As the technology to collect neural information directly from our brains starts to become commercially viable, we need to think deeply about the social and ethical implications of this. Apart from just data protection we may need a broader articulation of cognitive liberty.
The use of cybernetic principles to maintain an equilibrium in society has long been the goal of policy organisations. However, it was not until digital technologies became ubiquitous that this actually became real. Now that it has come to pass, it is important to ensure that those at the helm are working in the interests of society.
The challenge with regulating technology is that laws always lag behind the technologies they regulate. One way to address this is to adopt a philosophy of incremental regulation that follows in lockstep with technological evolution. This requires a theoretical understanding of the evolutionary dynamics of technology.
Since data allows us to price risk more accurately and, at the same time allows us to offer incentives for appropriate behaviour, it is a very useful tool for insurers looking to achieve optimal risk pooling. However, if we take it too far we risk ending up in a surveillance society.
As we look to adopt techno-legal regulations in various different aspects of our technology driven world we need to be mindful of the need to retain a “zone of mischief” - a level of flexibility that will offer us the freedom to innovate and improve.
The “Brussels Effect” is the phenomenon where other countries adopt regulation similar to the EU’s and as a result ends up extending Europe’s regulatory dominance. However, regulations like the GDPR have faced criticism for its burdensome compliance requirements. India’s DPI approach offers a new data governance model. But in order for this approach to be globally successful, strong regulatory institutions and a commitment to techno-legal governance are necessary.
There is a commonly held belief that there are basically three different approaches when it comes to data governance - the US, the Chinese and the European. But both the US and China leave regulation in the hands of technology companies - while the EU imposes regulations that these companies need to comply with. The middle path is the Indian techno-legal approach.
Data governance faces challenges in enforcement due to businesses seeking ways around regulations to maximise data usage. Traditional laws are often outpaced by evolving business practices. The “Privacy by Design” concept embeds privacy into technology design, but its success depends on businesses’ willingness to adopt it. India’s techno-legal approach, emphasising interoperability, federation, and protocol-based design in its digital public infrastructure, offers a model for embedding regulatory principles directly into technology, ensuring more effective data governance.
India’s new draft data protection law mandates that data fiduciaries must notify affected individuals and the Data Protection Board of a breach, but it lacks specifics as to timelines or remedial actions. I worry that over-reporting minor incidents could lead to public desensitization, and would have preferred a more balanced approach that only requires notification of only the most high-risk breaches, similar to the European GDPR.
The new draft of India’s digital data protection bill is praised for its simplicity and relatability, although it has raised concerns for its lack of detail and government exemptions. The draft also misses key concepts like data portability and uses non-standard terminology.
