Context
In the light of important recent developments on informational privacy, data protection and data governance in India, and their widespread ramifications on India’s strategic relations with other nations as well as for doing business in India’s digital economy, the Technology and Society Initiative at the Centre for Policy Research is organising a discussion on these themes. This discussion will seek to engage with representatives from embassies, chambers of commerce and research funding organisations located in India.
The last few years have seen a formalisation of the right to informational privacy within India’s constitutional framework. While the context to this – the challenge to the validity of the Aadhaar project – has entailed broader issues on delivery of public goods and services, the response to whether an individual can assert control over key informational aspects of her life has become a critical part of our rights jurisprudence. The Supreme Court verdict in Justice Puttaswamy’s case (2017) unequivocally affirmed this right despite leaving open several important aspects including the permissibility of restrictions on this right, and the level of scrutiny which the judiciary could exercise to safeguard them. What was particularly striking was the judicial reliance on considerable scholarship emerging from India and Indian scholars on important themes pertaining to this right: the differing conceptions of privacy and the role for each of them within India’s constitutional framework; the impact of privacy erosion on citizen-State relationship and private transactions in the commercial realm; surveillance tools and technologies in India; the need for an indigenous data protection law, and much more. The court has picked up on this thread in the second Puttaswamy verdict upholding the constitutional validity of Aadhaar with some important caveats and exceptions.
Recently, the Expert Committee headed by retired Justice Srikrishna also convened to come out with a draft personal data protection bill. The centrality of data to both commercial activity and governance purposes has found recognition in this bill. While the present legal regime to regulate data in India can be considered chequered at best with divergent regulations across finance, healthcare, telecom, mobility etc., the new bill aims to create a ‘big data-ready’ framework. It impacts any private enterprise handling personal data by stipulating new internal procedures and strong penalties. The major themes in the bill are new user rights for data principals (individuals) who share their data with data fiduciaries (technology companies); data localisation and cross-border data flows; data protection authority (DPA) and its powers; data fiduciaries and new compliance requirements; and exceptions including law enforcement. Each of these carries major implications for data-driven solutions. During the deliberations of the Committee too, substantial Indian scholarship on the themes listed above have been referenced and relied upon. This is truly a breakout moment for privacy and data protection in India. It is changing the terrain of institutional responses to personal data, technology architectures, and digital trade.
Discussion Objectives and Format
The core objectives driving the discussions are to:
i) Highlight informational privacy debates in India;
ii) Locate informational privacy within India’s constitutional setting, closely re-examining the Supreme Court verdicts in this regard;
iii) Explore themes such as the notice-and-consent framework, regulatory interventions and structural changes, and other key themes on privacy and data protection in India;
iv) Demystify concepts introduced to strengthen personal data protection, including actor and data categories, and new user rights, and their potential impact on technology design;
v) Highlight the ramifications of data localisation and cross-border data transfer restrictions, on digital trade and e-commerce;
vi) Decode the new structural mechanisms proposed to mitigate risks in collection, storage, and processing of personal data;
vii) Identify the impact of these mechanisms on the functioning of data-driven businesses and the future of data innovation in India.
The discussions will be structured as a combination of short power point presentations on key sub-themes, followed by two panel discussions. The first panel shall be on public law developments pertaining to the right to privacy in India, with specific focus on the Supreme Court verdicts over the past couple of years on this right and on the constitutional validity of Aadhaar. The second panel will focus on data protection in India. The primary objective is to highlight research on these themes, demystify the legalese, and flag areas of immediate and long-term concern from both geopolitical and business standpoints.
Please RSVP your intent to participate at this discussion to ananth.p@cprindia.org