Brainstorm Think

Not Just A Bunch of Rules

The current government has an opportunity of a lifetime to create a new institution that will be central to safeguarding the Republic for decades to come.

This is the sixth post in our Brainstorm discussion on ‘The Future of Data Protection in India’. Earlier posts: Intro123, 4, 5.

If there is one take away to draw from the first round of essays in this brainstorm, it is that the issues related to data privacy are complex. The digital explosion is challenging all industrial era assumptions and this is just the beginning. One thing is absolutely certain – whatever law we create will be inadequate and probably obsolete by the time it gets notified. We must avoid the temptation to create such a law at all. Instead, create a flexible regulatory institution that has the resources, the mandate and the agility to navigate this evolving environment.

In this new world where, to use Nikhil Pahwa’s evocative phrase, data is being weaponised – this would be the most important new institution that we must create. At the beginning of this brainstorm, my points of reference were the Securities and Exchange Board of India (SEBI), Telecom Regulatory Authority of India (TRAI) or Insurance Regulatory and Development Authority (IRDA). Now I think, it is closer to the election commission and its impact will span entities governmental, private and non-profit – both Indian and foreign.

An independent Data Privacy Commission, headed by a Chief Data Commissioner should be constituted. The immediate bill should only focus on creating the most robust, future looking and non-partisan institution with a global (and not merely domestic) outlook. It should have a simple terms of reference – the recent right to privacy judgment from the Supreme Court. Its only job being to protect the privacy of the Indian citizen – from its own government if need be.

It has to be a pragmatic institution though and not a dogmatic one. Killing the patient to cure him must not be an option. As I have argued earlier, regulation with a light touch is what we need. Setting guidelines and letting startups self-regulate would be a good way to start. The strictest regulation should focus on government services, followed by large corporations and services beyond a million users.

The global nature of this institution is challenging. India is now a large enough market to influence global players but how does an Indian regulator elicit compliance from foreign companies? The only real tool at its disposal is restriction of market access or enforcing writ through local subsidiaries. Then there are hairy situations where a foreign government could be the offending party. Perhaps, in these cases, the role of the regulator stops at informing the Ministry of External Affairs or the National Security Advisor’s office. Hence, India’s approach to this issue can’t be limited to a single institution. The regulator can be a central player but the policy would need a coherent multi-institutional response that agrees on the core objectives.

It is worth considering if India should make a global privacy alliance with other liberal entities such as the European Union and the USA since geographical boundaries will, more often than not, be irrelevant in this digital world. Privacy is an excellent unifying value for the liberal world and a formal structure can create a better deterrence against authoritarian regimes invading the privacy other citizens. This is easier said than done though since espionage’s legal cover in every country is the fact that constitutional guarantees are not available to non-citizens. A start could be made with something similar to a human rights convention and lay some universally accepted privacy rights that are available to every human being. In the new emerging world order, this is an additional dimension for liberal democracies to co-operate on.

The current government has an opportunity of a lifetime to create a new institution that will be central to safeguarding the Republic for decades to come. It must resist treating data privacy as just another matter or to merely look at other countries to see what they have done already. This is a new challenge that has hit the whole world and there are no precedents. There are no models that already exist in more developed economies. The Indian government has the opportunity to lead the way and must rise to this challenge. The opportunity is not merely to create a domestic institution but to shape a new multi-lateral global institution.

About the author

Saurabh Chandra

Saurabh Chandra is a co-founder at Ati Motors, an autonomous vehicle start-up, and a faculty fellow at The Takshashila Institution.