
Writ[e] & Talk | Ep 4 | Assessing the Regulatory Burden for Informational Privacy in India


Listen to the episode here: Spotify | YouTube


Host: Ms. Sayantani Bagchi

Speaker: Mr. Lalit Panda


Transcript


Ms. Sayantani Bagchi: A warm welcome to all of you to the fourth podcast of Writ[e] & Talk. Today, we are delighted to have with us Mr. Lalit Panda, a senior resident fellow at the Vidhi Centre for Legal Policy. Today, we will discuss his paper, “The Weight of Secrets: Assessing the Regulatory Body for Informational Privacy in India”. I extend a hearty welcome to you Mr. Lalit.


Mr. Lalit Panda: Thank you Ms. Bagchi, I am very happy to be here!


Ms. Sayantani Bagchi: Alright, so just to give you all a brief context of the topic that we shall take up today. So in today’s world, informational technology has deeply impacted our lives in a variety of ways and hence, it cannot be allowed to remain unregulated. However, considering the growing complexities revolving around digital governance and the handling of data, it has become all the more difficult to efficiently design a regulatory framework designed to protect data. This paper that we shall discuss today touches upon the proposals of the Sri Krishna Committee, while drawing on the experiences of other jurisdictions. It also justifies the idea of a unified, cross sectoral data protection regulator with a broad mandate and eventually, examines the limits of sectoral regulation and clarifies the significance of outlook for models, such as co-regulation and responsive regulation, as well as the role of the much-wanted principle of accountability.


So, without further ado, I would lift my first question. So, Mr. Lalit, in your article, you have mentioned that schemes for data protection cannot be ex ante in nature, such as licensing and permission, because it would eventually result in the throttling of the culture of innovation in the tech industry. So, could you please elaborate on the problems posed by such ex ante regulatory schemes and alternative solutions which can be adopted by the agencies for adequate regulation of information and technology?


Mr. Lalit Panda: I would lay out a little bit on what exactly regulation is about. This particular statement that you quoted from the article, it features as sort of a broader background about what we should keep in mind about regulation in India, generally and the specific problem about regulation of information technology before getting into questions about data protection regulation specifically. So, in drawing out this general background what I was trying to do, and especially when pointing out this aspect of ex ante regulation, was to point out that there are certain general issues about regulations in India, as well as regulation of information technology that are relevant if we want to understand data protection regulation. If we come to ex ante regulation specifically, we need to understand what kind of ex ante regulation we’re talking about.


Ex ante regulation means, generally, any kind of regulation or any kind of regulatory action that someone takes or data regulator takes before any illegality has taken place or before, you know, any actual harm has occurred yet. So it is in a sense, you can think of it as a precautionary, without any occurrence of default of the law, those kinds of regulatory actions would be ex-ante. But, specifically, the kind of ex ante regulation that raises many concerns for us is the form of ex ante regulation that comes in the form of licensing and permission. What this means is that before taking certain significant business actions, there might be a requirement under law that the government has to write an approval or it has to license any such activities. Whenever you give the government such power to give permission before any activity takes place, it has to be considered very carefully about what the consequences of this decision are.


Number one, if the kinds of actions for which you are requiring government permission are very large in number, that there is a huge volume of them, for example, you want permission for certain kinds of transactions then there will be a lot of such transactions, the problem that comes up is that you need state capacity, you need government personnel with adequate skills and knowledge who will be able to apply their mind to these transactions to provide the permission. India has had a long history of low state capacity, which means that, in turn, for the skills and expertise of our government personnel, as well as in their sheer number, in terms of their government personnel ratio to the number of citizens, India has performed poorly, which means that we don’t have capacity. So, if you keep that in mind, then you would suggest that yes, perhaps, ex ante regulation, in the form of permission and licensing especially, is bad for India.


Secondly, the other problem that you have in the system of licensing is the kind that is created by the government officer who has to license your activities. This government officer now gets the discretion somewhat, to not just approve or reject your license or your permission on the basis of some lawful or legitimate reason, but also because of some extraneous reason. This could be pure favouritism for your competitor or it could be outright corruption or some form of discrimination. All of these things would be you know extraneous reasons why licensing could be used by a government officer in an illicit way.


