B.N. Srikrishna is a genial, 77-year-old former Supreme Court judge who recites Shakespeare and Sanskrit scriptures with equal facility. But he’s making the likes of Google, Amazon and Facebook more than a little nervous. Srikrishna is leading the effort to draft new data-privacy laws for India that will regulate how tech giants from the U.S. and elsewhere operate in the nation of 1.3 billion. His recommendations carry particular weight because India is already the biggest market for companies like Facebook Inc. and offers enormous potential for dozens more. The committee Srikrishna helms will send its bill to the government this week.
They’re going well beyond the hands-off American approach that preceded fiascoes like the Facebook breach, which facilitated Russian meddling in the 2016 presidential election, or the Equifax hack, which exposed personal information of about 145 million people. He and his colleagues are determined to modernize the country’s standards and protect all citizens. “India has accelerated from a ‘bail gaadi’ economy to a silicon-chip economy,” said Srikrishna, using the Hindi expression for ox cart. “But privacy and data regulation rules are still far behind.”
India has been careening into the digital age. The number of people with smartphones soared to 370 million users at end 2017, from 25 million in 2012, according to Counterpoint Research. The government has also developed one of the world’s most ambitious biometric identity systems, called Aadhaar, which assigned unique 12-digit numbers to 1.1 billion Indians and registered their fingerprints, iris scans and demographic details. That data is now used for everything from tax returns and property purchases to welfare disbursals and WhatsApp payments.
But this flood of data — and an absence of regulation — has fueled concern among privacy activists and citizens groups. That’s been aggravated by government practices, including a recent misstep by the southern state of Andhra Pradesh that inadvertently exposed the demographic and bank details of more than 130,000 people. “Data-poor India is rapidly becoming a data-rich economy so having a data protection law is critical,” said Srikanth Nadhamuni, chief executive officer of startup incubator Khosla Labs and former chief technology officer for Aadhaar.
The diminutive, grey-haired Srikrishna discussed the debate during an interview in his Mumbai office, which is so compact that chairs for visitors prevent the door from opening fully. He plans to navigate a “middle path” between the laissez-faire U.S. approach and the stringent General Data Protection Regulation just imposed in Europe. “India is India, after all,” he said, seated in front of a MacBook and pile of papers. The 10-member committee he heads — comprising academics and government officials — is putting the finishing touches to their bill. The draft will need parliament approval to be enacted.
Currently, foreign companies and hundreds of home-grown startups collect, aggregate, store and process Indian user data unhindered. The Google-backed delivery app Dunzo, for instance, requires access to a customer’s contact list, location, messages, media files and call information at the time of installation. Such information is gathered “only to improve the user’s experience of initiating/running a task on the Dunzo App,” the startup said in an email.
Srikrishna’s framework would rein in such practices. It will detail what is fair use, whether technology giants can transfer data across the border, and how to enforce accountability and penalties for violations. It will also establish whether users can access and control their own data, like with the EU’s GDPR. “Like we keep diabetes and blood pressure in check, controls are needed for data,” Srikrishna said. “Companies like Amazon, Google, Microsoft, and Flipkart are extremely nervous.”
Srikrishna retired in 2006 from the Supreme Court. Since then, he has headed several high-profile commissions, including one investigating government salaries. He believes the average Indian has no idea how much data they’re generating or how it’s being used. He contends a mere click of an English-language consent form is inadequate in a country with almost two dozen official and hundreds of other languages — and low literacy.
“Should we then have pictograph warnings for consent, like they have on cigarette packs?” he asked. The country has no culture of privacy either: Only last year did the Supreme Court rule that privacy is a fundamental right. The biggest challenge according to Srikrishna is not drawing up laws but enforcing them. His own job ends when he submits the draft this week, but he knows that won’t be the end of the debate. He quotes from Shakespeare’s Julius Caesar, when Mark Antony warns that an act of mischief will disrupt the power of government: “‘Now let it work. Mischief thou art afoot, take thou what course thou wilt!”