Data Protection in India: Submission to the Committee on Data Protection Framework
In August 2017, the Supreme Court of India stated that the Indian Constitution provides a Right to Privacy to its residents. This landmark judgment was the culmination of a years’-long effort to enhance the rights of citizens in an increasingly data-driven age. It is also the beginning of a detailed process to translate the judgment into actual practice. Not only will the judgment be followed by a Data Protection Bill in Parliament, but many sectoral laws and regulators will need a rethink. The laws we make today will be in force for years to come, and therefore we need to be extremely thoughtful and collaborative.
To help draft the Data Protection Bill, the government of India appointed a Committee of Experts to examine issues related to data protection, recommend methods to address them, and draft a data protection legislation. In November last year, the Committee, headed by Justice B N Srikrishna, released a white paper that outlined these issues, relevant global precedents, and preliminary thoughts on the framework. The paper had several useful suggestions and invited comments on many specific questions.
As a member of the Digital Identity team at Omidyar Network I work closely on the issue of data privacy in India, and therefore contributed my perspective to this important conversation by submitting a response to the Committee.
Omidyar Network is engaged in the global data protection and privacy discourse, with a focus on user control and privacy issues for digital identity. This perspective, articulated in Omidyar Network’s point of view on Digital Identity and Privacy, has been informed by research we’ve commissioned to study privacy issues, discussions we’ve had with key stakeholders on the topic, and knowledge of emerging technologies that are enhancing user control and privacy. Fundamentally, Omidyar Network believes that for a digital system to be privacy-protecting and effective, the appropriate technical design and governance choices need to be made.
My response to the Committee of Experts reflects these positions, in addition to our current understanding of data protection and privacy through the lens of Omidyar Network’s experience and learnings in India, as well as Silicon Valley and London. It reflects the following beliefs that we hold about the proposed legislation:
- Anchoring the report in some core principles: The Committee should lay out the normative framework which we must aspire to. The overall vision of empowering individuals should be at the heart of the legislation.
- Stating that privacy has value to the economy: There is a fundamental link between privacy and innovation. Privacy enhances trust and increases voluntary participation in the digital economy.
- Creating an effective Data Protection Authority (DPA): The white paper already has useful recommendations on making the DPA more effective, including applying the law to both government and private data collectors, and direct compensation to complainants. In addition, for the DPA to be effective, it must have the authority to impose penalties. The Right to Information Act, which grants such an authority to information commissions, is a good example to learn from.
- Enabling a smooth transition to a high standard: The nature of personal data is such that once it is out in the public domain, it is nearly impossible to put the genie back in the bottle. This calls for getting data controllers to abide by higher standards, even if it means having a moratorium period that allows them to prepare themselves for such standards.
As a part of a firm that backs both for-profit and nonprofit organizations that are harnessing innovation to catalyze social change, I’m encouraged by the increasing salience of data protection and privacy globally. I, alongside my colleagues at Omidyar Network, hope to share our learnings, while also continually learning from other stakeholders who are engaged in this process both in and outside of India. We believe that this space will evolve rapidly in the near future and therefore it is important for us to keep learning.
The establishment of this Committee is an important and timely step in India’s journey toward a robust data protection regime, and the prospect of a robust data privacy legislation presents an opportunity for the country to strengthen its leadership position on digital innovation. The data protection law that we come up with will not only be consequential for Indian residents, but it will also be watched very closely on the global stage as other countries shape their digital futures.
To see my full comment submitted to the Committee on Data Protection Framework in January 2018, click here.