So, both of these concerns, you’ll realise, individuals who lived in India in the period pre-liberalization in the early 1990’s, they had to deal with these forms of industries and sectors, whether it be opening some kind of factory, engaging in manufacturing of certain products, employing certain kinds of people etc. For all of these things, business persons had to get permission before they could even start doing them. So, when somebody makes a form of business plan, when somebody has to meet competition in a particular way by moving fast or innovating or doing some action that responds to the market situation, all of those immediate responses would be shackled by this possibility that you have to wait for the government to approve what you are doing and imagine that all of these things, all of these problems that limit the business activity when it comes to ex-ante regulation like licensing, these are multiplied manifold when it comes to information technology. Why? When it comes to state capacity, already you can see that information technology issues give rise to a vast volume of informational flows. There is high speed informational flow, innovation and change in technology and there is just a lot of volume of transactions that are taking place that need to be regulated.


So, on that ground you would need a lot of state capacity to deal with permissions and licensing and such kind of activities. Now, for a second, even if we do consider that there is such state capacity available the fact remains that requiring permission will slow down various activity and to answer your question it does have an impact on innovation. This is relevant for us when we think about regulation of technology because regulation of information technology has greatly transformed, has vastly transformed in the last few decades and arguably it has transformed our lives for the better because we have pretty, we have welcomed it with open arms. A large number of changes that we see in our lives, the way that we interact with each other, in the way we obtain knowledge, in the way we entertain ourselves, in the way, we conduct our everyday activities are now undergirded by information technology, the way we used it and this is fruit directly of innovation in the technology industry.


So, not only is it very helpful for us, but it has been very fruitful for us to allow this innovation to take place and not be trifled but also so far as India is concerned, this innovation is now also characterising global competition in the technology industry. So, any change when it comes to the pace on innovation would be difficult for any one country to do on its own without suffering economically or in terms of competition and this is a relevant factor to keep in mind when trying to design regulation. So, I hope this makes it clear somewhat as to why ex ante regulation like licensing, is a problem.


Generally speaking, it is not to say that you can’t have ex ante regulation in data protection at all. You can have areas in which you have it, you have it in the regulation of tender setting and approval of data protection officers who are professional, who engage in and internally regulate various bodies that are using data, personal data. We also need ex ante regulations when it comes to risky activities, like certain kinds of emerging technologies or cross border data flows. Various data protection laws have ex ante regulation in the form of approving your group schemes or your standard contract on the basis of which the cross-border data flows are taking place. So, yes, you have some narrow areas where ex ante regulation would still be taking some role but the bulk of the regulatory approach for data protection is nonetheless ex post. There might be some oversight and monitoring, consider that also ex ante, but the bulk of the regulatory response is in the form of ex post responses and that form of regulation.


So, to sum it up, essentially “unclear”. But there might be some cases where ex ante regulations might be useful and mostly it should still be ex post.


Ms. Sayantani Bagchi: Alright, we move on to the next question. This responsive regulation model that you have proposed in this article, faces the primary challenge of being inherently reactive, so this means that the action is taken only after a problem or violation has occurred. Now, this might lead to a situation where individuals and businesses are not incentivised to proactively address the data privacy concerns, as they may only face consequences after a violation has occurred. So, do you think that this is a valid concern and if so, how do you propose to address the same?


Mr. Lalit Panda: That’s actually a very well noted issue and let me just unpack that a little bit. First, let’s be clear about what we mean when we talk about responsive regulations. It is this principle that is developed to explain a particular way in which enforcement tool is being used by the regulator. What do we mean by enforcement tool? We mean all the forms of regulatory actions that ensure that legal rules are actually complied with. There is no violation taking place. All of these enforcement rules they could be outright enforcement rules and in the criminal prosecution, there could be much lighter forms of enforcement rules like naming and shaming companies with public reports or there could be just requiring them to provide information to you. All of these things are various ways where the regulator can nudge the regulated entity into complying with a legal provision.


