Why a Data protection law is necessary for India?

  Jun 25, 2017

Why a Data protection law is necessary for India?

Recently, the government made it mandatory to link Aadhaar numbers to tax returns and set itself a target of one year within which it would link all mobile numbers to the Aadhaar database. While the Supreme Court agreed to refer these issues to a larger bench, it seemed happy to let the government continue to incorporate Aadhaar into all aspects of our lives.

OECD approach
Perhaps in anticipation of these events, a number of academic papers have been published recently, agitating the need for a privacy legislation. They have broadly suggested the enactment of a law along the lines of the OECD (Organisation for Economic Cooperation and Development) data protection principles articulated in the 1980s—that personal data is the property of the data subject and cannot be used without his consent.

Data subject
Most privacy laws have been built on this model and if we go down this path, our law will be consistent with global practice. However, if we make consent the cornerstone of our privacy jurisprudence, we will have taken a conscious decision to place upon the data subject, the burden of determining whether or not the use of personal data for a particular purpose is in his interest. In our present data-intensive world, this is a question the data subject is ill-equipped to answer.

Present scenario
Role of Data controller
There could be situations where the commercial interests of the data controller run contrary to those of the data subject. Take, for example, the use of financial information to assess creditworthiness. If the data controller is required to focus solely on promoting the interest of the data subject, it will only consider information that establishes a favourable credit rating. Doing so would run contrary to the commercial interests of the data controller whose business depends on lending only to those borrowers who can repay. In such circumstances the fiduciary responsibility of the data controller should extend to ensuring that the data in its possession is processed in a fair and non-discriminatory manner. And that it does not use other extraneous facts in its possession to unfairly discriminate against the data subject.

Way forward
In a way, it is a blessing that India took its time to enact a data protection law. Without the baggage of a consent-based privacy jurisprudence, we have the freedom to enact a law that is appropriate to our data-intensive world. While the rest of the world is struggling to redesign their laws that are based on a data protection model conceived of in the 1980s when data volumes were a mere trickle compared to today, India has the opportunity to build, from scratch, a forward thinking privacy framework that can address the current reality and can serve as a model for the rest of the world.