To strengthen data privacy, the government has introduced the Personal Data Protection Bill, 2019, which is under consideration of the Joint Parliamentary Committee. The Bill aims at striking a balance between the rights of the individuals, duties of data intermediaries, and necessities of national security. However, privacy is a delicate, personal and inordinately subjective concept. The problem is too complex to be addressed only by regulation and legal mandates. Therefore, devising a comprehensive privacy governance model capable of adapting to the needs of different stakeholders will not be an easy task.
Privacy is a state of mind — a notional boundary that everyone tries to situationally draw, to protect one’s tangibles as well as intangibles. Information. Thoughts. Ideas. Reputation. Privacy is what one decides to make it. A contradiction between voluntary self-disclosures and vexing invasions prevails in everyone’s mind. For instance, one may feel good about the number of likes or birthday wishes on her social media but feels bad when the same public information gets used for targeted ads.
Similarly, sharing the lifetime banking history with a for-profit credit bureau is acceptable for some, but sharing the same information with their law-protection agencies may not be palatable. Billions use WhatsApp, Facebook, or Twitter for free but despise it if data scientists draw conclusions from self-publicised information.
Connotations of privacy laws
The United Nations respects privacy as a fundamental human right. However, due to the diverse socio-political and geo-economic values globally, data privacy and protection (DPP) legislation have varied connotations. For example, in its July 2020 ‘Schrems II’ judgment, the Court of Justice of the European Union (CJEU) highlighted several shortcomings in the US privacy legislation that impede personal data protection. The ruling allows personal data transfers outside the EU only if the levels of data protection are equivalent to that guaranteed within the EU by the General Data Protection Regulation (GDPR).
In August 2017, a nine-judge bench of the Supreme Court of India, in Justice KS Puttaswamy vs Union of India , declared ‘the right to privacy’ as a fundamental right of the Indian citizens. The ‘Data Protection Rules’ under the Information Technology Act, 2000 (IT Act) currently govern data protection in India. In addition, the Bureau of Indian Standards (BIS) provides a framework to establish and operate data management systems.
The new Personal Data Protection Bill imposes compliance requirements for organisations that collect, process, store or dispose of individuals’ sensitive personal data. The Bill proposes provisions for penalties and sets-up grievance redressal mechanisms.
India has a unique opportunity to learn from the experiences of implementation models in the EU, the US and other nations. It is thus imperative to contemplate on the following considerations.
The data protection rules must provide objective and exhaustive criteria for determining the nature and amount of penalties. Bringing transparency will prevent long-drawn litigations and deter companies from creative engineering to circumvent the rules.
The role of the Data Protection Authority (DPA) should extend beyond regulation. It should govern national programmes to sensitise the masses on privacy rights, promote data literacy and inculcate cyber hygiene at the grassroots level. It entails breaking down the theoretical concepts into simple ideas which citizens understand.
The policy should constitute a special fund to support the growing businesses. It will provide a level-playing field to emerging companies and balance out the hegemony of large corporations. Moreover, such a fund can be financed by the penalty collections, unlike the UK and the EU, where the penalties fund the budget like taxes.
Centres of Excellence should be established across the country in collaboration with the universities, think tanks and private industry. India can leverage her competitive edge in the IT-ITeS sector to focus on advanced privacy and cyber research in different domains such as data localisation, data anonymisation, data leak detection, privacy psychology, etc.
India should take a leadership role at the global stage to build alliances and treaties to promote privacy as a fundamental human right and prevent any potential wars on personal data violations or privacy invasions.
Going forward, the Indian Privacy Governance Model will need to strike a delicate balance between preserving the core values of privacy while delivering ever-improving services in a burgeoning digital world.
Mittal is with the IAS. Jain is a US-based cyber security advisor. Views are personal