What constitutes ‘fair use’ of data is increasingly coming under scrutiny by regulators across the world. With the digital detonation that has been unleashed in the past few years, leading to a deluge of data – organisations globally have jumped at the prospect of achieving competitive advantage through more refined data mining methods. In the race for mining every bit of data possible and using it to inform and improve algorithmic models, we have lost sight of what data we should be collecting and processing. There also seems to be a deficit of attention to what constitutes a breach and how offending parties should be identified and prosecuted for unfair use.
There’s growing rhetoric that all these questions be astutely addressed through a regulation of some form. With examples of detrimental use of data surfacing regularly, businesses, individuals and society at large are demanding an answer for exactly what data can be collected – and how it should be aggregated, stored, managed and processed.
If data is indeed the new oil, we need to have a strong understanding of what constitutes the fair use of this invaluable resource. This article attempts to highlight India’s stance on triggering regulatory measures to govern the use of data.
Importance of Data Governance
Before we try to get into what data governance should mean in the Indian context, let us first look at the definition of data governance and why it is an important field of study to wrap our head around.
In simple terms, data governance is the framework that lays down the strategy of how data is used and managed within an organisation. Data governance leaders must stay abreast of the legal and regulatory frameworks specific to the geographies that they operate in and ensure that their organisations are compliant with the rules and regulations. A lot of their effort at present is aimed at maintaining the sanctity of organisational data and ensuring that it does not fall in the wrong hands. As such, the amount of time and effort expended on ensuring that these norms are adequately adhered to is contingent upon the risk associated with a potential breach or loss of data.
In effect, a framework of data governance is intended to ensure that a certain set of rules is applied and enforced to ensure that data is used in the right perspective within an organisation.
Data Governance in Indian Context
India is rapidly moving towards digitisation. Internet connectivity has exploded in the last few years, leading to rapid adoption of internet-enabled applications — social media, online shopping, digital wallets etc. The result of this increasing connectivity and adoption is a fast-growing digital footprint of Indian citizens. Add to this the Aadhaar programme proliferation and adoption – and we have almost every citizen that has personal digital footprint somewhere – codified in the form of data.
With a footprint of this magnitude, there is an element of risk attached. What if this data falls in the wrong hands? What if personal data is used to manipulate citizens? What are the protection mechanisms citizens have against potential overreach by stewards of the data themselves? It is time we found answers to these very pertinent questions – and data governance regulation is the way we will find comprehensive answers to these impending conversations
Perspectives for India
The pertinent departments are mulling over on a collective stand that should be taken while formulating data governance norms. For one, Indian citizens are protected by a recent Supreme Court ruling that privacy is a fundamental right. This has led to a heightened sense of urgency around arriving at a legislative framework for addressing genuine concerns around data protection and privacy, as well as cybersecurity.
As a result of these concerns, the Central government recently set up a committee of experts, led by Justice BN Srikrishna, tasked with formulating data governance norms. This committee is expected to maintain the delicate balance between protecting the privacy of citizens and fostering the growth of the digital economy simultaneously. Their initial work – legal deliberations and benchmarking activity against similar legal frameworks such as GDPR (General Data Protection Regulation) – has resulted in the identification of seven key principles around which any data protection framework needs to be built. Three of the most crucial pointers include:
1. Informed Consent: Consent is deemed to be an expression of human autonomy. While collecting personal data, it is critical that the users be informed adequately about the implications around how this data is intended to be used before capturing their express consent to provide this data
2. Data Minimisation: Data should not be collected indiscriminately. Data collected should be minimal and necessary for purposes for which the data is sought and other compatible purposes beneficial for the data subject.
3. Structured Enforcement: Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. Without statutory authority, any remedial measures sought by citizens over data privacy infringement will be meaningless.
Striking the right balance between fostering an environment in which the digital economy can grow to its full potential, whilst protecting the rights of citizens is extremely difficult.
With a multitude of malafide parties today seeking to leverage personal data of citizens for malicious purposes, it is crucial that the government and the legal system set out a framework that protects the sovereignty and interests of the people. By allaying fears of misuse of data, the digital economy will grow as people become less fearful and more enthusiastically contribute information where a meaningful end outcome can be achieved.