As we look to adopt techno-legal regulations in various different aspects of our technology driven world we need to be mindful of the need to retain a “zone of mischief” - a level of flexibility that will offer us the freedom to innovate and improve.
The “Brussels Effect” is the phenomenon where other countries adopt regulation similar to the EU’s and as a result ends up extending Europe’s regulatory dominance. However, regulations like the GDPR have faced criticism for its burdensome compliance requirements. India’s DPI approach offers a new data governance model. But in order for this approach to be globally successful, strong regulatory institutions and a commitment to techno-legal governance are necessary.
There is a commonly held belief that there are basically three different approaches when it comes to data governance - the US, the Chinese and the European. But both the US and China leave regulation in the hands of technology companies - while the EU imposes regulations that these companies need to comply with. The middle path is the Indian techno-legal approach.
Data governance faces challenges in enforcement due to businesses seeking ways around regulations to maximise data usage. Traditional laws are often outpaced by evolving business practices. The “Privacy by Design” concept embeds privacy into technology design, but its success depends on businesses’ willingness to adopt it. India’s techno-legal approach, emphasising interoperability, federation, and protocol-based design in its digital public infrastructure, offers a model for embedding regulatory principles directly into technology, ensuring more effective data governance.
India’s new draft data protection law mandates that data fiduciaries must notify affected individuals and the Data Protection Board of a breach, but it lacks specifics as to timelines or remedial actions. I worry that over-reporting minor incidents could lead to public desensitization, and would have preferred a more balanced approach that only requires notification of only the most high-risk breaches, similar to the European GDPR.
The new draft of India’s digital data protection bill is praised for its simplicity and relatability, although it has raised concerns for its lack of detail and government exemptions. The draft also misses key concepts like data portability and uses non-standard terminology.
The latest draft of India’s Digital Data Protection Bill, 2022, stands out for its simplicity and new concepts like “voluntary undertaking” and official recognition of “consent managers.” However, it omits features like data portability and the right to be forgotten. Critics argue the draft lacks safeguards and over-delegates legislative authority, particularly around the concept of “deemed consent.” But the principles-based approach it espouses could ensure agile and enduring data protection regulation.
Data asymmetry allows those with access to large data sets to gain insights that can be used for various purposes, including manipulation. Solutions like India’s DEPA framework aim to reduce this asymmetry. However, challenges remain in knowledge and intelligence asymmetry, requiring democratisation of data science techniques and addressing biases in AI algorithms.
In India, the absence of comprehensive privacy law has led to over-reliance on CERT-In Rules, 2013, for data breach guidance. Recent directions by the Ministry of Electronics and Information Technology has expanded mandatory reporting requirements, raising concerns about inundating CERT-In with trivial incidents and, as a result, hindering its ability to respond to serious breaches.
John Perry Barlow’s 1996 “A Declaration of the Independence of Cyberspace” argued for internet exceptionalism, where the online world would be free from real-world regulations. This belief shaped the liberal terms of service on websites, but with the internet’s growth and concentration in the hands of dominant platforms, the enforcement of these terms has led to serious global consequences. Barlow’s vision of a more humane online civilization may have been overly optimistic.
