Back to the Basics: Framing a New Data Protection Law for India

Abstract

Over the past decade or so, the use of personal and big data has changed the way many businesses and governments operate. Regulators and legislative bodies have been struggling to keep up with the changes in technology, and increasing concerns about what it means for the privacy of individuals. In India, we have worked with the Information Technology Act, 2000 (IT Act), and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Data Protection Rules) for a few years now. These rules were arguably put together as a response to claims that Indian law did not meet European data protection standard, and for the purpose of ensuring that Indian companies do not lose cross border business (with the European Union). The rules are fraught with inconsistencies, right from the scope of the rules, to the manner in which they can be enforced. Barring these rules, we have had minimal regulations on the use of personal data in certain sectors. At the time of writing this paper, a Committee of Experts (Committee), constituted by Ministry of Electronics and Information Technology (MEITY), is working on recommendations regarding a new legal and regulatory framework for protection of personal data in India. With all signs pointing only towards an increase in not only data driven businesses, but also data driven solutions to problems in many aspects of our life, it is imperative that we get it right this time. The constant change and development in tech over the past few decades has shown us that it may be difficult to predict the way our technology and the internet will look in 10 years. It may be even more difficult to put in place the perfect legal system that addresses such technology. However, ensuring that the basic premise of the data protection law – what/who does it aim to protect, what the scope of the law is, and what principles the law is meant to uphold – is balanced and robust, will go a long way in ensuring that we have a strong, yet flexible legal framework. This paper takes a preliminary look at each of these three concepts, while focusing largely on some of the principles that data protection laws have traditionally relied on, and how they can be revisited in today’s context.