New Data Protection Law Must Not Limit Data Collection: Experts

New Data Protection Law Must Not Limit Data Collection: Experts is an IANS report published in Business Standard on 11 October 2017. The article covers a seminar organised by the Internet and Mobile Association of India (IAMAI) featuring Sunil Abraham, then Executive Director of the Centre for Internet and Society, alongside Kamlesh Bajaj of the Data Security Council of India, Google’s Chetan Krishnaswamy, and Rajya Sabha MP Rajeev Chandrasekhar, discussing India’s forthcoming data protection regime following the Supreme Court’s landmark privacy judgment.

Contents

  1. Article Details
  2. Full Text
  3. Context and Background
  4. External Link

Article Details

📰 Published in:
Business Standard
📅 Date:
11 October 2017
📄 Type:
News Report
📰 Article Link:
Read Online

Full Text

With India planning to roll out a new data protection regime following the landmark Supreme Court judgment upholding right to privacy as fundamental right, experts have cautioned that the new law should not limit collection and use of data.

"The new data protection law should have data-driven innovation at its core," said Kamlesh Bajaj, Founder-CEO, Data Security Council of India (DSCI).

"It should not limit data collection and use, but limit harm to citizens," Bajaj added at a seminar on "Data Protection and Privacy" organised by non-profit industry body Internet and Mobile Association of India (IAMAI).

In a major boost to individual freedom, the Supreme Court in August declared that right to privacy was a fundamental right and protected as an intrinsic part of life and personal liberty and freedoms guaranteed by the Constitution.

"The Supreme Court judgment calls for production of a new law," said Sunil Abraham, Executive Director of Bangaluru-based research organisation, Centre for Internet and Society (CIS).

The experts noted that the Supreme Court judgment remains meaningless for digital Indians without a proper data protection law in place as all other existing laws, such as the Information Technology Act, 2000, do not adequately address the question of right to privacy.

Recognising the importance of data protection and keeping personal data of citizens secure and protected, the Ministry of Electronics and Information Technology (MeitY) on July 31, constituted a Committee of Experts under the chairmanship of its former judge Justice B.N. Srikrishna to study and identify key data protection issues and recommend methods for addressing them. The committee will also suggest a draft Data Protection Bill.

"While the regulator should be given tools to make companies behave better, it should not start with harsh punitive actions," Abraham noted, adding that big fines could challenge the very logic of regulation.

In a question to whether a robust data protection regime should come in conflict with issue such as national security, he said that lawmakers should find a way to maximise both imperatives.

"Surveillance is like salt in cooking. It is necessary, but in limited quantity," he added.

Participating in a chat with Google's Public Policy Director Chetan Krishnaswamy at the event, MP Rajeev Chandrasekhar, however, said that regulation should start with the process of data collection itself and consumers cannot be expected to demonstrate harm or inappropriate use of their data to enjoy the right to privacy.

"It should not be a free run for companies to mine consumer data," the independent Rajya Sabha member said.

He emphasised that the process of formulating a data protection law is as important as the law itself and all stakeholders should be able to openly put forward their views and apprehensions and it is only with such a consultative process that the opportunities for the technology space can be safeguarded.

—IANS

gb/vd

Disclaimer: No Business Standard Journalist was involved in creation of this content

Back to Top ⇧

Context and Background

This article appeared two months after the Supreme Court’s unanimous nine-judge bench decision in Justice K.S. Puttaswamy (Retd.) v. Union of India (August 2017), which declared privacy a fundamental right under Article 21 of the Constitution. The judgment created immediate pressure to translate constitutional protections into statutory frameworks, prompting the Ministry of Electronics and Information Technology to establish the Justice B.N. Srikrishna Committee on 31 July 2017—even before the Supreme Court delivered its final verdict—demonstrating anticipatory policymaking in response to expected judicial developments.

