We need to use new enforcement tools for responsive data regulation in India.
The New Year has kicked off with another bombshell going off in the minefield of data protection issues in India. An investigative report by the Tribune on 4 January 2018 revealed that unauthorised access to the entire Aadhaar database was effectively “on sale” in Punjab for as little as Rs. 500. The report comes close on the heels of revelations in December 2017 that the Airtel Payments Bank used customers’ Aadhaar details (submitted for SIM verification) to open new bank accounts allegedly without informed consent. Earlier in November 2017, a Right to Information (RTI) query to the UIDAI revealed that 210 government agencies publicly displaying details of Aadhaar holders had been directed to remove them.
Watching these events unfold, I was particularly struck by the variation in the enforcement actions used in the regulatory response to the compromise of personal data. In the Tribune case, a First Information Report (FIR) to commence criminal proceedings was filed by the UIDAI (against the journalist who wrote the story and those reported to be selling access to Aadhaar data) for offences that can attract fines or imprisonment under the Aadhaar Act 2006, Information Technology Act 2000 and the Indian Penal Code 1860. In the Airtel Payments Bank matter, the news reports indicated that a fine of Rs. 2.5 crore was imposed (though this remains unverified by an official statement). As for the government departments that publicly disclosed Aadhaar holders’ information (an offence under the Aadhaar Act), the UIDAI’s press release noted that in addition to directions to take down the material “certain other measures were also taken at various levels.”
There was however one common feature across these incidents—in all cases the unauthorised use of Aadhaar data continued for several months unchecked i.e. enforcement actions took place after the compromise of the personal information of millions of Indians had already occurred. And so in India, we are waking up to one of the foundational difficulties of user data protection i.e. that the after-the-fact imposition of penalties is often too little too late, for the person whose name, email address, home address, phone number and Aadhaar number are now known in combination and being circulated without their control. This is a global problem, as we saw in the Equifax data breach of 2017 that compromised the personal information of more than 140 million people in the US, UK and Canada before action could be taken. Clearly, there is a need to look beyond post-breach sanctions and find new ways to think about the enforcement of data protection laws.
We must call for an expanded regulatory strategy to include ex–ante tools aimed at preventing and mitigating the effects of data breaches in India, especially if we are considering an independent data protection authority in the future. Through various pre-breach tools ranging from mandated audits to informal regulatory guidance to private warnings, both a future regulator and the regulated could proactively engage to reduce the potential harm to users from data breaches, rather than bang on the same broken drum of post-breach fines. We must consider how ‘responsive regulation’ can add new enforcement tools for data protection in India.
A hierarchy of softer and harder sanctions to enforce the law
Central to the theory of ‘responsiveness’ of regulation is the idea that “escalating forms of government intervention will reinforce and help constitute less intrusive and delegated forms of market regulation” (page 158, Ayers and Braithwaite, 1992). This is based on the contention that the achievement of regulatory objectives is “more likely when agencies display both a hierarchy of sanctions and a hierarchy of regulatory strategies of varying degrees of interventionism.” (page 6, Ayers and Braithwaite, 1992). The enforcement “pyramids” used in conjunction with this approach can show these hierarchies of regulatory strategy. For instance, a potential hierarchy of tools in the context of the regulation of medicines (below) shows the various levels of regulatory engagement that could exist, starting from the bottom and escalating upwards until the hardest sanctions of fines or imprisonment are triggered.
Using ex-ante tools for data regulation
Graham Greenleaf’s analysis has fleshed out how the ‘responsive regulation’ approach can be used to build a toolbox for enforcement in the data privacy context (Greenleaf, 2014). Greenleaf (2014) calls out three main categories of:
- reactive measures that respond to breaches or legal requirements,
- systemic or proactive measures that take steps aimed at detecting and preventing breaches, and
- positive or supportive measures like training, awards etc. to support those trying to comply with regulatory goals.
His 2014 analysis of the data protection laws of twelve Asian countries, including India shows that the predominant reliance was on reactive enforcement based on complaints received by the relevant authority or due to media reports resulting in ‘own-motion’ investigation (page 510, Greenleaf, 2014). This chimes in with the recent Indian experience, including the three incidents discussed earlier involving the compromise of Aadhaar information.
In India, we need to go beyond reactive measures and set up a programme of proactive regulation, whereby authorities provide guidance, private warnings, public statements and mandate data audits even in the absence of a data breach to raise the bar for data practices and also create certainty for regulated entities. Side by side, we should consider a programme of supportive measures such as prizes, awards or other incentives to support these ex-ante proactive measures.
Potential tools for use in Indian data protection enforcement actions
A future Indian Data Protection Authority should have a range of regulatory tools through which it escalates regulatory action rising up to hard monetary penalties and criminal sanctions, and use this to inculcate a Rule of Law orientation across the market in terms of data practices. In fact, we can take heart in the knowledge that Indian regulators in other fields are already using some of these tools.
