This is the opportunity to draw up the best privacy law

Last week’s big news in India was the withdrawal of the Data Protection Bill from Parliament. From the moment it was added to the list of supplementary items on the parliamentary agenda, policy discussion groups were abuzz, trying to figure out what exactly this meant for the future of data protection in India.

Soon after the news broke, Union minister Ashwini Vaishnaw proactively reached out to the media to explain what the government was doing and why. Civil society was quick to categorize the withdrawal as yet more evidence of the government’s intransigence, even though scant months ago, the very same organizations decried the latest draft as unfit for the purpose.

The fact is every new version of India’s privacy law progressively denuded the simplicity and internal consistency of the one that preceded it, making it unwieldy and, in many places, internally incongruent. Amendment upon amendment warped the language beyond recognition, each version adding new concepts to the mix—from special provisions on social media intermediaries to an attempt to regulate non-personal data. While the Joint Parliamentary Committee draft for the most part was good, in places it was a Frankenstein’s monster of disconnected intentions cobbled together with bits of wire and sticky tape. Unwinding this mess was always going to be a Herculean task. But given how long it had taken us to get to that point, few of us were willing to suggest tearing it up and starting from scratch.

Now that the government has bitten the bullet and withdrawn the bill with a promise to produce a new streamlined version, almost everyone I speak to agrees that this is exactly what we need. And, more importantly, that it gives us the opportunity to incorporate all the feedback we’ve received over the past five years, unencumbered by the constraints of trying to insinuate changes into an existing draft.

So now that we have a blank slate, how should we approach drafting the privacy law?

One way might be to list the things the law should not contain. For instance, there is no need to include non-personal data in the law as it has no bearing on the primary purpose of this law—protection of privacy. As and when the government decides to regulate non-personal data, it can do so under a separate law, not force-fit the concept into a framework ill-suited to support it. Similarly, including regulations that only apply to social media intermediaries is unnecessary, particularly since it is notoriously difficult to define what qualifies as one. If we have to, let us regulate them through a separate dedicated law.

Above all, the new draft should place a premium on simplicity. Today, the bill is prescriptive, requiring 13 different types of information to be notified to the data principal before data collection, and imposing such onerous obligations as submitting a copy of a privacy-by-design policy and reporting without exception all data breaches to the Data Protection Authority. Unlike Europe, India is only just embarking on its data protection journey. We should not attempt to go from zero to hundred overnight. Instead, it would be wise to gradually ramp up data protection obligations, ensuring that they are not too prescriptive, while still getting Indian data fiduciaries accustomed to taking privacy more seriously.

We should also not shy away from taking an innovative approach. To the extent possible, the law should be administered digitally. We have a track record of successfully rolling out digital data governance solutions at scale and the new privacy law should support the use of this kind of techno-legal infrastructure across all sectors of the economy. Similarly, the grievance redressal and dispute resolution process should, at least in the initial stages, be wholly digital, along the lines of the online dispute resolution processes.

It is also useful to view this in a somewhat broader context. The government has for some time been working on replacing the 20-year-old Information Technology Act with a modern Digital India Act. A couple of weeks ago, the Department of Telecommunications initiated a consultation process around a new telecom regulatory framework, looking to replace the pre-Independence Telegraph Act with a “future-ready framework” more in keeping with modern communication systems.

The digital privacy legislation could be the third leg of this stool, setting up a triumvirate of modern regulations that will underpin the entirety of India’s digital economy. If these three laws can be designed to support each other, individually addressing clearly distinct domains yet deftly coordinating with each other to hand off responsibilities to one or the other regulatory framework where their spheres of operation intersect, we will have a robust legal regime fit for the modern digital era. Done well, this could be a model the rest of the world will emulate.

That said, there is a need for speed. India has gone too long without data protection regulation and we cannot put it off much longer. As much as the withdrawn draft did not cut it, we cannot take our own sweet time to prepare its replacement. Given all the work that has already been done and the diversity of viewpoints at hand, it shouldn’t take too long to come up with a new draft, even if we have to prepare it afresh.

Minister Vaishnaw promised that we would have a new law by the next budget session. If we go about it with the appropriate level of urgency, this is eminently doable.

Rahul Matthan is a partner at Trilegal and also has a podcast by the name Ex Machina. His Twitter handle is @matthan
