Policies should ensure free flow of data across borders: BSA Country Head

“We support the aim of giving individuals the choice and control over their data," says Venkatesh Krishnamoorthy, Country Head, BSA.


Cyber attacks are the new nightmares of countries and companies alike. If recent industry reports are anything to go, cyber attacks have had an alarming 11 percent jump to 84 percent as opposed to that of 73 percent in 2016. And the effects are far and wide, as each year, cybercrime drains hundreds of billions of dollars from the global economy, disrupting business services, innovation, and stifling job growth.

Governments around the world, including India, confront an increasingly complex and diverse array of cybersecurity threats. These cyber attacks are vibrant and may be distributed across numerous government agencies and private businesses, however, identifying a single government body will be the key. 

In an exclusive interview with CSOonline, Venkatesh Krishnamoorthy, country head, BSA | The Software Alliance shares how its Guiding Principles for Cybersecurity Policy highlights: How one cybersecurity organization can ensure clarity, coherence, and coordination in the government’s preparedness for and response to cybersecurity threats and challenges.

Based in New Delhi, Venkatesh leads BSA’s India charter, contributing to the advancement of BSA members’ policy priorities: data protection, privacy, cloud computing policy and digital trade.

With the growing demand for India to write laws on data protection and privacy in the wake of the Supreme Court ruling privacy to be a fundamental right, concerns over cybersecurity, data protection and privacy have increased manifold, leading the government to release a whitepaper on data protection inviting comments from industry stakeholders. 

Krishnamoorthy shares BSA’s recommendation on data protection legislation and perspective on efforts BSA is making towards advancing discussions that will support positive legislative change.

Edited excerpts: 

What are BSA’s recommended principles for the development of effective privacy and personal data protection regimes internationally?

We are committed to protecting consumers’ personal data across technologies and business models. The following five data protection principles are designed to help advance the development of effective privacy and personal data protection regimes internationally and in India:

•    The definition of ‘personal data’ should be reasonably linked to an identified or identifiable natural person and the scope of information included within the definition of personal data is information, that if mishandled, would have a meaningful effect on an individual’s privacy
•    The legal bases for collecting, using, processing and disclosing (collectively, ‘handling’) personal data should be sufficiently flexible so that they both ensure appropriate safeguards for personal data and allow businesses to continue to provide innovation services and stimulate economic growth
•    Responsibilities of ‘data controllers’ and data processors’ should be clearly defined
•    The law should ensure the free flow of data across borders and avoid requirements that impose unnecessary or burdensome restrictions on global data transfers
•    Personal data breach notification requirements should be reasonable and appropriate and cover only situations where there is a material risk of harm to affected individuals 

BSA hopes these principles will assist governments worldwide in the development and implementation of effective personal data protection policies and privacy rules that protect consumers’ personal data while also shaping the growth of an emerging data-centric economy. 

What are BSA members’ recommendations for future privacy rules for protecting consumers’ personal data? What would be the role of consent in a data protection framework and scope of personal data?

BSA believes that data protection laws should safeguard consumer information, that, if mishandled, would have a meaningful impact on an individual’s privacy. The legal bases for personal data protection should provide protections that meet, and are appropriate to, consumer expectations, without unnecessarily stifling economic growth through the data economy. 

We support the aim of giving individuals the choice and control over their data. However, consent should be contextual to determine the level of consent that is required and companies should have flexibility in determining the timing, standard and mechanism for obtaining consent. 

Here are a few suggestions which we have considered: 
•    For example, consent dashboards could enhance consumer control, but imposing requirements on how the dashboards should be implemented would be overly prescriptive.
•    Presenting privacy notices in a public document would also foster consumer trust. This also affords the space and flexibility to offer translations in multiple languages especially in a country like India, to reflect the diversity of individuals who use a product or service.

Consent is an important basis for collecting, using, processing, and disclosing (collectively, ‘handling’) personal data. However, there must be other legal bases for handling personal data, including for the legitimate interest of companies handling the data where obtaining consent may not be suitable or practicable, the performance on contracts with the data subject, and compliance with legal obligations, among other things. According to international best practices, when consent is used as the legal basis for handling personal data, context is important to determine the level of consent that is appropriate.

The Facebook fiasco could have led to some of the Indian profiles to be manipulated as well. Should there be a policy in such cases? What should be the regulations on cross-border data flows?

MeitY has issued a notice to the two companies about their involvement and their response to the notice is still pending. Therefore, we are unable to comment on any details.  

We strongly support robust data protection and believe data controllers must be held responsible for the compliance of data entrusted to them, while the data processors should comply with the controllers’ instructions and ensure the security of the data they process. Organizations that collect personal data should be responsible for its protection, no matter where or by whom it is processed. This clear allocation of responsibility and liability is critical and ensures that the increasingly widespread practice of outsourcing does not insert confusion in the system. The allocation of responsibility enables legal authorities to know who to turn to in case of a problem, and companies to have clarity on their roles and responsibilities.

On data flow, BSA believes that policies should ensure the free flow of data across borders and avoid requirements that impose unnecessary or burdensome restrictions on global data transfers. Seamless cross-border data flows are important in areas like cybersecurity, cloud computing, artificial intelligence and other emerging technologies.

How data privacy regulation can impact BSA member companies?

BSA supports a balanced approach to privacy that respects and encourages informed consumer choices while ensuring industry can continue delivering value to consumers by providing services tailored to their specific needs. Our members have a deep and long-standing commitment to protecting consumers’ personal data across technologies and business models. An effective privacy regime will protect consumers without hampering innovation and will leverage the power of the digital economy to support governments and businesses alike.   

How are the companies in the BSA alliance tackling GDPR as the deadline approaches?

BSA recognizes the importance of fostering trust and confidence in the online environment and advocates for appropriate data security measures integral to data protection. Moreover, it is essential to evaluate data protection elements that would advance the concept of accountability. For example, the use of processes such as Privacy by Design can provide an effective means of protecting personal data throughout the data lifecycle. 

The EU GDPR is an important development in the international privacy law. We are already gearing up to fully comply with the requirements of the law. 

What is your take on data localization and its impact on software industry? 

BSA encourages the free flow of data along with effective personal data protection laws. It does not recommend the adoption of data localization requirements, for both the public and private sectors, as it can frustrate efforts to implement security measures, impede business innovation, and limit services available to consumers.

Data localization measures can have a negative economic impact on the GDP of several countries, it also can disproportionately impact small and medium-sized enterprises that do not have the resources to meet burdensome regulatory requirements. Furthermore, it also may prevent companies from offering services within a country because it may be too costly or impractical to do so. Lastly, companies subjected to data localization requirements may not have unfettered access to innovations in other companies, thus hampering the development of domestic innovation that would otherwise occur by accessing foreign solutions and services. 

Edited By : Vaishnavi J Desai