Ensuring security and the protection of privacy in data centres

IFF has sent its comments to the MEITY on the Draft Data Centre Policy. In our comments we highlighted four issues we feel the policy must address: adequate security standards, safeguards for user privacy, firm regulatory oversight, and the unnecessary imposition of ESMA.

19 November, 2020

Tl;dr

IFF has submitted its comments on the Ministry of Electronics and Information Technology's Draft Data Centre Policy 2020. In our comments, we specified four issues that we felt the draft policy must address: firstly, that data centres must implement robust security protocols; secondly, that data centres must ensure that the digital rights of users are not violated; thirdly, that firm and unambiguous regulatory oversight must be provided; and lastly, that data centres should not be brought under the ambit of the Essential Services Maintenance Act, 1968 (ESMA).

Draft Data Centre Policy

As the modern Indian economy moves further towards digitalisation, upgrading the country's data capacities and enabling the rapid growth of data facilities takes on vital importance. However, to ensure that this is truly done in a manner that best serves the nation, it is crucial that the rights of users (i.e. citizens) be safeguarded.

Several leaks have plagued the country in recent times. According to the Indian government, 2019 witnessed 1,05,849 cyber security incidents in just the first five months. 2019 and 2020 (till August) saw 54 and 37 Central and state government websites hacked respectively. Leaks in Aadhaar data, banking data, and credit card information have also increased. Even nuclear plants, such as the one in Kudankulam, have been shown to be vulnerable. Furthermore, as the COVID-19 pandemic-driven move towards working from home proceeds further, enterprises too feel that digital infrastructure has to be upgraded to deal with new security challenges, as 66% of Indian firms have reported at least one data breach since they shifted to working from home. Given that organisations faced a cost of Rs. 14 crore on average per data breach in 2019-20, it is clear that data security processes need further tightening and regulation.

An additional factor to be considered here is the Personal Data Protection Bill, 2019, as the regulation of the operations of data centres will certainly come under the ambit of this bill. The bill faced multiple criticisms both inside and outside Parliament, as certain clauses of the Bill proved to be contentious - especially since they differed from the recommendations of the Justice Srikrishna Committee - and so the bill was sent to a Standing Committee for review. The key issues in the bill included the exemptions given to the government for the processing of data, the composition of the proposed Data Protection Authority, and the non-consensual processing of data. A private member's bill introduced by MP Dr. D Ravikumar, for example, is an alternative that addresses these issues.

In light of this, it is imperative that strict guidelines for ensuring the security and privacy of users be put in place, as these will ensure that the data of swathes of citizens is safe. Additionally, a firm and strictly defined regulatory framework should be laid down, and the fundamental right to expression of data centre workers should not be tampered with. Doing so will not only ensure that the growth of India's digital infrastructure benefits citizens but also cement India's position as a global hub for digital infrastructure.

Our submissions

  • Security: The draft policy does not specify any security standards that data centres must adhere to, or that may be prescribed in future by the Data Protection Authority. There is a tangible need to address this given the several big data leaks that have plagued the country recently. This is a situation exacerbated by the fact that due to the COVID-19 pandemic many companies have moved towards a work-from-home set-up, which has meant a greater degree of digitalisation and so a greater need to ensure digital security. In light of this, we feel it is important for the Policy to firmly lay down, at the very least, a broad framework for ensuring the protection of data.

  • Privacy and digital rights: The policy does not mention the method by which data centres will ensure they protect the digital rights of users. If it is contemplated that such issues are to be covered under the proposed Data Protection Bill, 2019, then a method for ensuring compliance with the same must be specified.

  • Need for firm regulatory oversight: There should be a clear and unequivocal acknowledgement within the policy of oversight by the Data Protection Authority contemplated by the impending Personal Data Protection Bill, 2019. Here, ideally, the primary mandate of the Inter-Ministerial Empowered Committee (along with the Data Centre Facilitation Unit) should be confined to facilitating the ease of doing business, and any overlap with the Data Protection Authority should be limited.

  • Imposition of Essential Services Maintenance Act: While we recognise the importance of digital infrastructure for both the modern economy and modern governance, we feel that the inclusion of data centres under the Essential Services Maintenance Act, 1968 (ESMA) may be a step too far. The draft policy does not provide sufficient arguments for why data centres should be considered essential. Additionally, employees’ right to freedom of expression is fundamental, and ESMA puts significant curbs on it. The Act has already faced criticism, especially for its granting of the power to arrest without a warrant.

Important Documents

  1. MEITY's Draft Data Centre Policy 2020 (link)
  2. IFF's comments on the Draft Data Centre Policy 2020 (link)
  3. The Personal Data and Information Privacy Code Bill, 2019 as introduced by Dr. D Ravikumar, MP (link)
