Today's Editorial

26 April 2018

What India needs: Data law, regulator?

Source: By Krishn Kaushik: The Indian Express

Though India does not have a larger data protection framework, over the years, a number of domain-specific laws have been amended to protect users’ data. In his 266-page judgment declaring privacy as a fundamental right, Justice D Y Chandrachud wrote, “Ours is an age of informationInformation is knowledge. The old adage that ‘knowledge is power’ has stark implications for the position of the individual where data is ubiquitous, an all-encompassing presence… The Internet has become all pervasive as individuals spend more and more time online each day of their lives.”

Emphasising the threat to privacy from both the State and non-State actors, the judge asked the government to “put into place a robust regime for data protection”. What is the data protection framework in India? And how safe or unsafe is your data? Though India does not have a larger data protection framework, over the years, a number of domain-specific laws have been amended to protect users’ data.

Foremost among these is the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011. Issued under Section 43A of the Information Technology Act, 2000, it is, however, only applicable to corporate entities, not to any arm of the government. Also, the rules are restricted to sensitive personal data — medical history, biometric information and sexual history, among other things.

There is an array of other laws and regulations — provisions in the Aadhaar Act, the Credit Information Companies (Regulations) Act for the financial sector, and data protection laws for the telecom and health sectors. Experts, however, say that in the age of digital data, these laws are not adequate and what India needs is an “omnibus” or horizontal data protection law. Sunil Abraham, Executive Director at the Centre for Internet and Society, a Bengaluru-based not-for-profit body, calls the existing laws “minimal”, merely defining personal information and placing “certain obligations” on data controllers.

A major void in these laws, according to Abraham, is that “citizens don’t have much recourse; only if you have lost property or suffered financial harm can you approach the court for justice”. A breach of personal information, however, does not allow a person to seek damages or compensation. Malavika Raghavan, a researcher with Dvara Research who works on consumer protection in the digital economy, says the long ‘Terms and Conditions’ users agree to while downloading an app or signing up on a platform such as Facebook or Google “effectively tie us into the arrangements and all the purposes that the collecting entity includes”.

Raman Jit Singh Chima, policy director for India at Access Now, an international digital rights advocacy group, agrees with Raghavan, calling the current data protection regime in the country “very token stuff”. Chima says India urgently needs “a federal office for privacy and data protection”, a body with cross-border regulatory powers like the Competition Commission of India, especially when companies such as Facebook and Google, which may have the largest amount of data on users, are not even Indian.

Such a body might be on its way.

In July 2017, the government created a committee headed by former Supreme Court judge Justice B N Srikrishna, to bring out a draft of the data protection framework for the country. One of the most important proposals in the committee’s white paper was on setting up a high-powered statutory authority with regulatory capacities. Raghavan has another concern: whether such a data protection law would take into consideration India’s first-time users. “We are not building products and regulations for first-time Indian users of data-driven services,” she says.

Experts, however, say any legal framework will have its limitations. A par Gupta, a constitutional lawyer who practises in the Supreme Court and has been part of a number of cases at the intersection of freedom of expression and technology, says, “No law will ever completely insulate us from the harm that will come from technological advances, but some basic guiding principles can take care of a lot of problems.”

As India has an opportunity to build its data protection framework, it has two models to choose from: the one adopted by the European Union, which is tilted towards privacy of individuals; or the second, the path chosen by the US where innovation is given primacy over regulation. The Srikrishna Committee mentions the two models, and says that “factoring in these diverse objectives, a nuanced approach towards data protection will have to be followed in India”.

In the absence of a data protection regime, can data is used to manipulate voters, like what is alleged to have happened during the 2016 American presidential elections? There is no simple answer to that. The truth is data has always played a role in elections, with political parties bundling voters on the basis of caste, religion, gender, location, language, etc. Now that the issues of micro-targeting, misinformation and fake news have come to the fore, says Gupta, there needs to be a debate about amending laws to “prevent such events from happening in the future”.

Abraham of CIS takes a more philosophical approach to how technology may influence voters. “When a technology is new and novel, its impact on the human mind is more profound. As more and more people get used to it, there are diminishing returns on its impact,” he says, adding that till the Internet reaches the last person on the ground, it will continue to influence voter choices. “It does not necessarily have to be through manipulation.”



Book A Free Counseling Session