India’s digital strategy: Regulations and Infrastructure

Pre-Digital India Regulation

  • Regulatory Vacuum in the 1990s
  • Information Technology Act, 2000
  • Safe Harbor for Intermediaries in 2010
  • Rudimentary data security and privacy protections in 2011
  • Archaic provisions on ‘hacking’ etc.

Pre-Digital India

  • NeGP under the Congress led UPA Government in 2006
  • Inception of the Aadhaar project in 2009
  • Digitization of government collected citizen data and provision of e-governance schemes
  • Booming software industry
  • Economic alternative for data processing

Digital India

  • Broadband Highways
  • Universal Access to Phones
  • Public Internet Access Programme
  • e-Governance
  • e-Kranti
  • Electronics Manufacturing
  • IT for Jobs
  • Information for All
  • Early Harvest Programme

Aadhaar

  • 12 digit unique government issued ID number
  • Tied to biometric data which includes iris scan from both eyes and multipoint data from fingerprint pattern 
  • Purpose - subsequent use for delivery of welfare government services in an efficient and transparent manner, along with using it as a tool to monitor government schemes.
  • UID is a crucial part of the vision for the Digital India programme

Understanding the Data Matrix

Aadhaar’s Data Matrix

‘Cradle to grave’ identity

India Stack

Health Stack

Health Stack

  • Digital India and e-governance
  • Proliferation of data-driven business models 
  • Emerging centrality of data to India's geopolitical ambitions
  • Data sovereignty/Data colonialism/Data Localisation

Digital policymaking

India’s new privacy law

  • Territorial Scope
    • Territorial limits
    • Rules on localization to come
  • Subject Matter
    • Digital Personal Data only
    • Fiduciaries

Scope

  • Data fiduciaries
    • Who is a data fiduciary
    • Who is a significant fiduciary

Scope

 

  • Broad category of deemed consent
    • Voluntary provision of data
    • Functions of state
    • Only procedural safeguards
    • Public Interest - fraud prevention, network security
    • Fair and reasonable purposes
  • Legitimate Interest and performance of contract removed as grounds for processing

Scope

  • Local storage and localization requirements removed
  • Conceptualices a scheme with a white list of jurisdictions
  • Factors for white-listing are at the government’s discretion
  • No distinction made between personal data, sensitive personal data and critical personal data
  • Parallels between ‘white-listing’ and ‘adequacy’ in GDPR
  • No parallel provisions on standard contractual clauses and certifications

Cross-border data transfers

  • Obligations of fiduciaries
    • Understanding Scope
    • Governance measures
    • Redressal and notifications
    • Personnel obligations - DPO based in India
    • Data Rights and their obligations
    • Data Transfers

Compliance

  • SDFs to be notified
    • Volume and sensitivity of data
    • Risk of harm to data principal
    • Risk to democratic processes
    • Risks to sovereignty
  • Additional obligations of SDFs
    • Appointment of independent data auditors
    • Data Impact assessments
  • Social media platforms no longer automatically designated as SDF

Significant Data Fiduciaries

  • No DPA
  • Data Protection Board
  • DPB is an entirely executive body with rule-making, adjudicators and enforcement functions
  • Regulatory strategies needed in India
  • Regulatory clarity and a system of supports and sanctions
  • Certain obligations such as data impact assessments have been removed

Regulatory Structure

AI in India

AI Policy Landscape

  • Privacy and Security of data
    • Digital Personal Data Protection Act
    • MCI Code on Professional ethics
    • Electronic Health Records Standards, 2016
    • Draft Digital Information Security of Healthcare Act (DISHA)

 AI Policy Landscape

  • Regulation of AI related products
    • Medical Devices Rules, 2017
    • Design and Patents regulation

AI Policy Landscape

  • Access to data and standardisation
    • Electronic Health Records Standards, 2016
    • Open Data Policy
    • ISO 13485:2016

Challenges

  • Data

    • Access to data

    • Standardisation for collection

    • De-identification standards

    • Data security and privacy

Challenges

  • Negligence and Liability
    • Standard of care
    • Issues of liability
    • Relationship of agency

Challenges

  • Other challenges
    • Lack of dedicated Regulatory authority
    • Lack of appropriate certification mechanisms
    • Lack of sufficient investment
    • Information Asymmetries and Perceptions

Thank you