As the old saw goes- Data is the new oil. It, therefore, needs no stretch of the imagination to extend the idea of oil wars to data wars. The stakes for data wars have rapidly escalated as Cloud Behemoths battle for supremacy across international turf. In response, Governments have their hackles raised to combat what they perceive to be a grave threat to their sovereignty.
Consider the case of the PDP (Personal Data Protection) Bill in India. It is an attempt by a non-partisan Joint Parliamentary Commission to ensure that the Personal data of Indians adhere to the strictest norms of privacy protection. An ask of this nature has no precedent in the pre-SMAC era. However, Governmental action to this end is an imperative that can no longer be shelved. In this light, it is only fair to ask- Whose Data is it Anyway?
In the seminal sitcom ‘Silicon Valley’, the show’s lead character agonizes over data ownership and envisions a ‘new internet’. Data privacy and ownership are not merely staple fodder in a trillion-dollar company’s legal minutiae, but a living, breathing reality that empowers individuals to truly own their data.
Such a utopian vision may indeed someday become our new digital reality. However, in today’s complex ecosystem of tech titans who have long quartered data goldmines, reactive reclamation of ownership may be the first pragmatic step in a long-drawn-out battle for data privacy.
Therefore, although draconian, PDP Laws enacted to bring violators to heel is a welcome step towards Data Emancipation.
The Law of the Land
So what does the proposed bill actually entail? Apart from stressing the importance of user consent for data collection and processing, there is strict penalization for non-conformity. The PDP draws the virtual net around geographical boundaries for data control and storage. PII data are often stored outside India- an arrangement that can threaten the underpinnings of a functioning democracy.
Regulatory authorities like the RBI have long held that sensitive data leaving Indian shores raises the specter of a national security breach. While that view may have seemed uncommonly hawkish in the days of digital teething in India, it has taken on a definite air of prudent justifiability in the era of Data privacy.
It is perhaps fair then, to have an Act that has teeth and is capable of being enforced swiftly (and harshly) to create an environment that fosters true respect of data privacy.
What lies yonder?
As of November 2020, the bill in its proposed form has met with fresh disapproval from the JPC. The ask now is to include any form of sensitive and critical data to the mix. This may well engender a discussion on just where the contours of the virtual safety net extend to.
Not all forms of anonymized data strictly fall under the umbrella of ‘sensitive customer data’. It is however worthwhile to note that third-party cookies are aggressive ambassadors of advertising revenues. While third party cookies have had their day under the sun, new-fangled ‘mad techniques’ that compromise netizen security has become the norm.
Pondering on ideas of this nature brings us right back to the core ask- Whose data is it anyway? Firms that deal with customer data will have their work cut out if the PDP act makes it impossible to violate or circumvent regulatory and compliance strictures that impact data control, storage and processing.
Re-evaluating their Cloud Partnership agreements to ensure compliance by the book will therefore be the mantra for discerning CxOs today. Data Privacy, Data ownership and contending with the battles that ensue appears to be what lies yonder.