The Digital Personal Data Protection Bill - that has been listed as one of the items for discussion in the Monsoon Session of Parliament - will, if enacted be a significant first step in the journey to a functional privacy regime. But there is still a lot to be done including issuing regulations and establishing the Data Protection Board.
The Information Technology Act, 2000 governs cyber incidents and data protection in India. A recent amendment permits certain negotiable instruments and real estate contracts to be executed digitally. Though narrow in scope, this change could significantly impact the financial and real estate sectors, fostering innovation and modernization.
In 2014, India’s ministry of law and justice issued a policy on pre-legislative consultation, partially drawing on OECD recommendations. While most legislative proposals in India set aside time for public comments, the consultation often appears to be a formality. We need to redesign the process so that stakeholders can approach the process constructively - recognizing that policy-making is a compromise, and that both government and stakeholders must be open to differing viewpoints.
In India, the absence of comprehensive privacy law has led to over-reliance on CERT-In Rules, 2013, for data breach guidance. Recent directions by the Ministry of Electronics and Information Technology has expanded mandatory reporting requirements, raising concerns about inundating CERT-In with trivial incidents and, as a result, hindering its ability to respond to serious breaches.
There is a growing recognition of the fact that we can use technology tools to make our regulations smarter. There are 2 categories of tools to do this. The first gives users more control over what can be done with their data by placing data in pods and only allowing them to be accessed in accordance with the privacy management protocols. The second unlocks data silos allowing data to move between them with the consent of the user. While these tools seem contradictory they operate at opposite ends of the data spectrum can can be combined to augment statutory frameworks.
