By Rahul Matthan, Manasa Venkataraman, and Ajay Patri
This policy advisory is a curated set of responses to the discussion paper issued by the Telecom Regulatory Authority of India, seeking comments and suggestions on the creation of data protection laws.
There is an urgent need to bring forth effective data protection norms in India. However, these norms must be introduced and regulated by the appropriate regulator. The questions posed by the Telecom Regulatory Authority of India (TRAI) in this Consultation Paper are pertinent, but some of them are beyond its remit.
To this end, while our comments to this consultation paper span the entire subject of data protection, it is respectfully submitted that TRAI take steps to effect norms for the stakeholders falling within its jurisdiction.
Without prejudice to the above, we are of the opinion that a rights based approach to data protection is the proper way forward. The law should extend certain basic data rights to every individual, as well as prescribe certain harms. Service providers collecting data (Data Controllers) for the purposes of providing their services should be liable if it is proven that their actions have caused harm to individuals by violating data rights. The law should also provide that data processes be audited periodically to rectify errors in processing. This framework shifts the burden of evaluating the privacy risk to personal data away from the data subject and onto the data controller. This will also ensure that data controllers are mindful of complying with data processing standards.