Now, what responsive regulation does is that it says how you apply and what kind of enforcement tool you apply and what level of intervention you have with a regulated entity, the scale of that intervention, the punitive effect of that intervention, all of that should depend on the nature of the conduct of the defaulter, which means that if it is a one-time default, inner workings default, then you can have a lighter approach to it, but if there is a more serious default, then, you can escalate on a sliding scale or in a pyramid, you have a range of enforcement tools, you choose the more serious enforcement tool as the gravity of the default increases. This clarifies that this form of thinking about how you should respond to illegality or default or harmful behaviour by regulator activity, this clearly seems to have a link with how we think about proportionality of penalties for example.


You know a stricter punishment or a reverse offence and you have a lighter punishment for a less light[er] offence, but the way you need to think about this, when it comes to regulation, is that you think about it over multiple defaults, so you can escalate and deescalate your responses according to the change in the behaviour of the regulatory entity over time. Which means, if it responds to what you’re doing you change your behaviour and you can lighten the response and if it does not respond to what you’re doing then you can easily change. This kind of fairness, proportionality and consistency that this brings to regulation- that is one of the most [important] benefits that it is supposed to provide, it is supposed to be a little more predictable, credible sanctions, so that regulated entity can tell that I have already committed this default once, if I submit it again, I will get a harsher punishment and I can be sure of it.


These are general principles that regulation is supposed to provide for. Why it is especially useful in the Indian context, is that it allows for prioritisation and for allocation of regulatory resources. As I mentioned already, we do have a problem of capacity and the facts can remain that data protection, particularly, is a complex field with a lot of contextual questions involved, opacity of transaction and data flows taking place, it is very difficult to actually go out of your way to investigate and check in on all areas. So, you need some methods by which you save up on your regulatory resources and apply it where it is really needed more. That is what responsive regulation is supposed to do.


That said, this criticism that you’re referring to, that it is mainly reactive and does not actually go out of its way from preventing something from happening. This is correct, so, this is a problem because if I mentioned there is a lot of opacity in the way in which personal data is used, and because of this you can’t just be reacting to things when the default takes place, you need to proactively go out of the way and find out where the illegality or harmful activity may be taking place in the future, you need to engage in information gathering and research into these cutting-edge fields of technology before the actual harm takes place and so you can take precautionary steps, such as injunctions or directions, to prevent certain actions from taking place that might be harmful. That said, even though we accept criticism and forms of regulation exists, it doesn’t remove the significance of responses to guide regulators in the use of enforcement tools and responses to default or harm. This idea of sliding scale or hierarchy, that you must respond in a way that takes account of conduct and doesn’t treat existing conduct of entity as irrelevant but accounts for it. This is applicable even if we are separately engaged in monitoring and oversight. So, you can be doing proactive and reactive forms of regulation at the same time. While what you’re saying is correct, responsive regulation on its own is only reactive, but that doesn’t mean that we stop using responsive regulations, instead can supplement it with other proactive steps.


Ms. Sayantani Bagchi: Alright, we move on to the next question. So, Mr. Lalit, in your question, you have suggested a co-regulatory model where private and public agencies work in tandem. Now, this model would entail state regulation, including the approval and oversight of non-state actors, as well. So, the question I would like to ask you is that- what would the division of powers be in this model and to what extent would private players be allowed to engage in this process? Moreover, what do you think would be the impact of a rights-based model of data protection and regulation, if non-state actors are engaged in this particular process?


Mr. Lalit Panda: Alright, so I guess you have asked me two questions and before I can get into them, let me lay out how co-regulatory model actually matches up with others. I think the form of regulation that we are most familiar with is what is called command and control form of regulation. In this form of regulation, the regulator would say what to do, it has to decide the “unclear” and has to engage in “xyz”, formulate the rule etc. So, an internal process of deliberation may not involve the regulated entity at all and in the enforcement of these rules, it does not, in any way, use the assistance of the regulated entity, so that is what we understand normally that the government is regulating a regulated entity and on the other hand we have a self-regulatory model where the regulated entity. For example, the most famous form of self-regulation is journalism where they have standards for themselves and they have internal networks to ensure that, it takes place within a profession which is regulating itself, we understand these are two opposite poles of regulatory models.