Informal guidance, whereby entities can approach the regulator for non-binding advice on the position on existing rules or law, could be a valuable way to improve communications in the early days of the new law coming into force. The Securities and Exchange Board of India (SEBI)’s Informal Guidance Scheme has been in force for some time now (SEBI, 2017).
Private warnings could be issued to entities in the market that appear to have weak data practices. The draft Financial Sector Legislative Reforms Commission had recommended this as an enforcement tool in the financial sector (page 35, FSLRC 2013). Public statements could follow for offenders who do not respond to private warnings, leveraging social and reputational pressure to improve data practices.
Investigative powers could be included to allow authorities to request audits, information or initiate investigations proactively where data protection breaches are suspected. These investigations could be preceded by issuance of show cause notices, which in themselves are a mechanism to engage entities and elicit details of their data practices. We know that Directorate of Enforcement under the Department of Revenue, Ministry of Finance and the Directorate General of Income Tax dealing with Intelligence have investigative powers and use them regularly to support their functions.
Finally, bringing users complaints’ data into the picture could help regulators immensely. By mining data from complaints databases and using the insights to target softer ex-ante regulatory tools at particular entities is one solution ripe for use, relying on Regulatory Technology “RegTech”. A future Data Protection regulator could track data from trigger existing complaints made by citizens— especially in cases where there is a spike in complaints against a particular provider or agency, to ask for information or issue private warnings. In some sense, this is already relevant for the Aadhaar system given the several channels that exist to take complaints and address grievances. Improved analysis of these complaints and grievances could act as a “radar” function for the UIDAI to take note of agencies or providers misusing Aadhaar information, running authentications without permissions, and disclosing information among other matters.
Ex-ante regulation needs transparent, communicative regulatory leadership
The key when it comes to using this approach however is transparency on the use of the sanctions. The public communication of the level and escalation of regulatory measures play an important role in signalling to the market that there are still high costs of non-compliance (Greenleaf, 2014). In other words, the regulatory system has to be seen to speak softly but carry a big stick. Such an approach deploys high fines and imprisonment at the end of a chain of escalation allowing a longer period to develop a Rule of Law orientation when it comes to managing personal data without going straight to the “nuclear” option. Needless to say, in particularly egregious cases or where significant breaches occur, the regulator would be free to exercise the maximum penal sanction.
The White Paper of the Committee of Experts on Data Protection unfortunately fails to consider the potential for these kinds of tools in India. Not to incorporate these tools would be a missed opportunity. They can give a future data regulator the crucial tools necessary when overseeing a vast market, and crowd-in to regulation those entities will be caught under the new regime. We must focus attention on what we can do before the proverbial horse has horse bolted to avoid and mitigate large scale breaches of personal information.
- Ayres, I., & Braithwaite, J. (1992). Responsive Regulation: Transcending the Deregulation Debate.
- Financial Sector Legislative Reforms Commission. (2013). Report of the Financial Sector Legislative Reforms Commission. I. New Delhi. Retrieved from http://finmin. nic. in/fslrc/fslrc_report_vol1. pdf.
- Government of India (2017) White Paper of the Committee of Experts on a Data Protection Framework for India, New Delhi. Retrieved from http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_171127_final_v2.pdf.
- Greenleaf, G. (2014). Asian Data Privacy Laws: Trade & Human Rights Perspectives. OUP Oxford.
- Khaira, R. (2018, January 4). Rs 500, 10 minutes, and you have access to billion Aadhaar details. http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html
- Press Trust of India (2017, December 20). Airtel pays Rs 2.5 cr fine for opening payments bank without user consent. Retrieved from http://www.business-standard.com/article/companies/airtel-pays-rs-2-5-cr-fine-for-opening-payments-bank-without-user-consent-117121900915_1.html
- Press Trust of India (2017, November 19). 210 govt. websites made Aadhaar details public: UIDAI. Retrieved from http://www.thehindu.com/news/national/210-govt-websites-made-aadhaar-details-public-uidai/article20555266.ece
- Securities and Exchange Board of India (2017) Securities and Exchange Board of India (Informal Guidance) Scheme 2003, Retrieved from https://www.sebi.gov.in/informal_guidance.html.
- Venkatnarayanan, A and Lakshmanan, S. (2017, December 21). Aadhaar Mess: How Airtel Pulled Off Its Rs 190 Crore Magic Trick. Retrieved from https://thewire.in/206951/airtel-aadhaar-uidai/
- Unique Identification Authority of India. (2017). Aadhaar data is never breached or leaked: UIDAI [Press release]. Retrieved from https://uidai.gov.in/images/news/Press_release_on_210_Websites_issue_ver_1_1_07122017.pdf