The draft personal data protection bill proposed by the Justice Srikrishna Committee is a major step in India’s journey towards a data governance framework that protects individual privacy, enhances institutional strength, and promotes innovation. With the public comment period for this process closing this week, we want to share more about this view point and offer some suggestions to strengthen the draft bill.
The bill is expansive in its scope, covering all aspects of an individual’s data. It covers identity artifacts issued by the government, which we call an individual’s issued identity. We are encouraged that it will also regulate de-facto identity, which are the data trails that an individual leaves behind while engaging in a digital society and which can be used to identify her.
Most importantly, the primary purpose of data protection acts needs to be protection of individuals from the new risks and harms that a data-based economy has created. After prioritizing this objective, the law can optimize for secondary aims such as ease of business and innovation. We recently shared our learning about the role privacy plays in market-building by creating trust in the ecosystem.
To achieve these aims, India’s data protection legislation will need to address ethics, consent, transparency, the right to be forgotten, and sectoral regulation.
First, the law will need to wade into moral issues. It will need to provide guidance on the uses of data that are acceptable and those that are not. Researchers have shown that more information can both benefit and harm individuals, depending on the context. Consequently, the proposed Data Protection Authority (DPA) should be empowered to specify prohibited uses of data. In addition, the deletion of broad exemptions, such as “purposes related to employment”, is also necessary, given that they can be misused. Several studies show the widespread existence of data-based discrimination in the employment market, for example.
Second, consent needs to be strengthened to make it meaningful. While the bill lays down broad principles, more needs to be done to make consent work in practice. Researchers have found that standardized privacy policies greatly enhance people’s understanding of the specific ways their data are being utilized. Therefore, the DPA can be empowered to specify templates for collection of consent, and businesses required to adopt and adhere to these templates.
Third, the transparency provisions need to be bolstered to ensure better compliance. This will also provide individuals and their representatives the information and tools to protect themselves. The government can consider making data breach notifications to affected people mandatory. Researchers have shown that such notifications reduce identity theft and an average victim’s loss, while improving firms’ security and operational practices.
To further enhance transparency, the DPA can consider making data protection impact assessments and data audits publicly available, after removing any confidential information. In addition, data fiduciaries could be required to provide information about any data breaches on their website. Many researchers have documented negative consequences of poor data security practices on firms’ stock prices. Therefore, requiring firms to make this information public could create the right incentives for businesses to improve their data security.
Fourth, a qualified “Right to Erasure” would be valuable. Economic theory has shown that retaining old, irrelevant information can reduce societal well-being. The current Right to be Forgotten is insufficient because it requires individuals to make the request of an adjudication officer. This lengthy process is likely to discourage erasure requests.
Fifth, the bill can do more to recognize the need for contextual regulation, and therefore create a greater role for sectoral regulators. Economists have noted that “rather than a uniform piece of regulation to address contemporary privacy issues, a nuanced approach–dynamic and individualized to specific markets, contexts, and scenarios–may be necessary”. This has been witnessed by researchers, such as when different kinds of consent mechanisms have had different impacts on the genetic testing market in the US. Therefore, sectoral regulators like the Reserve Bank of India and Telecom Regulatory Authority of India could be empowered with limited legislative powers (for example, to classify some data as “sensitive”), whereas the adjudication powers may remain with the DPA.
There are other useful suggestions that have been discussed in the past three months, including modifying the exemptions for the state and the data localization mandate. These are important issues that must be addressed in the next stages of the process as well.
Having received comments from interested stakeholders, the government will now incorporate the feedback and work toward introducing a Personal Data Protection Bill in Parliament. This will not be the first time—in the past decade alone, at least five privacy bills have been introduced in Parliament by members from different political parties. However, when introduced, this will be the first government-backed privacy bill to be raised. We hope the bill will be debated thoroughly and passed by our lawmakers. That would be the culmination of a decade-long journey to establish a data protection law for India.