Co-regulatory models are fusions of these, you ask me how exactly we are supposed to divide this cooperation between public and private entity that are engaging in co regulatory model. At what stage does the government stop doing something and involved in the regulation itself, to understand where that division takes place, it would be good to go through some of the forms of co-regulatory tools that exists. So, I guess a good example would be from certain good examples would come from data protection itself. For instance, there is the most famous form of co-regulatory tool called a code of practice. Now, a code of practice is basically a form of more detailed rules, you could say that they’re not rules in the sense that if you do not comply with the rules you suffer from a penalty. Instead, these codes of practice are specific rules that are created that act as safe harbour.


What is this supposed to do? Let’s take an example. Let’s say this is about data storage. Now, data storage rules in the actual statute, the general statute, they often say something like this that data storage should be for such a period, for only such period as is necessary for the object, for the purpose specified for that particular processing activity. So, you only store the data for as long as is necessary for your purpose of processing.


Now that sounds very vague. What does this mean? How much is necessary? And the problem is how much is necessary changes from sector to sector and changes from context to context. And for these specific contexts you need to create these codes of practices where what does the code of practice do?


The code of practice essentially serves as a rule that if you comply with the code of practice this serves as evidence that you have complied with the law. It’s not automatically the case that you have been found to comply with the law. You might still be found to be having committed an illegality but it is evidence of the fact that you might have complied with the law. So, prima facie, if you comply with the code of practice, you can be said to be safe but some further evidence might come out to suggest that you are actually in violation of the law. That might be the case. So, the way this is regulatory tool is that these codes of practice are actually developed in cooperative. Which means that while industry players might provide inputs to the government or the regulator or they might actually even draft the code of practice themselves on the basis of their expertise and their knowledge about how the specific activity is taking place in this sector. The final approval of that code is done by the government after vetting. And the government can decide to reject it or it can decide to change it up. But it is made in cooperation with each other.


It’s somewhat like saying that regulations are being drafted in cooperation with the regulated entity. So that’s what do except that it’s not an absolute regulation, it is just only an evidentiary safe harbour. That’s one example for co-regulatory tool. There are many others. For example, even a complaints redressal model that you have inside an organization, if there is a complaints redressal model inside, let’s say, Google, and you say that I’m complaining to Google about the fact that Google has violated its own privacy policy, then in a way, privacy is being enforced by the regulated entity itself when it is dealing with your complaints. To the extent that these complaints address models are mandated by law, this is how the government is requiring the private entity to support it in doing the regulation. So that’s another one.


There are various other forms of co-regulatory tools. Professionals are created like data protection officers. These are officers who are employed by the regulated entity, the data fiduciary, or the data controller as it is called in EU. They employ these people and these people are made responsible, the data protection officers are made responsible for the compliance of that company with the data protection laws, generally speaking. So here you have an officer, a private officer, who has been mandated with the duty of enforcing in a way or complying with the law.


So, all of these tools are ways in which the law is trying to shift some of the burden of ensuring that data protection is adequately from the regulator to the regulated entity or to certain players in the regulated entity system, in the system that is being regulated. So, there could be even professionals who are outside of the regulator entity itself. For example, there could be external data auditors. You have these auditors who come to audit your finance, financial documents and stuff like that. Similarly, you can have external data auditors who come in to audit your data protection practices. And these are systems by which you can ensure that even though there is a huge and heavy burden that is placed on a data protection regulator, there are people in the private sector who are assisting it and who are helping it along the way.


Now, so far as this system where you take the assistance of private actors, non-state actors, in implementing data protection, insofar as this system is taking place within data protection, you are correct to raise the question that how does this affect the fact that data protection is a rights-based field? The data protection is a right in itself, and it is supposed to involve the right to informational privacy. How is that being safeguarded adequately if non state actors are actually responsible for enforcing it? I think that in principle per se, there is nothing to suggest that non state actors, private actors, cannot under law, be made responsible for the protection of rights. It’s not something that on its own seems wrong. What’s important is to make sure that the right isn't lost or the right isn’t violated, or there is inadequate protection of the right because these regulated entities are biased in favour of themselves. And how does that happen? That happens as long as you ensure that there is adequate oversight over these regulated entities so that if they are not engaging in their co-regulator step in.


