DATA RULES
India secured its 'Data Democracy' project with the government proposing legal guardrails for the commercial use of personal data
EPISODE #101
A very Happy Monday to you.
Last week the union government put out the draft data privacy legislation, the Digital Personal Data Protection Act, 2022, for discussion. You may recall that the government had recently withdrawn the earlier draft, which was doing the rounds of the Parliamentary committees.
As promised, the new draft is pithy. Critics who had panned the earlier draft law, arguing that it tried to do too much, are now claiming that this version is too short. Damned if you do and damned if you don’t.
Regardless, this data privacy law was long overdue and is India’s first serious attempt to regulate technology.
If nothing else, it was required to secure the foundations of India’s unique ‘Data Democracy’ project wherein individual data, as in the case of Aadhaar and UPI, is monetised to democratise access and empower at scale. So this week I put the spotlight on India’s new data rules. Do read and share your feedback.
The cover photo this week is taken by Hogarth de la Plante and sourced from Unsplash. Thought it was a nice metaphor for the guardrails that will soon be in place.
A big shoutout to Vandana, Mahalingam, Gautam, Kapil, Premasundaran, Aashish and Vivek for your informed responses, kind appreciation and amplification of last week’s column. Gratitude also to all those who responded on Twitter and LinkedIn and for the congratulations on the 100th episode of Capital Calculus. Reader participation and amplification is key to growing this newsletter community. And many thanks to readers who hit the like button 😊.
NEW GUARDRAILS
Last week India came a step closer to establishing rules for commercial exploitation of data when the union government circulated the draft Digital Personal Data Protection Act, 2022 for comments. This replaces the version that was withdrawn earlier this year, just before it was to be put up for a formal clearance by Parliament.
The big takeaway from the draft in circulation is that it is pithy. Especially when contrasted with the draft that was withdrawn.
To put it simply, the draft law doesn’t try to do too much. Yes, critics are baulking, but let us not forget that regulating technology requires a soft touch, especially given that it changes both exponentially and disruptively. Any overreach will stifle innovation and trigger chaos.
In the Indian context the stakes are very high. By deploying Digital Public Goods (DPGs) like Aadhaar, Unified Payments Interface, Co-Win and so on, India has leveraged personal data for doing public good. One concern that dogged this impressive project has been the ability and willingness of institutions to secure personal data.
At a time when white collar crime is rampant, this fear about misuse or theft of personal data is very legit. More importantly, there can be no two arguments against protecting privacy. It is sacrosanct and should be treated thus.
Trade-offs
Strikingly, the latest draft acknowledges the trade-off between protection of privacy and commercial mining of personal data.
In fact, it is the central purpose of the new law. The preamble of the draft law makes this very explicit.
“The purpose of this Act is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.”
It has taken a little over a decade for India to get here.
Ever since the idea of Aadhaar was seeded under the Congress-led United Progressive Alliance (UPA), its first chairman, Nandan Nilekani, had been arguing for a privacy law.
The idea was initially tossed around by a committee of bureaucrats, even while privacy warriors were railing against Aadhaar, arguing that it risked loss of privacy. While their fear was valid, it sounded ironic, given that people were voluntarily sharing even more critical personal information in the public domain through social media tools like Twitter, Facebook, WhatsApp and so on.
Eventually, the UPA put up a draft law for discussion, but it was not taken to its logical conclusion. Worse, the UPA was guilty of not creating Aadhaar under a law, leaving the identity project vulnerable to criticism levelled by privacy warriors.
It was only when the Supreme Court weighed in that the Bharatiya Janata Party (BJP)-led National Democratic Alliance, which had replaced the UPA in office, hurriedly passed a law to extend legal backing to Aadhaar in 2016.
Thereafter the idea of a privacy law found fresh legs.
Meanwhile the idea of consent was codified in the Data Empowerment & Protection Architecture (DEPA); it accorded every Indian control over their personal data. While this consent architecture enabled portability of individual data and the rollout of various DPGs, the need for a privacy law grew.
The Law
I am not going into the details of the proposed law.
Instead, I am requesting you to read Rahul Matthan’s post on Substack. Rahul is a partner at the law firm TriLegal and my go-to person on data privacy. Being a lawyer, Rahul understands the nuances and implications of the proposed law. It is written very simply and I would recommend that you read it.
Sharing the link below:
In fact, he is my guest for the upcoming episode of Capital Calculus on StratNews Global. Please watch it at 7.30 pm this Thursday. I will be sharing a fresh alert on social media ahead of the telecast.
Regulating Technology
This is India’s first serious attempt to regulate technology. The bigger challenge is that the India tech story departs significantly from that pursued by the Western world.
Instead of outsourcing everything to big tech, India has adopted the DPG model—wherein institutions provide the digital rails that are accessible to anyone to develop innovations. As a regular reader of this column you would realise that this has been a recurring theme.
The key to deploying and scaling DPGs—which has made it possible to roll out Aadhaar to 1.3 billion residents, 2-plus billion covid-19 vaccines and average 7-plus billion transactions on the Unified Payments Interface—is interoperability. Implicit in this is data portability.
I cite this example as critics like Rahul are pointing out that there is not enough clarity on data portability in the draft bill. If true, it is a point of concern. It could potentially jeopardise DPGs. Exactly why I began by saying that technology regulation needs a soft touch; inevitably the regulator is playing catch-up—the pace of technological change is such.
In the final analysis it is clear that a data privacy bill was much needed. Yes, it could have been sooner. But it is better to get it right than hurry it through. Strike the right cadence, such that tech innovation is not derailed.
Recommended Viewing
Sharing the latest post of Capital Calculus on StratNews Global.
This time it was a conversation with Lt General Anil Bhatt, Director General of the Indian Space Association (ISpA).
The immediate context was the historic launch of the first privately manufactured rocket by an Indian firm, Skyroot Aerospace. But we used the occasion to also discuss the new playbook adopted by India since 2020, which seeks to elevate the Indian private sector to the status of a partner of the Indian Space Research Organisation (ISRO). This is putting in play an entirely new set of dynamics.
General Bhatt walked us through these changes, dwelling on:
How the launch proves that the Indian private sector is space capable;
How the new playbook adopted by the government is returning dividends;
The use cases of the class of rockets launched by Skyroot Aerospace.
...and much more. Do watch and share your thoughts.
Sharing the link below:
Till we meet again next week, stay safe.
Dear Anil,
A very well timed article!!
As you rightly said, the Data Protection Bill will provide a better comprehensive legal framework to regulate technology. India, by the turn of this century, will have one of the world's largest digital personal data footprints. We have to find solutions for Data Free Flow with Trust and Cross Border Data Flows.
The Bill has certain shortcomings, but it is definitely a step forward in the right direction!!
Whether the draft of the data privacy legislation is approved by Parliament or a fresh draft is made, is something that will crystallize in the future; however one thing is certain that whatever becomes the guardrails of law, this is a start and further fine tuning of required and acceptable legislation will happen in future. A start, whether perfect or with a few blemishes, had to be made; as they say, one eye is better than being blind. The sincerity of the ruling government from time to time, is required to prevent misuse of personal data. Very well written and explained Anil. 👏