Read on Twitter
Tweetstorm coming up on the 9 distinguishing points of our thinking on #DataProtection ☔️ @dvararesearch @benichugh @julupani @binduananth 1/n
External Tweet loading...
If nothing shows, it may have been deleted
by @teninthemorning view original on Twitter
1. Scope —the law should apply to protect the personal data of all people in India, foreign entities conducting business in India + those outside India processing personal data from india. 2/n
2. Protect all personally identifiable data—do away with the distinction b/w “sensitive personal data” and “personal data”. Protect all personally identifiable data.This means the law will not apply to de-identified data; incentivising de-identification (as techniques evolve) 3/n
3. A new “Legitimate purpose” test should be the contextual test for entities to apply ACROSS data lifecycle, allowing data use that is (1) lawful (2) necessary for the service to be pvded (3) proportionate. See page 42 for suggested language dvara.com/blog/wp-conten… 4/n
4. #Consent remains important though the #legitimatepurpose test should be primary ground for processing; the role of consent is no longer permission but as #notice of #collection with option to opt-out. Obligations to process data inline with #legitimatepurpose not waived. 5/n
5. #UserDataRights should be the core of the regime, guaranteeing a bundle of rights that empower #datasharing and protect against #dataharm. Read our docs for the list of these rights we propose! Spoiler: proposing a #definition of #harm & right to #informational #privacy 6/n
6. Responsive regulation tools should be considered for a full pyramid of support and of sanctions, to provide regulatory certainty for all market players and crowd entities into regulation through ex-ante & ex-post tools. We event have A GRAPHIC in our response ;) see pg 55 7/n 
7. #SystemicallyImportantDataEntities (also, coolest hashtag of 2018). Draw from #financial #regulatory thinking; consider grading entities into (1) systemically important (2) medium risk & (3) low risk entities to ration supervisory ®ulatory capacity and tools accordingly.8/n
8. #liability—strict for most obligations where obligation is well defined in law (w/ gradual requirements clear for each sector through secondary legn & industry codes), this will help #insurance market; reasonable efforts for evolving principles like data harm & privacy. 9/n
9. Inter-sectoral coordination—a future #DataProtectionAuthority should create processes to work with existing/future regulators in each sector for nuanced, fit-for-purpose regulations for sectors, to improve supervision, reduce risk of regulatory arbitrage. 10/n
And that’s a wrap! Check out our (NON expert) legislative doc that shows how our thinking hangs together. Released v humbly& with full knowledge that this is only a learning document to constructively continue the debate. All comments welcome. dvara.com/blog/wp-conten… 11/n
Special thanks to everyone who agreed, disagrees, engaged and challenged us in our thinking so far—@DavidMedine @alokmittal001 @Katharine_Kemp @Michael_S_Barr @KartVenkatesh @GregChenFinTech @nehaachaudhari @PushanDwivedi @binduananth @Deeptigeorge
And many many others including @BhairavAcharya @matthan @sunil_abraham @ambersinha07 @smithakprasad @chinmayiarun @ambaonadventure @resaspeaks @amol_kulkarni1 @alokpi @nixxin (including the Committee!) who’re engaging on these issues in India. Here’s to continuing discussions!
• • •
Missing some Tweet in this thread? You can try to
force a refresh
