The localization of privacy – observations from India

Pat Walshe, Principal Consultant, Privacy, GSMA

Pat _Walshe2Digital ‘identity’ is becoming evermore crucial to ensuring people can have safe and secure access to digital services and to helping protect their personal and private information online. A key to digital identity is data. Data not only helps prove that people are who they say they are but it also ensures only the right person gets access to services and accounts. To achieve this, ‘data’ needs to flow freely across technologies, services, and devices in ways that are privacy respective and protective. Sounds simple – it’s anything but.

Since the early 1980s, many countries have introduced data protection laws to help ensure peoples’ personal and private information is used responsibly and securely. There are now 109 comprehensive data protection laws in the world. A cornerstone of data protection law is to facilitate the flow of data between countries. This flow of data has proved crucial to helping drive online services and to creating economic opportunities for many countries. However, some countries have sought to ‘protect’ the privacy of citizens by preventing the transfer of people’s data overseas, either through data protection laws or, as in the case of India, through telecommunications licences.  This can pose significant challenges for companies trying build global solutions.

The GSMA recently held a Mobile Connect workshop in Delhi for mobile operators in India to discuss data protection and privacy regulation. A key challenge is that India currently lacks a unified legal and regulatory approach to data protection and privacy and instead imposes privacy principles and practices through no less than 50 laws for different verticals such as finance, health, e-governance, identity and telecommunications. For mobile operators, another key challenge is that ‘user privacy’ is regulated in ways that ‘Over the Top’ (OTT) Internet companies are not (even though OTTs may provide equivalent messaging and VOIP services).

Mobile operators can only provide services if they obtain a telecommunications licence from the government. A breach of a ‘licence condition’ can have serious implications for operators. The workshop discussions focused on a key licence condition that prohibits operators from transferring ‘user information’ to ‘any person/place outside India’ – something that doesn’t affect OTTs. Though ‘user information’ is not defined in Indian telecommunications law, operators believe it includes a users’ mobile numbers.  This clearly has implications for an identity service that is built on the verification of a user’s mobile number and that involves the flow of data between multiple parties across geographic borders!

The implications for Mobile Connect are that equipment would need to be located in India or that operators should adopt a process where they do not disclose a mobile number, but verify a tokenised value.   What this ‘localisation of privacy’ demonstrates is that laws seeking to protect privacy may have a number of unintended consequences. For example, it may impose additional legal and operational burdens and costs that do not enhance privacy or user experiences, it may place one sector at a competitive disadvantage to others (such as MNOs v OTTs), and it may distort the value in data and identity services.

Challenges? Yes. But there is hope on two fronts. The Indian government commissioned a review by a panel of experts on privacy and has agreed a Privacy Act is required and that harmonisation between laws and sectors is needed[i]. A Privacy Act will help strengthen and foster trust among Indian consumers – something needed according to recent research into the privacy attitudes of more than 10,000 individuals[ii].

But perhaps more importantly, the current Prime Minster of India, Narendra Modi, believes that a mobile number should be the defacto identity of a person[iii]. The government of India has also created a Digital India initiative moving from e-governance to m-governance. A government white paper on ‘Mobile as Digital Identity’ also gives a key role to mobile operators in providing ‘reliable’, ‘trustable’ and ‘privacy protected’ consent based authentication of Indian citizens[iv].

While its clear there are challenges, now is the time to place privacy as a value and opportunity, for individuals, business and government.

[i] Report of the Group of Experts on Privacy http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[ii] http://precog.iiitd.edu.in/research/privacyindia/PI_2012_Complete_Report.pdf and http://www.slideshare.net/bbw1984/global-privacy-research

[iii] http://indianexpress.com/article/india/india-others/modi-attends-e-governance-conference-via-twitter/

[iv] http://cdn.mygov.nic.in/bundles/frontendgeneral/pdf/white-paper-mobile-as-digital-identity-v0-2.pdf