There has to be a system of appeals such that if any user or any citizen is not happy with how the co-regulatory activity is taking place, for example, in your internal redressal complaints, redressal mechanism, that has not happened very well. You should just be able to appeal from it to the regulator that right must be available. And lastly, a co-regulatory activity, especially such as activities like creating codes of practices, they will only be successful if you ensure that there is transparency in the system by which those codes of practices are created.


So, yes, there are some risks with co-regulation, but there are safeguards that can be put in place to ensure that these risks are counteracted. And what's important is that we gauge or we at least measure appropriately how far these co-regulatory tools are necessary. Because of the vastness of the burden of data protection as a regulatory field, there's just a lot of work that a data protection regulator will have to do because of how many things and how many ways data, personal data is used. And that is why this sort of a thing might become necessary.


Ms. Sayantani Bagchi: So, the next question is about the application of the solutions that you have proposed in this paper. So, the regulatory environment for data privacy in India is complex with multiple overlapping regulations and guidelines and there is a lack of clarity around the scope and application of the right to privacy in the digital age. Now, this creates a lot of uncertainty around the legality of certain data processing activities. Additionally, the regulatory framework for data privacy in India is still evolving which can make it difficult for individuals and businesses to understand their rights and obligations. So, in this context, do you think that these issues could be a challenge in applying the solutions you have proposed in this paper and how do you think the data privacy regime can be improved in regard to the same?


Mr. Lalit Panda: Yes, the factors you are referring to, the fact that the actual scope of violation of data privacy and the inchoate nature of Indian data privacy regime right now, all of these are arguments in favour of adopting the principles I have proposed. One thing, this is something we did not really discuss, but I have actually pointed out in the, you actually pointed out when you described the subject-matter of the paper itself. The proposal is for unified cross-sectorial regulator. Now, given the fact that India’s data protection regime is not set up properly, what we have actually is various different sectorial regulators who are trying to do some data protection from the side. So, you see, you have some data protection happening from CRAI, there is some data protection happening from RBI, and many of these different sectorial regulators can come up with their own rules regarding privacy.


But this is a main point I am trying to point out. Sectorial data protection is not the way to go when it comes to data protection. Not only is data protection a fundamental right, in the sense it requires some baseline for everyone to follow but if you have sectorial regulators, you do not account for two very important phenomena. One, that data flows across sectors, from one sector to another and there are even companies that are cross-sectorial because they have horizontal width across different industry, so, all of this cannot be accounted for by one particular regulator for one particular sector. They have to make sure that data that is going out of one sector and that is going elsewhere, is not causing harm, and, even if you have a number of sectorial regulators, there will still be a number of sectors where there is no regulator at all. What is going to happen to data protection in those particular areas?


So, this is one very simple example of how the existing situation in India actually would provide an argument in favour of this regulatory design I am referring to. And in so far, as the other principles are suggested, such as co-regulation, responsive regulation, you will find that both of them, are actually very [very], particularly useful when we are dealing with a field of law, conceptually having more ambiguities and a field of law that is not yet developed to the maturity that it has clear allocation of rights and duties. How is that so? For example, a core regulatory scheme, the example I had mentioned earlier, the code and the practice using and such tools, what they do, is they take the general principle of the statute which many might consider to be ambiguous and vague and they try to give them specific content through a co-operative system, a networked form of regulation, with the regulated entity and it is difficult to arrive at these crystallised forms of rules applicable in each sector without a good understanding from the players of my sector itself as to how it should be operating.


Co-regulation is very much useful in a situation of regulatory uncertainty and responsive regulation is equally a solution to that regulatory uncertainty or compliance uncertainty, because as I mentioned, responsive regulation requires you to deal with first time offence, first time default, inadvertent default, default that do not seem to have the marquee of something that is, was intentionally meant to cause harm. You can deal with that with a lighter touch and then you can escalate the enforcement tool gravity according to the gravity of the default that is taking place. So, these principles that I am referring to in the paper are actually quite useful when we deal with a situation when the field of law and stage of development of law create uncertainty regarding rights and duties.