The seminar coverage captured divergent regulatory philosophies emerging amongst stakeholders during the early drafting phase of what would become the Personal Data Protection Bill 2019. Kamlesh Bajaj’s Data Security Council of India, an industry-backed self-regulatory organisation established by NASSCOM, advocated for innovation-centric regulation that avoided restricting data collection practices, reflecting technology sector preferences for permissive frameworks that minimised compliance costs whilst addressing egregious harms through targeted enforcement rather than comprehensive ex ante restrictions.

Abraham’s intervention offered a more nuanced regulatory position, acknowledging the necessity of enforcement mechanisms whilst cautioning against disproportionate penalties that could undermine regulatory legitimacy or create perverse incentives. His observation that “big fines could challenge the very logic of regulation” anticipated debates that would intensify following the European Union’s General Data Protection Regulation implementation in May 2018, when enforcement actions imposing substantial penalties on technology companies sparked discussions about whether punitive approaches fostered compliance or merely generated revenue whilst failing to address systemic privacy violations.

The “surveillance is like salt in cooking” metaphor represented Abraham’s characteristic effort to frame complex policy trade-offs through accessible analogies, suggesting that surveillance capabilities serve legitimate state functions when deployed proportionately but become harmful when pervasive. This framing challenged binary formulations that positioned privacy and security as inherently antagonistic, instead proposing that careful institutional design could accommodate both imperatives through procedural safeguards, oversight mechanisms, and proportionality requirements that calibrated surveillance powers to genuine threats rather than enabling indiscriminate monitoring.

MP Rajeev Chandrasekhar’s contrasting position—that regulation should commence with data collection itself rather than requiring consumers to demonstrate harm—reflected emerging consumer rights perspectives that challenged notice-and-consent frameworks. His assertion that individuals should not bear the burden of proving inappropriate data use to enjoy privacy protections anticipated critiques of consent-based regulatory models that scholars like Daniel Solove and Helen Nissenbaum had articulated, arguing that meaningful consent proved impossible in asymmetric information environments where companies possessed superior technical knowledge and consumers faced take-it-or-leave-it terms.

The tension between Bajaj’s innovation-centric approach and Chandrasekhar’s consumer protection emphasis foreshadowed debates that would dominate the Srikrishna Committee’s deliberations and subsequent legislative processes. The committee’s 2018 report attempted to balance these positions through data fiduciary obligations, consent requirements, and purpose limitation principles whilst incorporating industry concerns through exemptions for processing necessary for “reasonable purposes” and reduced obligations for small entities. However, the government’s subsequent modifications to the draft legislation—including broad exemptions for state surveillance and reduced constraints on government data processing—suggested that innovation concerns and national security imperatives ultimately prevailed over strict privacy protections.

Sunil Abraham’s participation in this seminar reflected the Centre for Internet and Society’s role as a technical intermediary organisation capable of engaging both industry stakeholders and civil society advocates during policy formulation processes. Unlike purely advocacy-oriented organisations that might adopt maximalist positions, CIS sought to inform regulatory design through empirical research whilst maintaining independence from both corporate and state interests. This positioning enabled contributions to official consultations, participation in expert committees, and convening of multistakeholder dialogues that shaped India’s evolving digital governance frameworks.

The article’s publication in October 2017 positioned it within a critical window when the Srikrishna Committee actively solicited stakeholder inputs and international regulatory models remained under evaluation. The European Union’s GDPR, adopted in April 2016 but not yet implemented, provided one potential template, whilst alternative approaches from jurisdictions like Singapore, Australia, and Canada offered less stringent models that technology industry representatives found more appealing. The committee’s eventual adoption of GDPR-inspired terminology and principles—including data fiduciaries, data principals, and sensitive personal data categories—suggested that European frameworks exerted substantial influence despite industry preferences for lighter-touch regulation.

📄 This page was created on 8 January 2026. You can view its history on GitHub, preview the fileTip: Press Alt+Shift+G, or inspect the .