Rethinking personal data regulation in India

The Committee suggested a data policy blueprint for India, a country which 'can arguably be projected as being one of the top consumer markets, and by extension data markets in the world'.
In the privacy model, data collection and processing by the data fiduciary are carried out only after consent of the data principal. (Express Illustrations)

Shortly after the Personal Data Protection (PDP) Bill, 2019, was formulated by the Government of India, the Committee of Experts on Non-Personal Data Governance Framework submitted its report. The Committee suggested a data policy blueprint for India, a country which “can arguably be projected as being one of the top consumer markets, and by extension data markets in the world”.

The suggested regimes for personal and non-personal data regulation have adopted disparate models. To harmonise data regulation in India, there is a need for adopting a common overarching philosophy. Data regulation can broadly be classified into three categories—(i) privacy model, (ii) ownership model and (iii) the harm/accountability model.

The Supreme Court of India in Justice K S Puttaswamy (Retd) & Anr. v. Union of India (2017) adopted the ‘privacy model’ while declaring that the right to privacy includes personal data protection. In this model, a data market is not even conceptualised except in a very narrow sense as the overarching emphasis is on protecting the personal data of individuals. The Committee of Experts under the Chairmanship of Justice B N Srikrishna, which was constituted in pursuance of the Supreme Court’s instructions, also adopted the privacy model in its report. 

Privacy model: In the privacy model, data collection and processing by the data fiduciary are carried out only after consent of the data principal (unless in specific exceptions). Data is considered to be an extension of the private space of an individual and the individual’s autonomy. Purpose limitation, use limitation and data minimisation are also subject to the consent of the data principal. Thus, it takes a rights-based approach. The PDP Bill follows this model. The European Union also follows this model in its General Data Protection Regulation.

Drawbacks of consent-based model: However, as some recent studies have shown, consent as a ground for data processing may become largely inconsequential as data principals are incapable of providing informed consent, especially in India due to lack of data awareness. Also, repetitive and long forms cause consent fatigue. Therefore, there is significant validity in the argument that data fiduciaries should not be allowed to absolve themselves of all liability for their future actions solely on the ground of the uninformed consent that they had initially obtained. 

Further, in the emerging environment of big data and artificial intelligence, privacy principles of purpose limitation, use limitation and data minimisation appear operationally unimplementable. In fact, compliance with the privacy/consent model has caused heavy expenditure to private companies as well as the governments in European Union countries. The high compliance cost may be particularly harsh for small and medium entrepreneurs and stymie innovation and growth. 

Ownership model: In the ownership model, data is considered to be property or an asset, thus making it amenable to marketisation and development of a veritable data market. Under this model, personal data derived from an individual and its anonymised form (which is then christened as non-personal data) will belong to the individual; whereas if data is produced by a source that relates to assets and processes that are privately-owned, it will belong to the entity producing the data.

The data includes derived, observed and inferred data that results from private effort involving application of algorithms and proprietary knowledge. Data generated from public efforts, i.e. collected or generated by the governments, or by any instrumentality of the governments, is classified as public data. The ownership model is a combination of both the ‘data source’ logic and ‘data subject’ logic, as opposed to the privacy model where the ‘data subject’ model is adopted. The Non-Personal Data Committee report suggests adoption of this model.

While this model can lead to the growth of a vibrant data market, it may not be fit for personal data protection because granting of ownership rights to uninformed data principals may result in unintended harm to them due to the unpredictable nature of market forces. This is, however, the least-compliance-cost model from the perspective of data fiduciaries.

Accountability model: The third model for data protection law is the harm/accountability model, which requires that the data fiduciary will, notwithstanding the consent that it might have obtained from the data principal, continue to be liable for the harms caused to the latter as a consequence of its actions.

This model addresses the shortcomings of both the privacy and ownership models. On the one hand, it protects individuals from privacy harms irrespective of their uninformed consent. On the other hand, it also protects and acknowledges the proprietary knowledge and innovation put in by data fiduciaries to generate derived and inferred data. This again entails a high compliance cost for data fiduciaries, but it is the least transactional model, so the transaction cost is low.

Conclusion: Therefore, data regulation in India must be designed keeping in mind the ‘harm/accountability model’ to maintain a healthy balance between privacy rights of individuals and economic growth. This is critical to attain the objectives of the PDP Bill i.e. “to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.”

The current Bill in its present design has turned out to be a hybrid between the consent (privacy) framework and the harm model, with the result that it has created a heavy compliance cost regime for both old and new data fiduciaries. This cost would be even higher for data fiduciaries relying on legacy systems as there would be an added component of transition/migration costs. The non-personal data framework should also adopt the accountability framework so that the two become harmonious and integrated.

Amar Patnaik (amar_patnaik@yahoo.com)
Rajya Sabha MP and former CAG official with a PhD in management

Nikhil Pratap
A practising advocate

The New Indian Express
www.newindianexpress.com