Ensuring security and the protection of privacy in data centres

Tl;dr

IFF has submitted its comments on the Ministry of Electronics and Information Technology's Draft Data Centre Policy 2020. In our comments, we specified four issues that we felt the draft policy must address: firstly, that data centres must implement robust security protocols; secondly, that data centres must ensure that the digital rights of users are not violated; thirdly, that firm and unambiguous regulatory oversight must be provided; and lastly, that data centres should not be brought under the ambit of the Essential Services Maintenance Act, 1968 (ESMA).

Draft Data Centre Policy

As the modern Indian economy moves further towards digitalisation, upgrading the country's data capacities and enabling the rapid growth of data facilities takes on vital importance. However, to ensure that this is truly done in a manner that best serves the nation, it is crucial that the rights of users (i.e. citizens) be safeguarded.

Several leaks have plagued the country in recent times. According to the Indian government, 2019 witnessed 1,05,849 cyber security incidents in just the first five months. 2019 and 2020 (till August) saw 54 and 37 Central and state government websites hacked respectively. Leaks of Aadhaar data, banking data, and credit card information have also increased. Even nuclear plants, such as the one in Kudankulam, have been shown to be vulnerable. Furthermore, as the COVID-19 pandemic-driven move towards working from home proceeds further, enterprises too feel that digital infrastructure has to be upgraded to deal with new security challenges, as 66% of Indian firms have reported at least one data breach since they shifted to working from home. Given that organisations faced a cost of Rs. 14 crore on average per data breach in 2019-20, it is clear that data security processes need further tightening and regulation.

An additional factor to be considered here is the Personal Data Protection Bill, 2019, as the regulation of the operations of data centres will certainly come under the ambit of this bill. The bill faced multiple criticisms both inside and outside Parliament, as certain clauses of the Bill proved to be contentious - especially since they differed from the recommendations of the Justice Srikrishna Committee - and so the bill was sent to a Standing Committee for review. The key issues in the bill included the exemptions given to the government for the processing of data, the composition of the proposed Data Protection Authority, and the non-consensual processing of data. A private member bill introduced by MP Dr. D Ravikumar, for example, is an alternative that addresses these issues.

In light of this, it is imperative that strict guidelines for ensuring the security and privacy of users be put in place, as these will ensure that the data of swathes of citizens is safe. Additionally, a firm and strictly defined regulatory framework should be laid down, and the fundamental right to expression of data centre workers should not be tampered with. Doing so will not only ensure that the growth of India's digital infrastructure benefits citizens but also cement India's position as a global hub for digital infrastructure.

Our submissions

  • Security: The draft policy does not specify any security standards that data centres must adhere to, or that may be prescribed in future by the Data Protection Authority. There is a tangible need to address this given the several big data leaks that have plagued the country recently. The situation is exacerbated by the fact that, due to the COVID-19 pandemic, many companies have moved towards a work-from-home set-up, which has meant a greater degree of digitalisation and so a greater need to ensure digital security. In light of this, we feel it is important for the Policy to firmly lay down, at the very least, a broad framework for ensuring the protection of data.

  • Privacy and digital rights: The policy does not mention the method by which data centres will ensure they protect the digital rights of users. If it is contemplated that such issues are to be covered under the proposed Data Protection Bill, 2019, then a method for ensuring compliance with the same must be specified.

  • Need for firm regulatory oversight: There should be a clear and unequivocal acknowledgement within the policy of oversight by the Data Protection Authority contemplated by the impending Personal Data Protection Bill, 2019. Here, ideally, the primary mandate of the Inter-Ministerial Empowered Committee (along with the Data Centre Facilitation Unit) should be confined to facilitating the ease of doing business, and any overlap with the Data Protection Authority should be limited.

  • Imposition of Essential Services Maintenance Act: While we recognise the importance of digital infrastructure for both the modern economy and modern governance, we feel that the inclusion of data centres under the Essential Services Maintenance Act, 1968 (ESMA) may be a step too far. The draft policy does not provide sufficient arguments for why data centres should be considered essential. Additionally, employees’ right to freedom of expression is fundamental, and ESMA puts significant curbs on it. The Act has already faced criticism, especially for its granting of the power to arrest without a warrant.

Important Documents

  1. MEITY's Draft Data Centre Policy 2020
  2. IFF's comments on the Draft Data Centre Policy 2020
  3. The Personal Data and Information Privacy Code Bill, 2019 as introduced by Dr. D Ravikumar, MP