consequently, NASSCOM took the initiative to set up the Data Security Council of India (DSCI). It was originally conceived as a self-regulatory organisation. It gradually developed a security framework, which, when adopted by its members in the IT and ITeS sectors, makes them “reasonable security practices” compliant. DSCI was invited by the concerned standing committee of Parliament to present its suggestions regarding the Amendment Bill of 2008. DSCI had suggested that a soft and flexible approach be adopted while prescribing reasonable security practices. These could be prescribed by a subordinate legislation and could be amended from time to time to overcome the challenges related to security. The prescribed security practices were to be adopted by any corporate possessing, dealing or handling any sensitive personal data or information.

The standing committee had also taken note of cross-border data flows. Data could be generated in one country, processed in another and stored in a third country. Privacy and security breaches can happen at any stage in one or more countries. The question was which legal regime would apply. To deal with such cases, the committee had recommended that India could take the initiative of developing a UN convention to establish an agreed platform.

Issues relating to data security and privacy started getting more and more attention, particularly with the explosion of social media platforms. Facebook, WhatsApp, Instagram and Twitter are some of the widely used applications. Issues relating to identity theft, morphing, fraud and stalking proliferated due to security breaches. The data generated by these sites was huge and became valuable for commercial and other purposes.

The Justice A.P. Shah Committee suggested national privacy principles. The right to privacy as a fundamental right was recognised by the Supreme Court in 2017, following which the Justice Srikrishna Committee was set up. This committee submitted its report along with a draft data protection bill, which seems to have generally followed the EU model. The government thereafter drafted the Data Protection Bill, which was tabled in Parliament on December 11, 2019. Justice Srikrishna has reportedly observed that the bill tabled by the government has taken away the safeguards that had been suggested in the report submitted by his committee regarding data access by government departments without the consent of the person concerned. This could lead to an “Orwellian State”.

The regulations can have a “hard” approach or a “soft” approach. The European model is fairly strict. One of the reasons for this could be that privacy is a very strong factor in the social framework of many European countries. India has a different social milieu and most private personal information could be shared not only with friends in the neighbourhood but with total strangers during a flight or a railway journey. The sensitivity of certain personal data may not necessarily constrain a person from sharing such data with a total stranger. Will a hard approach be effective in such a socio-cultural environment?

The march of technology is leading to increasing use of computers and devices, which generate voluminous amounts of data in audio, video and text formats. Social media platforms are liberally used across the board without much concern for privacy. Only when private data is used to cause harm to the data owner do issues relating to privacy and security of personal data come into the limelight. The digital divide in terms of access may be reducing, but the knowledge of harm that may be unwittingly brought to a person due to the dissemination of sensitive personal information is still rather limited. This will become increasingly complex with new technologies generating a large amount of personal data. For instance, 5G technology, which is at an advanced stage of development, will generate so much data that computers of today may not be able to process it.

IoT, AI, machine learning, data analytics, content streaming, robotics and automation have become buzzwords. When several devices, including consumer devices, talk to each other, the wide world will be connected 24×7. In this context, another development taking place is quantum computing for dealing with massive data analysis. The US and China are in the race for developing quantum computers. Regulators all over the world find it difficult to keep pace with technological advancements. One option to deal with the advancements is to have a flexible regime.

IT does not recognise silos. Audio, video and text are being delivered through the same platform to the same devices. Unlike India, very few countries have separate ministries for telecom, IT and information and broadcasting. If the technology is converged, governance and regulations should also converge. Further, if there is a regulator for a sector, is there really a need to have a ministry to deal with the same subject? An attempt was made in this direction by introducing the Communication Convergence Bill in 2000, but it lapsed and was never revived.

Another concern is the manner in which conflicting issues arising between right to privacy, right to information and security could be resolved. The origin of right to information could be traced to 1215, when the powerful Barons of England forced King John to grant the Charter of Liberties called the “Magna Carta”. It was stated that the accused should have the right to know the charges against him. It is contended that the Constitution may not explicitly mention right to information, but it is an integral part of the right to freedom of speech and expression.

There will be situations when the right to information and right to privacy could be in conflict with one another and both could be in conflict with security, and the government could be a party in both situations. While safeguards can be provided, will there be a tendency of national considerations prevailing over individual interest? Of course, parameters could be identified where one could prevail over the other, but what happens when the regulators and the regulatory regime are different? This will be a much more complicated matrix to resolve, and it will be difficult to find a clear path in the “gale of creative destruction” brought about by the march of a disruptive technology. It could become a minefield for litigation. One possibility that could be explored would be to have a common appellate authority under the Telecom Disputes Settlement and Appellate Tribunal.

The ultimate convergence could be between man and machine. Ray Kurzweil, the American author, inventor and futurist, has predicted that humans and machines will merge in physical and mental realms by 2100.