Data Governance

The Zone of Mischief

As we look to adopt techno-legal regulations in various aspects of our technology-driven world, we need to be mindful of the need to retain a “zone of mischief” - a level of flexibility that will offer us the freedom to innovate and improve.

A New Delhi Effect

The “Brussels Effect” is the phenomenon where other countries adopt regulation similar to the EU’s and, as a result, end up extending Europe’s regulatory dominance. However, regulations like the GDPR have faced criticism for their burdensome compliance requirements. India’s DPI approach offers a new data governance model. But in order for this approach to be globally successful, strong regulatory institutions and a commitment to techno-legal governance are necessary.

The Third Way

There is a commonly held belief that there are basically three different approaches when it comes to data governance - the US, the Chinese and the European. But both the US and China leave regulation in the hands of technology companies - while the EU imposes regulations that these companies need to comply with. The middle path is the Indian techno-legal approach.

Designing Data Governance

Data governance faces challenges in enforcement due to businesses seeking ways around regulations to maximise data usage. Traditional laws are often outpaced by evolving business practices. The “Privacy by Design” concept embeds privacy into technology design, but its success depends on businesses’ willingness to adopt it. India’s techno-legal approach, emphasising interoperability, federation, and protocol-based design in its digital public infrastructure, offers a model for embedding regulatory principles directly into technology, ensuring more effective data governance.

Data Breach

India’s new draft data protection law mandates that data fiduciaries must notify affected individuals and the Data Protection Board of a breach, but it lacks specifics as to timelines or remedial actions. I worry that over-reporting minor incidents could lead to public desensitization, and would have preferred a more balanced approach that requires notification of only the most high-risk breaches, similar to the European GDPR.