The right to privacy, fundamental in the relationship between the state and its citizens, has taken on a new form and urgency, given the pervasiveness of digital technology.
The Supreme Court, in the 2017 Puttaswamy judgement, recognised this. Justice Rohinton F Nariman specifically detailed the right of individuals over their personal information, stating: “Informational privacy does not deal with a person’s body but a person’s mind, and therefore recognises that an individual may have control over the dissemination of material that is personal to him. Unauthorised use of such information leads to infringement of this right.”
Justice D Y Chandrachud also emphasised that the right to privacy is not an elitist construct. Survey data bears this out, with individuals across the regional, gender and socio-economic spectrum valuing the privacy of their data, as well as the ability to have control and agency over its use.
In recognition of these precepts, the Ministry of Electronics and Information Technology released the Digital Personal Data Protection Bill on November 16, terming individuals “digital citizens” in the explanatory note accompanying the Bill and “digital principals”, enshrining in them rights to privacy and of erasure (the right to be forgotten), and imposing obligations on “data fiduciaries” and “data processors”.
Although much is left to delegated legislation, the draft is an illustration of the need for the perfect to not be the enemy of the good. The Bill also introduces the concept of consent managers, who will facilitate the giving of consent by a data principal in an accessible, transparent and interoperable form.
While this terminology indicates the ownership and agency of the data with the data principal and the fiduciary holding the data in trust, the Bill could have possibly incorporated the concept of “data trusts” combined with consent manager architecture. This could have been a novel form of data governance that balanced both the concerns over data sovereignty and the economic potential of data.
Data trusts were listed by the MIT Technology Review as one of the 10 “Breakthrough technologies” for the year 2021. Trusts are entities in which people (trustees) with clearly enshrined duties and obligations look after an asset on behalf of people (beneficiaries) who own it. In a data trust, trustees would look after the data or data rights of groups of individuals and such individuals would also have the right to benefit from any monetisation of such data. Data trustees would have a legal duty to act in the interest of the beneficiaries. The concept of data trusts builds on the work of Elinor Ostrom, the first woman to win the Nobel Memorial prize in economics, who devised a mechanism for the governance of common-pool resources and public goods. Some of these principles can apply to data as well, particularly when it can be pooled into a trust.
In India, the Kris Gopalakrishnan Committee first recommended the use of data trusts for non-personal data (a concept not addressed in the Bill), and arguably, data trusts are a more powerful tool for personal data. As a governance mechanism, data trusts can steward, maintain and manage how data is used and shared — from who is allowed access to it, and under what terms, to who gets to define the terms, and how. They can involve a number of approaches to solving a range of problems, creating different structures to experiment with governance models and solutions in an agile way.
Data trusts combined with the concept of consent managers could vest data principals or citizens with the agency to give consent and for such consent to be managed with a simple and transparent mechanism for making data exchange visible and explicit in ways that benefit all parties — either through enhanced services or fee models.
The concept of “consent managers” was first put forward by the NITI Aayog in the Data Empowerment and Protection Architecture in the context of financial data in 2020. In that construct, consent managers logged and mapped how data can flow from data sources to data users in an authorised system, while being data blind — that is, unable to read, store or analyse the data. This will allow data principals to track, amend and control the consent they have provided over their data and the terms on which the consent was granted by consent managers.
The concept of a data fiduciary with ownership vesting in the data principal, with the ability to withdraw or change the terms of the consent, could also provide the basis for cross-border transfer of data — a concept the Bill recognises for the first time, moving away from data localisation requirements previously prescribed. The transfer of data on a cross-border basis has geo-political, geo-economic and national security implications.
While the Bill leaves to delegated legislation the specific countries to which data may be transferred, as well as the conditions on which this may be undertaken, two important principles are worthy of consideration. Indian citizens should remain data principals and transfer should always be subject to being treated in trust and on fiduciary principles.
Additionally, India’s G-20 Presidency is an opportunity to achieve harmonisation of principles on data governance, protection and transfer, which can also provide the basis for bilateral digital trade agreements, including some under the US CLOUD Act. The Bill should also incorporate regulatory governance best practices by ensuring the data regulator is autonomous and accountable. This is critical for domestic, as well as international, regulatory coordination. The G-20 Presidency is an opportunity to assume the leadership in international digital governance, and the next iteration of the Bill, following rigorous and open public consultation, could provide the foundation for this.
Shroff is managing partner at Cyril Amarchand Mangaldas, and Roy a partner at the law firm and a Chevening Gurukul fellow. Navya Alam and Aayushi Bindal provided research assistance for the article.