India needs a data security law more than ever before
Recent media reports that Chinese mobile phone giant Xiaomi has been sending users’ data to China for analysis have brought the issue of privacy and the security of users’ data into sharp focus.
An old and unresolved issue got a fresh lease of life when it recently emerged that Chinese mobile phone maker Xiaomi was collecting data on users’ browsing behaviour and sending it to its servers in China for “analysis”. This has particularly grave security implications for India as Xiaomi and its sub-brand Redmi have a 30 per cent share of the Indian mobile phone handset market. More disturbingly, Chinese mobile phone brands collectively command a dominating 70 per cent-plus share in this country. This problem becomes all the more acute as India does not yet have a data security law.
The Forbes report
In a sensational recent report, international business magazine Forbes said that cybersecurity expert Gabi Cirlig found that the Mi browser on the Redmi Note 8 phone was collecting its users’ browsing behaviour. This included data on Google searches and on websites visited, i.e., a user’s entire browsing history, music and news preferences, app usage, places visited and locations searched on maps. This cyber-spying did not stop even when the browser was set to incognito or private mode.
Chinese tech companies an extension of the state
The very real fear: This data can be used by Chinese security agencies, corporate rivals or others to identify individual users, steal personal data and identities, indulge in cyber espionage, blackmail and various other crimes.
The Chinese state has armed itself with a law called the National Intelligence Law 2017 that obliges every Chinese company to “support, co-operate with and collaborate in national intelligence work”.
This gives the Chinese government the legal right to demand that technology companies such as Xiaomi, Huawei and others give it access to all data collected by them in the course of their operations anywhere in the world. In effect, this means Chinese technology companies, which have large market shares in mobile phones, apps and other technology products, are arms of the Chinese intelligence agencies. Any data they have is readily and legally available to these agencies. It is this fear that has led the US and Australia to ban the use of Huawei’s 5G equipment on their networks and other governments such as India, the UK and others to tread cautiously on this subject.
Jio-Facebook deal also raises privacy concerns
Chinese espionage is not the only reason why India urgently needs a data security law. The multi-billion-dollar deal between Reliance Jio and Facebook, both of which generate humungous amounts of data on Indian internet users, is also raising privacy and data security concerns among analysts.
This comes barely six months after some miscreants hacked into the WhatsApp accounts of several people in India and elsewhere using an Israeli software called Pegasus. Indian IT Minister Ravi Shankar Prasad had demanded that Facebook, which owns WhatsApp, should share material on this breach but the US social media giant has not yet obliged.
That is just one of the reasons why India is rightly thinking of mandating that Indian data be stored in India. Companies such as Facebook, Amazon, MasterCard and other mostly US companies have been quite vociferously unhappy with this provision of the proposed law on the subject. And in the light of the examples of Chinese companies cited above, it is quite obvious that they, too, will spare no effort to thwart any move in this direction.
Within the next few years, India’s universal health insurance scheme Ayushman Bharat will have data on various ailments afflicting Indians. With a target size of 500 million users, this database can be spliced by data scientists in multiple ways to come up with medicines and medical solutions for various sections of the Indian population. In the hands of pharma and medical device companies, or in the hands of a malevolent foreign power, such data can become a source of huge competitive advantage or diplomatic and strategic benefit.
Work from home and the Zoom conundrum
With the Covid-19 pandemic forcing most companies worldwide to impose at least a partial work from home (WFH) routine for their employees, the use of apps such as Zoom, Teams, etc., has grown exponentially. It came as a shock to analysts when it was revealed that Zoom had routed some calls through Chinese servers. Though it is registered in the US, its founder-CEO is of Chinese origin. It had clarified then that this was a one-off to deal with an emergency arising out of a sudden spike in traffic.
But it proved to be a repeat offender, and its innocent-sounding explanation began to sound like a ruse when it emerged in the second week of June that it had blocked the access of pro-freedom activists based in the US and Hong Kong at the request of the Chinese government.
As more and more Indians share trade secrets and discuss confidential company matters over social media apps they believe to be secure, they will need the protection of a data security law to ensure their privacy and to prevent forces inimical to them from spying on their conversations.
Until this law is enacted and comes into force, Indians are largely at the mercy of the goodwill of the big US or Chinese corporations. How they use and share this data is mostly governed by their individual privacy policies, which vary widely and are invariably skewed in their own favour.
For example, Xiaomi had initially claimed that Cirlig’s research was fake, that its “claims are untrue” and that “privacy and security is of top concern,” and further that it “strictly follows and is fully compliant with local laws and regulations on user data privacy matters.”
Why the data protection law will help
India’s proposed data protection bill, which has been delayed by the outbreak of the Covid-19 pandemic, has stringent provisions on the unauthorised sharing of personal data and proposes strict penalties, of up to $2 million or 4 per cent of a company’s global turnover, for breaches thereof.
This is largely in line with the EU’s General Data Protection Regulation (GDPR), with which the proposed Indian legislation is largely compatible.
As the amount of data being generated every day in India explodes exponentially, companies across the world and security agencies in some countries will want unfettered access to it for commercial gain or strategic advantage.
Data is widely accepted as the newest equivalent of a gold mine. It is to regulate the flow of data, to prevent its misuse and to identify the owner of that data, with associated rights and duties, that India needs to urgently take on board all objections, reconcile the differences of opinions and pass the law at the earliest opportunity.