Ms. Sayantani Bagchi: So, in the paper, you have highlighted the lessons that India can adopt from the success of other jurisdictions when it comes to the implementation of their data privacy laws. Now, I am curious to know if there is any specific way in which the failures of the other countries can also guide us in the particular respect?


Mr. Lalit Panda: In a way, that is actually a difficult question to answer, because people who view data protection laws and data protection regulation today- they actually come from various and very different and divergent points of view about how it should be like right now. So, even if I say, or even if somebody says, that a particular country is failing in its data protection regulation in some way or the other, there is somebody else who does seem to have the view that they are not failing, and that they are actually doing the right thing. And you’ll see this, perhaps, in the most stark [starkest] sense, in the binary that is supposedly existent between [the] EU and [the] US. So, the US has largely taken on a form of sectoral ‘light touch regulation’ that is largely self-regulatory, almost. Whereas, the EU has taken on a form of regulation which rests on the idea of a unified data protection regulator for each country, and it does not at all engage in any form of self-regulation. It is mostly a command and control [mechanism] with some core regulatory features that is involved in that [the same].


But there are people who say, that the US might be failing when it comes to the protection of the slow erosion of informational privacy in that [the] country, while it is succeeding very well when it comes to Information Technology innovation, and there are those who argue that the EU is taking the forefront when it comes to the protection of rights, but it is actually hampering innovation and the growth of the industry- the technology industry in each respective state. So, in this sense, it’s very difficult to say what’s going on. But one thing that has to be noted is that, insofar as the data protection laws that are being adopted in other countries [is concerned], slowly, there is a trend that does seem to adopt the EU model or EU adjacent/inspired model in various countries, while the US- it seems to be increasingly left behind as an outlier, as if all alone as one of the countries that does not seem to be doing a similar form of regulation.


Though there have been causes inside the US since a long time, they’ve not managed to create a proper, unified data protection law for their country. Some [are present] in California and some other specific sectoral laws [are there], but otherwise, it doesn’t have the same teeth and the strength as it does in the EU. So yes, there is something to learn from the US in this respect. The failure of the US to bring in a strong data protection law, I would think, is a decided failure, because they are taking advantage of the fact that other countries are bringing data protection laws to allow for their own economic advantage in the field of Information Technology. Perhaps, if they brought in data protection laws, some other country would, you know, take advantage of that, and say that we will have looser data protection laws. So, why don’t all the tech companies come and work out of [in] our country.


Now, this seems to suggest that any country that actually fails to create adequate data protection laws is contributing to a global reduction in the standards of informational privacy. And I think, that’s the kind of failure that we should focus on. [it’s] Something that we should not be engaging in. A pragmatic view would be that we should wait for a global consensus to develop before jumping in all the way like the EU has, but arriving at the consensus requires us to sacrifice a little bit, and push in that direction, or at least appear to be interested in creating that kind of a world where the rights that we have to our own personal data matter. So, that’s the kind of failure that I think I was pointing out.


Well, the way in which emerging technologies are actually affecting informational privacy is not unique in any way in India. It’s happening in a very similar manner all across the world, but at different paces, because it might not be as deeply penetrating all our technological uses right now. But I can give you a conceptual view about what’s happening with these emerging technologies in the sense of two core principles that data protection seems to envisage. One is called as ‘Purpose Specification’. This is a substantive data protection principle which suggests that if we want to reduce the amount of harm that might be caused by people using your data, we can reduce how much data somebody is taking from you, and we can require by law that if somebody is taking some data from you, they should only use it for the use/purpose that they specified.


