What should an effective data privacy regulator in India look like?


  • Multiple scandals involving Facebook and Cambridge Analytica have made one thing clear – the failure of market forces to uphold privacy and protect user data. As long as there is demand for data, coupled with weak enforcement of laws, our privacy and data will remain vulnerable in the hands of private players. But it is not just the private sector: the Edward Snowden revelations were key to unearthing the extent to which surveillance is entrenched in the systems of government, which, in the absence of reform, will only expose our privacy and data to greater risk.

Fundamental concerns:

  • These are the fundamental concerns which justify the presence of a strong privacy regulator with effective independence and functional powers to enforce compliance. The regulator must necessarily prioritise user privacy above everything else because of the power dynamics and information asymmetry present today in how our data is treated. A practical illustration is when a service provider, public or private, may deny provision of a service in the absence of data, lowering the bargaining power of a user. Similarly, while consenting to give away data, users are not always aware of the full import of their consent. But the regulator, in enforcing best practices and monitoring compliance, is also promoting good business practices.

It recognizes and proposes some solutions to the implementation problem in a lot of our laws, taking off from SaveOurPrivacy’s Seven Principles.

  1. It’s necessary for the provision of an emergency medical service.
  2. Prevent, investigate or prosecute a cognizable offence.
  3. Exempted by a privacy commission that the draft seeks to institute.
  • Also, the draft bill proposes that no person shall store any personal data for a period longer than is necessary to achieve the purpose for which it was collected or received. The same applies to the processing of personal data.
  • The draft bill has been submitted to the Justice Sri Krishna Committee — which will deliberate on a data-protection framework for the country.
  • The bill prescribes punishment for offenses related to interception of communication, surveillance, abetment, repeat offenders and offenses by companies.

Seven principles

  • The bill is based on seven principles.
    • The importance of individual rights
    • A data protection law must be based on the privacy principles and guidelines discussed in the report of the Justice AP Shah Committee of Experts, the Supreme Court judgement on the Right to Privacy, and the European Union’s General Data Protection Regulation.
    • A strong privacy commission must be created to enforce privacy principles. The commission should be granted wide powers of investigation, adjudication, rule-making and enforcement. The privacy commission must have jurisdiction over the government as well as private bodies.
    • The government must respect user privacy. The government cannot deny essential services to citizens if they choose not to share data with it. The draft says that the government withholding services on the pretext of collecting information effectively amounts to “extortion of consent”.
    • A complete privacy code must come with surveillance reform. Even when individual interception and surveillance is carried out, it should be severely limited in substance and practiced through procedural safeguards.
    • Strengthen the Right To Information Act and exempt information commissioners from interference or control by the privacy commissioner.
    • International protection and harmonisation is a must to protect the open internet. The group suggests the law must have extraterritorial effect and apply to web services and platforms which are accessible in India and gather personal data of Indians.
  • The bill takes inspiration from the Privacy (Protection) Bill, 2013 which was drafted over a series of roundtable discussions and inputs conducted by the Centre for Internet and Society, Bengaluru.


As India embarks on this ambitious project to codify norms for upholding privacy and data protection, it must be remembered that even the most well-meaning laws fail to deliver in the absence of a strong body overseeing their enforcement. The experience with regulatory bodies in India may have been mixed, but that does not negate the need to have one or to propose a ‘facilitating’ body sitting on the fence as market forces bet on our data.

Source: Business Standard
