Now that the election is over and we have heard about India’s upcoming Data Protection legislation, it’s time to recap what we expect from this framework. India is writing its data protection legislation on a clean slate. It has the advantage of the experience of the European Union (EU) in the creation of its General Data Protection Regulation and the dithering of the United States Congress on the issue, with California taking the lead. But the national opportunity for India is not to follow in any other society’s footsteps. We have the technical knowledge and the social commitment to build a new pathway of our own that will be important as an example to others throughout humanity.
The last draft we saw was a result of the report submitted by the nine-member expert committee headed by Justice BN Srikrishna, titled The Personal Data Protection Bill, 2018. That draft was not cast in stone, but what gets passed by the Parliament will be.
We should begin by understanding that the purpose of the legislation is not to protect data, but to protect people. This simple shift of focus affects the details of drafting, for we are making a statute to protect people, not to regulate the general data economy. It affects the scope of application, which must be as transnational as necessary to protect every person to whom digital services involving data collection or processing are offered, no matter where in the world the data is actually stored or how it is processed, aggregated or modified. Protecting people means concentrating attention on the harms that can flow from data collection and retention, and providing remedies against them. An architectural mistake India does not want to copy from the EU is the attempt to centre the legislative design around types of data, rather than types of harm against which law should provide remedy.
What we are making, then, is data safety regulation, protecting not data but people, drawing its categories from the harms against which people should be made safe, and the remedies for failures of safety, not primarily legislation for the protection of data as a basis for industrial activity. Therefore:
*Data safety legislation should define the harms that people can suffer, against which the law’s remedies are directed. Harms of disclosure, harms of unpermitted aggregation or use for impermissible inferences or discrimination, harms of facilitation of crime or civil wrong—all should be given specific definition and characterisation.
*In general, the principle of safety is control—people should know when data about them is being requested, how that data is being processed, that the results of aggregations and combinations of their data with others’ data are being returned to them, as well as being used by others.
*In addition to rules giving people control over their data, there should be rules of accountability and safe handling. Parties responsible for the management of personal data on a large scale should be required to give people real-time access to information about the use and handling of their data—who has requested it, what was provided, what rules or agreements govern how it can be used downstream, and how long it can be retained there. Safe storage practices (concerning encryption to protect against accidental or criminal disclosure, and access by judicial process in India or abroad, requiring accountability for all disclosures, including disclosures to government) should also be defined by regulation and updated by ongoing government administrative process.
*Remedies must be provided that give swift recourse for people whose data is harmfully disseminated or mishandled. The Indian legal system is notorious for prolonged delays in deciding matters; no recourse can work effectively if it is not swift and urgent. Large-scale processors of information should be required to post bond or otherwise ensure prompt recourse. We should not expect multi-tier litigation, following on administrative action, by a "data protection commission" or agency to provide realistic remedies for injured parties unless it has a fund for compensation based on taxation of the affected industry, similar to safety regulators in the financial industry around the world.
*A primary goal of data safety regulation should be to inform people of their risks and available remedies. It is crucial that the law itself, as well as the subordinate legislation to which it gives rise, be as simple as possible. Data protection legislation is often devised to hide all the trees in the complexity of the forest. That must not happen here.
*Abandon the misguided obsession with data-localisation while recognising the realities of a cloud-to-mobile architecture.
*Penal provisions, if necessary, must not be all non-bailable, otherwise they would lead to a scenario similar to arrests under Section 66A of the IT Act.
Data safety regulation is not a barrier to India’s role as a global destination for data processing. On the contrary, our current success in that competition for global data service business has come despite international customers’ concerns about unsafe Indian data practices. Making India a global leader in data safety will expand rather than reduce our attractiveness in the world market.
Similarly, Indian data safety can be a strong value for start-ups and innovative small businesses, which can operate with certainty that their own reputations and market access will not be undermined by data safety crises and exposure episodes of the kind that are now routinely experienced by companies, large and small, around the world. Data privacy and safety regulations protecting individuals are an export industry for Digital India. Indian companies can provide to consumers around the world a commercial product that guarantees comprehensive privacy and near-complete data safety, unlike the American platform companies. It’s only a matter of smart policy and quick execution.
The author is Managing partner, Mishi Choudhary & Associates
Views are personal