What a new data law must have?

Source: The post is based on an article “What a new data law must have” published in the Times of Indian on 5th August 2022.

Syllabus: GS 2 Government Policies and Interventions for Development in various sectors and issues arising out of their Design and Implementation.

Relevance: Data Governance in India

News: Recently, the Government of India (GOI) has withdrawn the Personal Data Protection Bill 2019 from Parliament, and the Union Ministry of Information Technology (MeiTY) is reportedly finalizing a new draft.

Some related concepts

Personal data protection: This is about allowing an individual to control how information about her is used,

Non-personal data regulation: It refers to the regulation of non-personal data for economic aims.

Reasons for withdrawing the draft bill

The objectives to protect personal data were diluted. The Justice BN Sri Krishna committee recommended protecting personal data, given the fundamental right to privacy. However, the draft bill 2019 included both personal and non-personal data. Later, a parliamentary committee examining the law also suggested a common regulator and law for personal and non-personal data.

What should an ideal data protection law look like?

(1) Our new law should focus on personal data and exclude non-personal data. Personal data is data about an individual or which relates to one, for example, our name, phone number, chat history, credit history, profile details, etc. In contrast, non-personal data may include, the number of cab users in a locality.

(2) There should be reform of Indian surveillance laws to put checks on government use of data. For this, certain privacy principles can be extended to data processing by law enforcement agencies, in line with the fundamental right to privacy.

For instance, minimizing the amount of data collected by security agencies, limiting how long it can be stored, etc.

(3) There should not be an over-reliance on consent for data processing: In the withdrawn bill, there was an over-reliance on the consent of the individual. The law mandated consent for data processing every time, with limited exceptions. It neither empowered the individual nor took into consideration the business realities, like seeking consent for each act of processing was expensive and simply not feasible.

In contrast, the EU’s GDPR recognizes that businesses may have legitimate interests in processing data and allows such processing, without businesses needing to resort to consent each time. Plus, the new law should provide ample consultation at each stage of regulation.

(4) The data regulator must be strong and coordinate with other regulators: The new law should establish a robust regulator. The regulator must also work closely with RBI, National Health Authority, TRAI, and other sectoral regulators. These regulators have already made inroads into data governance, like mandating local storage of payments data, barring merchants and payment aggregators from storing card data, restricting co-branding partners from accessing transaction data, etc.

(5) Enable cross-border data flows: The proposed law should enable and encourage cross-border data flows and limit data localization. Cross-border data flows are critical to economies. For example, a McKinsey Global Institute Study in 2016 estimated that global data flows contributed $2. 8 trillion to the global GDP. It can enable the development of, and the skilling of our workforce in, new technologies like AI. It will also prevent the fragmentation of the internet.

Print Friendly and PDF