The engines of digital economies across the world are dependent predominantly on one form of fuel – data. Businesses are collecting data to understand their customers and sell better, and governments are collecting data to ensure digitization and technological advancement in their countries. Dependence on data has grown rapidly, and with it, so has the vulnerability of data subjects.
The time is ripe for a comprehensive data privacy framework that is protective of the data subjects without compromising the needs of businesses that collect data or the progressive advancement of technology.
The Existing Data Privacy Framework
The data privacy framework in place in India was introduced through Sections 43-A and 72-A of the Information Technology Act 2000. Subsequently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 were issued, which regulate the collection, disclosure, transfer and storage of sensitive personal data and information.
The current framework imposes no obligations upon data collectors to report any compromises to the end-consumer. A variety of other loopholes seem to be conducive not to a protective environment, but to one that encourages breaches.
The Ideal Data Privacy Framework
Given that the Government’s goal is to create a Digital India and ensure the success of a variety of other projects that find their backbone in data and telecom, it is important to establish that data-driven innovation cannot be scaled without adequate privacy safeguards. In this regard, legislation alone is not enough unless supported by an adequate implementation ecosystem including an effective grievance redressal system and user awareness.
The sheer volume of data transactions taking place on the internet today renders a centralized ex ante compliance system impractical. The legislator should therefore be encouraged to recognize and endorse a culture of corporate accountability that would limit the ex ante enforcement approach to a minimum.
Further, the privacy framework should define the broad principles, and organizations can then design their own privacy programs in compliance with these principles. The focus should be to improve internal governance mechanisms in organizations without introducing bureaucracy. While organizations should be allowed to self-regulate, they should be held accountable for any violations.
The ideal data privacy and protection framework is transparent, consent-driven, and holds its stakeholders accountable. All stakeholders can work with the government and do their bit for a safe and secure India.