Data Protection Regulation in India


By Ragavi R
(Imae source: echalliance.com)


Jeremy Bentham, a utilitarian philosopher in the 18 th century invented the institutional form of surveillance model called “Panopticon”. Panopticon is a model where the inmates in a prison are watched by a single guard and the inmates are unaware that they are being watched. What is the link between Panopticon and Data Protection Regulation? Well, the answer lies in the way how the 21 st century business and its ecosystem functions.

‘Uber’, one of the largest taxi companies, owns no cars.
‘Facebook’, the popular media owner, owns no content.
‘Alibaba’, the most valuable retailer, has no inventory.

Even though the statement sounds pessimistic, it provides an insight into the fact that we are racing towards a “data world”. The collection, organisation and processing of data have become ubiquitous. According to the Information Technology Act 2000, the definition of “data”, is the representation of knowledge, information, facts, concepts, instructions which are being prepared or have been prepared in a formalised manner, and it is intended to be processed in a computer system or network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes, etc) or stored internally in the memory of a computer. Data protection law is a comprehensive set of privacy laws, policies and regulations that aims to minimise the intrusion. India does not have a comprehensive Data protection Regulation Act.

Personal Data Protection Bill, 2018
The emergence of a data protection bill in India is predominantly contributed to the Justice K S Puttaswamy (retd) vs Union of India case. The nine-judge bench declared Right to Privacy as one of the fundamental rights and intrinsic part of the Article 21. Justice D Y Chandrachud stated that, “Informational Privacy is a facet of the right to privacy. The creation of a regime needs to balance between individual interest and legitimate concerns of the state”. A committee headed by Justice Srikrishna was formed in drafting the Data Protection Bill, 2018. The main objective of the data protection regulation in India is to ensure that the growth of digital economy does not happen at the cost of individual’s privacy. The bill also tries to define the responsibility of the state and to ensure a trust-based relationship between the data fiduciaries and data principles.

Means of the Data Protection Regulation
Personal Data Protection Regulation Bill is a comprehensive bill that takes into account the dynamics of information privacy. It has defined what data is and has bifurcated the data into personal data and sensitive data. The critical data (no mention of what is “critical data”) will be stored within India. There are several other cyber agencies like National Technical Research Organization, Defense Intelligence Agency and National Critical Information Infrastructure Protection Centre that perform cyber protection function in India.

Data Localisation
Data localisation is the act of storing the data on a domestic device, which is physically present within the borders of a specific country where the data is generated. A study by Gartner in the year 2015 revealed that India had only about 1.2 per cent of the world’s data centre infrastructure, which is insufficient. The cloud Infrastructure in India is substandard compared to other countries.

What is the road ahead?
As far as data localisation is concerned, it is not favourable in the international arena. Many researchers are suggesting alternatives like Mutual Legal Assistance Treaties (MLATs). India has already signed MLATs with 39 countries. However, the scope of this treaty is ambiguous. There is a provision in the data protection bill, which states, “Personal Information that doesn’t serve ‘public activity or interest’ cannot be disclosed unless it is deemed to be of public interest”. This particular provision is in conflict with the Section 8(1) of Right to Information Act, 2005. The argument boils down to transparency and privacy. If transparency is necessary, privacy is affected and if privacy is required transparency should be withheld. 
The data world, in which we are existing, is an asymmetric battleground. In a similar way how a central guard watches his inmates, we are also being watched without our knowledge. On the one hand, we trade off our privacy for some other utility (popularly called as “privacy paradox”) and on the other hand, we are constantly involved in debating on data protection. Can public policy initiatives tackle this sensitive issue?

(Ragavi R is a Research Intern at Centre for Public Policy Research. Views expressed by the author are personal and need not reflect or represent the views of Centre for Public Policy Research)

Comments

Popular posts from this blog

CPPR's social media presence on Blockathon makes a mark!

Latin Catholic community of Kerala: Role in 2016 Assembly Elections

Road Safety in India- Still in Coma