So, this purpose specification is that [what] is required to limit both the amount of collection of data, and what the data is used for. That [this] Purpose Specification runs counter to some of these emergent technologies and the way they work. Artificial Intelligence and big data often operate in a way that [in which] the purpose of the usage of the data isn’t fixed from beforehand, that [which] means that for various kinds of big data analysis in which different forms of data protect vast datasets, are brought together, aggregated and collections are found- those connections between different forms of personal data are not found by specifying the purpose beforehand. They allow room for accident, and for organic growth of that discovery. That’s one of the underlying reasons is [why] big data is successful. Similarly, Artificial Intelligence may have a range of algorithms that are constraining it. But these algorithms are having [have] so many variables and so many different specific rules that are embedded in it [them], that it is not any one purpose; the Artificial Intelligence verges on a mind that has multiple purposes and objectives in its mind. So, there’s no Purpose Specification in either of these areas.


Similarly, another principle of data protection that is on the [in] jeopardy, that is on the question of Data Sensitivity. So, Data Sensitivity is the idea that there are certain categories of data which are more sensitive, that [which] are more likely or more capable of causing a violation of your privacy than other categories of data. For example, your name may not be as sensitive as the fact that you have some health issue. Or, that you are of a particular political affiliation. These are sensitive categories of data that you may not want to disclose to everybody and anybody. They can cause harm to your dignity, your liberty in a political scenario. All of these questions are dealt with by data protection laws by saying that we should have some stricter rules in relation with sensitive personal data. Now, people are suggesting that in the age of big data and inferring from the data out of other categories of data- from a certain data out of other categories of data, actually, you can infer all kinds of data out of some similar/adjacent category of data. One example for instance, is how you can infer what religion somebody is from, by checking their dietary preferences. So, Zomato might have an idea about what your religion might be. Maybe. It will be able to tell in case of certain instances.


So, people are arguing then, that we should not use Data Sensitivity, we should instead be referring to the kind of use the data is being put to. Zomato doesn’t want to know, and its purpose of asking for your dietary data is not to get to know your religion or do anything about your religion. It just wants to send you what food it wants to send you. So, the argument coming then is that the old principles like Purpose Specification and Data Sensitivity- these principles should be left behind and we should move to a model of data protection which [that] is actually dealing only with harm instead of sensitivity and purpose. That’s the way in which these emerging technologies, I think, are having [creating] an effect on data protection laws.


Alright, so the question seems to assume that there is something about co-regulation that is in conflict with responsive regulation. That’s why we need some balancing between the two. But, I think, I have also tried to point this out in the paper that I don’t think that there is anything incompatible about those two forms of regulations, which means that you can very much have a form of responsive regulation that has co-regulatory features in it. So, I don’t think there is something that we have to do, specifically, to get these two models to be balanced with each other. Perhaps, there are aspects of responsive regulations that require these regulators to take action against defaulting entities and adequately proportionate responsive regulatory action may be hampered, if co-regulation comes in the way and does not permit it from happening. I think I had mentioned this when we were talking about co-regulations, i.e., whenever some co-regulatory tool, such as internal complaints redressal or data protection officer or one of these co-regulatory aspects, is not operating properly, there is nothing stopping the regulator from intervening and taking action against the regulating entity that is failing in its duty. That response of a regulator or that enforcement action, can very much be along the lines of the principle of responsive regulation and that can co-exist with co-regulation, at the same time. So, I don’t see much work that we have to do to get them to balance.


Ms. Sayantani Bagchi: Alright, so I think with regard to the paper, here, we will end the questions that we had. Mr. Lalit, would you mind if we have a couple of more questions for you?


Mr. Lalit Panda: Yes, no worries, for sure!


Ms. Sayantani Bagchi: So, the first question that I have is that we have seen in the Information and Technology jurisprudence, it is pretty much upcoming and has evolved to a great extent and there are many law students and young lawyers, academicians, who are taking an active interest in this particular area. So, what are the further readings that you would suggest for this particular area of law?


Mr. Lalit Panda: I guess the problem that I have, at least, faced when I was looking at data protection, as a subject matter, is that we don’t have or I have not been able to find, at least, so far, or I have not had to deal with it for some period recently and hence, have not looked at any recent publication. But, there is no one consolidated book or something like that, which gives you a good idea about the legal aspects of data protection. So, I have actually been picking up about data protection, mostly from journal articles and many of these journal articles are quite comprehensive about the subjects that they pick up. Those journal articles have been very useful. But, before we talk about the authors who probably give these articles, there is one source that you can rely on is the broader literature that has developed on GDPR.


