Brainstorm Think

The Future of Data Protection in India

In which we kick off yet another Brainstorm discussion.

Welcome to the third edition of Brainstorm, Pragati’s discussion segment. This edition will focus on ‘The Future of Data Protection in India’, a subject that is as fascinating as it is timely. Our participants for this discussion are Malavika Raghavan, Nikhil Pahwa, Pranesh Prakash, Rahul Matthan, and Saurabh Chandra. Each of them will gather their thoughts over the next few weeks and bring their considerable experience to the table.

If you want to catch up on our previous Brainstorms, head to ‘The Future of the Indian Republic’ and the ‘Crisis in Indian Agriculture’. For a quick understanding of the modalities of Brainstorm, please refer to this note here.

The Right Time for Data Protection

Last month, nine judges of the Indian Supreme Court delivered a landmark judgment. Over six separate opinions, they unanimously held that a right to privacy is a fundamental right under the Indian Constitution. To all of us wondering where the individual stands in the face of new and complex State action, this judgment reaffirmed her primacy under the eyes of the law.

It is right to celebrate this judgment. It settles years of ambiguity about the status of privacy as a fundamental right, lays down a sturdy precedent for a host of similar issues in the future, and insulates every person against crimes and state actions that until now did not consider privacy to be important at all. That said, the ruling is only a yardstick to measure our progress. The next logical step is the creation of a robust data protection framework. This framework must rely on the principles that the judgment embodies.

The wheels have already been set in motion for the creation of a data protection statute for the country. It was announced recently that the government has constituted an Expert Committee under Justice BN Srikrishna to map the details of a data protection framework. It is now a matter of when, and not if, a data protection law will be enacted in the country.

And so, the need of the hour is to come together to debate the form that this law will take. To be effective, this law must remain true to the spirit of the Constitutional values. At the same time, it must recognise the technological developments in the world of today that make data protection a complicated task.

The Right Questions to Ask

While all our panelists will bring their own unique perspectives to this discussion, we believe there are a few fundamental questions that need to be answered by any law on data protection.

First, how will the law impact individuals? The main thrust of any data protection regime should be to safeguard the interests of an individual. One way of doing this is by assuming that the State knows what’s best for the individual. This is obviously a pitfall that needs to be avoided. So how should protective measures be designed to avoid accusations of paternalism? A more pertinent question would be to ask how the law will empower individuals to exercise their autonomy. Informational self-determination, the notion that an individual must have the right to determine how his data is handled, has been one of the foundational principles of data protection over the years. Is it feasible to include this principle in the world of today, when there is a glut of data and ways of accessing it? Are there any compromises that we will have to settle for? What implications will this have for our conception of democracy itself?

Second, how will a data protection law impact the entities handling data? What aspects of their digital behaviour will be regulated? Will the new law ration the collection of data, or will the data collectors be free to gather as much individual data as they like but in accordance with specific guidelines? The first thing that a law on data protection must do is set the permissible boundaries within which such entities can handle an individual’s data. Defining these boundaries will have repercussions on the law’s implementation. So how will these boundaries be defined? Will they be different if the entity is the State, as opposed to a private entity? It is also likely that the law will introduce stricter regulations than what currently exist. If so, how can one incentivise entities handling data to be proactive in protecting it? How should the law strike the right balance so as to not drive away innovation and further development of technology?

Finally, how can the law be designed to stand the test of time? There is a natural inclination while framing a law to focus on the problems of today. This approach may not be the best one when it comes to data protection. The proliferation of information and the myriad ways in which it can be collected, processed and disseminated provide unique challenges. Big Data, the Internet of Things and machine learning are now part of the mainstream discourse. What is telling is how rapidly these developments have come to prominence. Given the pace of technological development, it would not be a stretch to imagine that we could face even more issues in the future than we currently do. How will the interactions between individuals and data collecting entities, be they private or State actors, change in the future? Can the law be made prescient enough to anticipate these changes?

To the extent possible, a new Brainstorm post will be published every Tuesday and Friday. We look forward to an enlightening discourse starting next week!

About the author

Manasa Venkataraman

Manasa is a Research Associate at the Takshashila Institution. She is a graduate of Government Law College, Mumbai and transitioned to public policy after working as a corporate lawyer in Mumbai. She works on issues at the intersection of technology, law and policy, with a specific focus on privacy and data protection.