Our data regulations still prescribe processes that must be followed to bring about the scarcity we have long believed will ensure data protection. Rather than prescribing processes, we should focus on engineering for the outcomes we want to achieve.
The widespread use of digital technologies has given law enforcement brand new opportunities to use sophisticated tools for detecting crimes. That said, simply because technology has opened up new pathways for investigation does not mean that we should use them in ways that violate personal privacy.
Now that we know the DPDP Act, 2023 will come into force in just under 18 months, data fiduciaries have begun to panic, worried that they have left it too late. For all the procrastinators out there, here is an easy 3-step guide to assessing where you currently stand.
As the technology to collect neural information directly from our brains starts to become commercially viable, we need to think deeply about the social and ethical implications of this. Apart from just data protection we may need a broader articulation of cognitive liberty.
Modern privacy law is based on principles of data protection that were first articulated in the 1970s. As a result, it is based on the idea that we should collect as little data as possible to safeguard personal privacy. In the age of AI and big data, that approach is fast losing its relevance.
Since data allows us to price risk more accurately and, at the same time allows us to offer incentives for appropriate behaviour, it is a very useful tool for insurers looking to achieve optimal risk pooling. However, if we take it too far we risk ending up in a surveillance society.
The introduction of the term Consent Manager in the Digital Personal Data Protection Act gave rise to considerable speculation. No other data protection law had anything like it, and the law itself was unclear as to what role these entities played. Now that the Rules are with us, things are a little clearer.
The much awaited Digital Personal Data Protection Rules are finally with us and, with that the final piece of the puzzle is in place. While there is a lot to unpack, overall, the Rules follow the Act in terms of simplicity - adding just enough to make it complete without complicating things unduly. That said, there are a few issues that still need to be sorted out.
The individual agency that privacy laws offer were designed for a time before networked privacy. As a result we cannot just rely on laws and regulations to protect our data but need to do considerable additional work to secure it.
The question of what is to be done with personal data in the course of an M&A transaction is always complicated. It becomes even more so when the data in question is highly sensitive genetic information that was collected for a specific purpose. We need to think through these issues as the Indian law comes into force.