There are some books that I have not read, myself, but there are various policy documents, including the papers that are released by the Article 29 Working Parties, to provide guidance on data protection law to the various member states of the EU. The Article 29 Working Party has various small and accessible papers that explain different aspects of data protection, like verification or consent and all these different aspects. They have released little papers on these different small subjects and those papers are quite authoritative about what those topics are about and how one should think about those topics. So, that gives a great view about European Law on the subject.


At the same time, one book that I can think of, which is pretty useful, is by this author called Graham Greenleaf, who is from an Australian University and he has written by compiling his analysis of various Asian data privacy laws. So, the book is called “Asian Data Privacy Laws” and it compiles them, where each chapter is a study of a different country in Asia and the data protection laws that the country has set up. That actually gives a snapshot of the things that might end up in India, because after the latest bill in 2022, it seems India is moving towards a model which is not exactly the European model, but which is closer to these Asian models of data protection. So, it will be good to actually study what these Asian countries have been doing in their data protection laws and how somebody has studied and what they have commented about it- I think that is a good book, as well. Otherwise, I think the journal articles of Daniel Solove, right from the basics of what privacy means, to specific questions of data sensitivity and consent, especially, have been explained and is very insightful and very helpful.


Ms. Sayantani Bagchi: Thank you so much, Mr. Lalit. So, coming to the last question, which I’m sure all listeners would be very interested in. As and when we have read the paper, we felt the structure of the article is extremely commendable and specifically, when we look at the inter-governmental comparative analysis being integrated throughout the text, instead of a particular section being dedicated to it, I have a specific query- from where did you draw the incentive to write something of this sort and specifically, is there any advice or any tips for those students who intend to write in this particular direction?


Mr. Lalit Panda: Thank you so much, it is very kind of you to say so! I guess one thing that you have picked up is a good aspect of the paper, maybe. It has been four years since I wrote this paper and when I re-read, I realized that maybe I would not have written it in the exact same way, for instance, I think one of the things that I now value in a good researched article, is one that puts front and centre, right at the beginning, what the importance of that topic [is] and what the immediate stakes are, in a way, that actually pulls in the readers, right from the outset, and I am not sure if I did that very well in this article, but that is something that anybody who is writing a paper should really look out to make it clear.


Writing a paper is a big investment, in the sense, if you spend a lot of time on that subject, you end up writing and re-writing and editing and citing, having to go back to your sources to check your citations and it can be very taxing. So, what one really wants in their paper is for it to not just lie around, but it is actually read by somebody, which makes me very grateful that somebody has actually picked up and located it. What I am trying to say is, if one wants it, one has to take a little effort in trying to make the paper accessible and trying to give the reader a promise, right at the beginning, that you are going to tell them something that they will find useful and if you give that promise in the beginning that, “[hey], this is the paper that is going to tell you something that you need to know”, then that is a good thing to keep in mind.


As per the actual structure of the paper, the rest of the paper itself, the way in which one has to go about that varies from subject to subject. It is difficult to offer any one kind of structure or a rule about how one should do it. For example, I could sequence the different topics in the paper in a different way. But when sequencing it in a particular way, you have to think about how it is building up, you should think about whether you should put the important subject first or put the less important subject in the beginning that builds up to the most important subject later, because logically that might be necessary before they understand a more important topic. These sorts of things can not only be a question of logic, but also about rhythm and style, and about what effect you want to have on your reader when they read that paper. It is just about how good argumentation works, I guess, that you have to pay attention to, like how this form of sequencing, how you style sentences, that has an effect on what the readers feel. I’m sorry, otherwise, I don’t have any other very helpful tip.


Ms. Sayantani Bagchi: Alright, thank you so much, Mr. Lalit, for those insightful words and I’m sure, all our listeners have enjoyed the conversation we had today. We are looking forward to hosting you on our campus, someday. Lots of good wishes to you! With this, we come to an end of the session.


Mr. Lalit Panda: Thank you so much, I am honoured to have been part of this.


Ms. Sayantani Bagchi: Thank you!










