A chance for India to shape a data governance regime

A chance for India to shape a data governance regime

Why in News?

India’s G-20 presidency has provided an opportunity for the country to ensure that its digital strategies and data governance are inclusive, transparent, secure and conducive to sustainable development.

Background:

• In recent years, India has made great strides in its digital strategies/data governance → by embracing technology (say, UPI) and digitalisation → driving economic growth → improving the lives of citizens. However, the issues of ownership and governance of data generated and collected and data sovereignty have become increasingly important.
• Data sovereignty is the idea that data is subject to the laws and governance structures of the nation where they are collected.
• Given this, it is unreasonable to deny people control over their data and India’s DEPA – a consent management tool, has generated both excitement and concern among stakeholders.

Data Empowerment and Protection Architecture (DEPA):

• It was launched by the NITI Aayog in 2020on the premise that individuals themselves are the best judges of the ‘right’ uses of their personal data.
• It is designed as an evolvable/agile framework for good data governance that empowers people to seamlessly and securely access their data and share it with third-party institutions.

Key building blocks of DEPA:

• Enabling regulations,
• Cutting-edge technology standards, and
• New types of public and private organisations with incentives closely aligned to those of individuals.

What are the Key Challenges with Data Protection in India?

• Lack of Awareness: One of the biggest challenges with data protection in India is the lack of awareness among individuals and organizations about the importance of data protection and the risks associated with data breaches. This makes it difficult for individuals to take necessary precautions to protect their personal data.
• Weak Enforcement Mechanisms: The existing legal framework for data protection in India lacks strong enforcement mechanisms, making it difficult to hold organizations accountable for data breaches and non-compliance.
• Limited Scope: The Personal Data Protection Bill, 2019 applies only to the processing of personal data by entities within India. It does not cover data processing by entities located outside India, which can make it difficult to protect the personal data of Indian citizens in such cases.
• Lack of Standardization: There is a lack of standardization in data protection practices among organizations in India, which makes it difficult to implement and enforce data protection regulations.
• Inadequate Safeguards for Sensitive Data: The current data protection framework in India does not provide adequate safeguards for sensitive data such as health data and biometric data, which are increasingly being collected by organizations.

What Steps has India taken to Strengthen its Data Protection Regime?

• Justice K. S. Puttaswamy (Retd) vs Union of India 2017: In August 2017, a nine-judge bench of the Supreme Court in Justice K. S. Puttaswamy (Retd) Vs Union of Indiaunanimously held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21.
• N. Srikrishna Committee 2017: Government appointed a committee of experts for Data protection under the chairmanship of Justice B N Srikrishna in August 2017, that submitted its report in July 2018 along with a draft Data Protection Bill. The Report has a wide range of recommendations to strengthen privacy law in India including restrictions on processing and collection of data, Data Protection Authority, right to be forgotten, data localisation etc.
• Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021: IT Rules (2021)mandate social media platforms to exercise greater diligence with respect to the content on their platforms.
• Other Initiatives taken: India’s Data Empowerment and Protection Architecture (DEPA)

Way Forward?

• Develop a Comprehensive Data Protection Law: India needs a robust data protection law that protects citizens’ privacy rights while also facilitating the use of data for legitimate purposes. The law should be in line with global best practices and should provide for strong enforcement mechanisms.
• Build Digital Infrastructure and Skills: India needs to invest in building digital infrastructure and developing digital skills to ensure that data is collected, stored, and used in a responsible and accountable manner.
• Develop Clear and Accountable Data Governance Policies and Regulations: India needs to establish clear policies and regulations that govern the collection, storage, and use of data by governments, businesses, and citizens. These policies and regulations should be transparent, accountable, and enforceable.
• Balance the Interests of all Stakeholders: India needs to balance the interests of governments, businesses, and citizens to ensure that data governance supports sustainable development and benefits all stakeholders.
• Promote Open-Source Solutions: India can promote the development and implementation of open-source solutions to ensure that underlying data architectures are a social public good, and to promote digital technologies to become accessible and affordable for all.
• Ensure Alignment with Broader Development Strategies: India needs to ensure that its data governance regime is aligned with its broader development strategies and values, and that it supports the development of a secure, more egalitarian, and trustworthy digital future for all.
  • India Stack can be designed and implemented in a way that is consistent with India’s broader development strategies.
  • India Stack is a unified software platform that provides digital public goods, application interfaces and facilitates digital inclusion.

Conclusion

It is important for India to navigate a middle way between restrictive data sovereignty and limitless data flow for the development of ethical and responsible data governance practices.