When the government set up the committee on Data Protection in India, led by Justice B.N. Srikrishna, it said that the objective “is to ensure growth of the digital economy while keeping personal data of citizens secure and protected”. The Committee has recently released its provisional views on the formulation of a data protection framework and invited public comments. The Committee does a commendable job on a number of counts. It has covered a wide range of issues pertaining to data protection and privacy. While it has looked at the issues from the prism of what is relevant in India, it has also brought in perspectives from other countries. But there are some important ways in which the Committee can strengthen its final report.
First, it would be useful to anchor the report in some core principles. The Committee must lay out the normative framework which we, as a nation, must aspire to with respect to data protection. Technology will evolve rapidly and the law will need to keep pace with changes. But the overall vision of empowering the individual should be at the heart of all legislation.
Second, it would be important for the Committee to state that privacy is not just a right or a moral obligation, but it has value to the economy. It enhances trust and increases voluntary participation in the digital economy. In some places, the report appears to imply that while the ideal is important, practical considerations demand that we settle for less. While the question of balance is an important one, that should not be seen as a licence to be lenient to privacy-violating data practices.
There is a fundamental link between privacy and innovation. No one will innovate in a surveillance-oriented environment or in a place where an individual’s personal information is compromised. The ultimate control of data must reside with the individuals who generate it; they should be enabled to use, restrict or monetise it as they wish. Therefore, laws should enable the right kind of innovation — one that is user-centric and privacy-protecting. The medium to long-term challenges of building a data protection framework in any other diluted way will be very difficult to handle — for the individual, the entrepreneur and the government.
Third, while the Committee has proposed the creation of a strong Data Protection Authority (DPA), there are some aspects that can make such an agency effective. Some of the recommendations, such as applying the law to both government and private data collectors, fines against violators and direct compensation to complainants, are progressive. But for the DPA to be effective, it must have the authority to impose penalties. The Right to Information Act, which grants such an authority to the information commissions, is a good example to learn from.
The report points out several practical constraints in the implementation of many of the rights it envisages — the challenges arising from the different ways data is currently stored, the burden of meeting privacy rights, the need for exemptions, etc. For this law to be successful, recognising and addressing these constraints is important.
This brings up the need for allowing a time period for data controllers to fully comply with the new law. In the case of the RTI Act, there was a period of 120 days for government departments to comply. The EU’s General Data Protection Regulation gives data controllers two years to prepare themselves to comply with the new regulation. The nature of personal data is such that once it is out in the public domain, it is nearly impossible to put the genie back in the bottle. This calls for getting data controllers to abide by higher standards of data protection, even if it means having a moratorium period that allows them to prepare themselves for such standards. In the long run, the costs of such compliance will be far lower than the potential damage that lenient exemptions to data controllers can cause.
Increasingly, India is being seen as a pioneer in digital technologies. This rapid pace of transformation has raised larger questions around inclusion, data protection and privacy. The signalling value of a strong data protection law in India would be significant and will allow the country to lead by example. We need to think about the principles we adopt — from narrowly tailored exemptions to strong independent enforcement. Ultimately, this law will shape how secure individuals feel while engaging in the digital world, and the kind of innovation we will see in decades to come.