Opinion | India's data protection bill is a great start but it's far from perfect

Jayanth Kolla

The draft data protection Bill submitted by the 10-member Srikrishna committee to the Centre on July 27 is a great start in the right direction towards data privacy and regulation in India.

The Bill has managed to define various terms such as Data, Personal Data, Sensitive Personal Data, etc, in a crisp and definitive manner. It also laid down penalties for offenders. These two moves will help in bringing some clarity in an otherwise evolving ecosystem, powered by technologies.

We are entering the intelligence era where data privacy and the need for regulation is paramount. Every company today is a data company — it either collects, requires, uses or generates data. And, every individual consumer/citizen has attributes that can be labelled, identified, processed and profiled. Digital technologies, primarily led by advanced analytics, machine learning (ML) and artificial intelligence (AI) can generate tremendous value out of such attributes. And, like all technologies, these too can turn disastrous if not contained within certain boundaries.

The first line of the data protection Bill — “Data privacy is a fundamental right of every citizen” — sets the context and empowers the individual. The Bill goes on to charter a well thought-out framework, covering exhaustive touch points.

However, the Bill falls short on a couple of areas. It puts the onus of consent withdrawal and all associated legal costs on the individual, and provides overarching powers to the State, without clearly defined boundaries or limitations.

Data has multiple forms — collected, compiled, derived, generated, profiled, etc — and given that an average citizen is fairly undereducated on all the forms and their potential use, the State, at least in the early days, needs to protect her rights and lessen the burden on the individual.

As for overarching powers, the Indian State has handled such ambiguities responsibly. In the telecom sector, “lawful interception” necessitates the service providers to capture all conversations, but the recordings are available only to certain State authorities and upholders of law, in specific circumstances and upon necessary approvals. Also, India is one of the only nine countries to release net neutrality regulations in its purest form (when even advanced countries such as the United States couldn’t uphold it). Having said that, the data protection authority (proposed to be set up to ensure various stakeholders process the data in line with the law) has to come up with laws defining the boundaries of various entities, including that of the State.

These are still early days of what can be achieved through data processing and analytics. For instance, the data a company like Google collated, processed and used 10 years ago is completely different to what it does today, and it will be different 10 years hence. Google, with all its data collation and processing capabilities, has only come out with its Knowledge Graph in 2012-13, which is still very limited in its functionality. No other company has a fully functional Knowledge Graph as yet. Going forward, in 10 years, the pace at which artificial intelligence and machine learning algorithms are advancing, Knowledge Graphs will be commonplace. In such a scenario, it is impractical and impossible to lay down an all-encompassing regulatory framework in the early stages of the ecosystem. On the contrary, a restrictive framework can impede the growth and limit the potential of the ecosystem.

The data protection Bill closely follows and is in line with Europe’s General Data Protection Regulation (GDPR). There are multiple data protection regulation frameworks designed and advocated by various entities across the world. The Data Empowerment and Protection Architecture (DEPA), developed by iSPIRT, is a well thought-out design and set of guidelines.

The Bill is a good start, and needs to be understood in a larger context considering the fluidity of the evolutionary ecosystem that it is trying to regulate. It does exactly what it is supposed to do — start a public and political debate on the subject of data collation, processing and privacy, and by extension, educate its citizens and lawmakers (hopefully, adequately).

Considering the upcoming general election and what the Facebook-Cambidge Analytica episode showed the world, all political parties have a vested interest in conducting it in a fair manner. So, expect this debate to only get louder and stronger in the days to come.