Managing Data Governance in India

The adoption of the Digital Personal Data Protection Bill of 2022 by the Union Cabinet for introduction in the forthcoming Monsoon session of Parliament represents a watershed moment in the country’s data governance environment. 

The Digital Personal Data Protection Bill (DPDP) and Legislative Measures

DPDP: A Comprehensive Framework

DPDP stands out as a cornerstone of India’s data governance initiatives. It introduces substantial amendments that redefine data processing and consent mechanisms. Notable highlights include:

Lowering the Consent Age

The DPDP bill lowers the age of consent for data processing to 18 years, requiring parental authorization for individuals under 18. A future bill will adopt a nuanced approach, allowing case-specific determination of the consent age. 

Exemptions and Child Definition

The bill defines a child as an individual under 18 or a lower age stipulated by the Central Government. Certain organisations managing children’s data may be exempted from parental consent if secure data processing practices are demonstrated. 

Cross-Border Data Flows Relaxation

The DPDP bill introduces a flexible approach to cross-border data flows, transitioning from whitelisting to blacklisting. By default, global data transfers are permissible, except for jurisdictions on a defined negative roster. 

Other Legislative Measures

In addition to the DPDP bill, India is set to implement other key legislative measures:

Digital India Bill

Designed to modernise regulations, the Digital India Bill replaces the existing Information Technology Act of 2000. This bill aligns regulations with the contemporary digital milieu, fostering a conducive environment for digital growth.

The Indian Telecommunication Bill, 2022

Addressing the evolving needs of the telecommunications sector, this bill aligns the regulatory framework with technological advancements, ensuring streamlined operations and enhanced connectivity.

Non-Personal Data Governance Policy

Recognizing the multifaceted data environment, a dedicated policy for non-personal data governance has been formulated. This policy sets guidelines for equitable utilisation of non-personal data, promoting responsible data handling.

Global Data Governance Trends

European Union and GDPR

The General Data Protection Regulation  of the European Union establishes comprehensive regulations for personal data processing, preserving privacy rights. GDPR’s impact extends beyond the EU, influencing global data protection systems.

United States: A Fragmented Approach

In contrast to the EU’s unified GDPR, the US approach to privacy rights lacks a consolidated structure. Data usage and protection are governed by industry-specific rules and legislation such as the Privacy Act and the Electronic Communications Privacy Act.

Data Governance Approaches in China and India: A Comparative Analysis

China’s Data Governance Landscape

China emphasises data protection through legislations:

• Personal Information Protection Law 
• Data Security Law These laws fortify China’s data governance framework, safeguarding personal and corporate data.

India’s Data Governance Initiatives

India’s legislative measures include:

• Guidelines and Code for Information Technology Intermediaries and Digital Media Ethics (2021)
• Digital India Act, 2023 These initiatives enhance accountability on digital platforms and pave the way for a modernised regulatory framework.

Comparative Outlook

China and India’s data governance approaches differ:

• China focuses on personal and corporate data protection, curbing cross-border data transfers.
• India concentrates on intermediary guidelines, digital media ethics, and the forthcoming Digital India Act. Both nations adapt regulations to address digital challenges, ensuring data security and responsible handling.

Summary

India’s recent developments in data governance signify its dedication to adapting regulations to the digital era. The DPDP bill’s amendments and legislative measures reflect global trends, illustrating India’s commitment to data protection and privacy rights.