Data Governance

Data is being equated as the new oil, given its potential economic benefits. India currently lacks dedicated data protection laws. Accordingly, data governance has been in bits and pieces in the country. Several laws and policies had provisions pertaining to data. These include: the National Data Sharing and Accessibility Policy 2012; Information Technology Act, 2000; Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; Right to Information Act, 2005; Indian Telegraph Act, 1885; among others. 

There has been renewed interest in data governance for the government since 2017, for achieving multiple objectives, including: securing the privacy of citizens, reaping the economic value of data, ensuring access to data for Law Enforcement Agencies (LEAs) etc. Data can be classified in three broad categories: Personal Data, Non-Personal Data (NPD) and Community Data. Regulatory footsteps for these have been traced below. 

Personal Data

In the judgement of K.S. Puttaswamy vs. Union of India, 2017, the Supreme Court of India (SC) recognised ‘right to privacy’ as a fundamental right. The Government of India (GoI) had formed a committee under the chairmanship of retired justice B. N. Srikrishna to study various issues relating to data protection. The committee proposed the draft Personal Data Protection Bill 2018 (draft bill). After a round of public consultation, an amended Personal Data Protection Bill, 2019 (bill) was introduced in Lok Sabha. The same had been referred to a Joint Committee of the Parliament (JPC), which is currently reviewing the same. Notably, many stakeholders have pointed out various lacunas in the bill. These include: inadequate grievance redress mechanism for users, lack of awareness and capacity of users towards data protection and privacy, broken  notice and consent mechanism, excessive powers of the GoI, sub-optimal Data Protection Authority (DPA) among others.

While the country still lacks a dedicated personal data protection law, many sector specific personal data protection regulations and/or guidelines have been framed and proposed. These include: Telecom Regulator Authority of India’s (TRAI) Recommendations on Privacy, Security and Ownership of the Data in the Telecom Sector, 2018; Reserve Bank of India’s (RBI) Notification on Storage of Payment System Data, 2018; National Digital Health Mission’s (NDHM) Health Data Management Policy; among others.

Non-Personal Data

India has taken a step forward in governing NPD. The Ministry of Electronics and Information Technology (MEITY) constituted a Committee of Experts under the chairmanship of Kris Gopalakrishnan, co-founder, Infosys, tasked with proposing a NPD Governance Framework. The committee released its report in 2020. After a round of public consultation, a revised report was released in 2021 for another round of public consultation. The report also deals with community data.

Stakeholders have raised cautioned against the recommendations of the report. These pertain to: lack of clarity on the market, regulatory, and government failures that the report seeks to address; lack of adequate evidence in formulating assumptions around maturity and facets of India’s data market and digital economy; insufficient assessment of data protection, competition, intellectual property regimes in India to determine the policy maturity, inter-linkages and conflicts.

Areas Requiring Research

Basis the above, Narayan Chamber of Policy (NCP) has identified areas requiring research. These have been listed below.

    • Desk research on the structure, power and functions of the proposed DPA;
    • User survey on regulating community data;
    • Competition Impact Assessment of select provisions of the NPD governance report;
    • Awareness generation and capacity building initiatives for users; and
    • Advocacy campaign on the need for enacting the Personal Data Protection Bill 2019.