A uniform law that aims to protect citizens' virtual data has the potential to secure their rights and establish confidence in the law, for better governance of government policies.
What is Data Protection?
-> Data protection is about safeguarding our fundamental right to privacy, which is enshrined in international and regional laws and conventions, and also in the Indian Constitution (recent Supreme Court judgement on privacy).
-> Data protection is commonly defined as the law designed to protect your personal information, which is collected, processed and stored by “automated” means or intended to be part of a filing system.
The Justice B.N. Srikrishna committee was constituted by the Union Ministry of Electronics & Information Technology (MEITY) to study and identify key data protection issues and recommend methods for addressing them.
Need For Data Protection:
-> Every time you use a service, buy a product online, register for email, go to your doctor, pay your taxes, or enter into any contract or service request, you have to hand over some of your personal information.
-> Even without your knowledge, information about you is being generated and captured by companies and agencies you are likely to have never knowingly interacted with.
-> In the last 5-6 years there has been a quantum leap in the world of technology, driven by trends such as the proliferation of social media, the growth of e-commerce leading to a boom in transactions over the Internet, and demonetisation, which has pushed more people into the digital economy. The IT Act may therefore have to be reconsidered in the light of these developments.
-> The IT Act may also be inadequate to deal with current requirements, since it was drafted almost 17 years ago in 2000 and was last amended in 2008.
-> The government’s decision to focus on data protection comes on the back of a wave of privacy and data breaches, from corporates such as McDonald’s, Reliance Jio and Zomato to government agencies that have leaked the personal data and Aadhaar of over 100 million citizens.
Limitations and challenges the Justice B.N. Srikrishna committee will face:
- Reliance on imported technology: India is overwhelmingly dependent on imported technologies. The devices dealing with the data of individuals are smartphones. The smartphone providers and the operating systems on which they work (Android, iOS etc.) are not indigenous. They also export data to jurisdictions outside India. So India has little say on data protection.
- Data localization: If India wants to avoid data export, it should have its own data centers. As data centers demand mild temperatures, it would be a burden on the economy to divert its resources to them.
- “Sensitive” personal data: There is no universal definition of what constitutes ‘sensitive data’ among the State and Central authorities. The current definitions of sensitive data have to be re-evaluated, with even some mobile applications asking for very sensitive biometric data, and health records becoming increasingly popular.
- Consensus among the state governments may also be a concern.
Seven guidelines of B.N. Srikrishna Committee for framing data protection law:
1) Technology agnostic: The data protection law must take into account the continuous change in technology and standards of compliance.
2) Holistic application: The law must cover both the private sector and the government sector. The committee of experts, however, also talks about “differential obligations” in case of “certain legitimate state aims”.
3) Informed consent: The white paper talks about “informed consent” and not just consent. It says the consent should be “informed and meaningful”. It is not clear what “informed consent” means.
4) Data minimization: The data collected or being processed should be minimal: only that data which is necessary for the purpose for which it is being sought. However, the white paper also adds that the data will be collected for the stated purpose “and other compatible purposes beneficial for the data subject”.
5) Controller accountability: The committee is clear on fixing accountability of data controllers. It says, “The data controller should be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing.”
6) Structured enforcement: The committee proposes to set up “a high-powered statutory authority”, which “must co-exist with appropriately decentralized enforcement mechanisms.”
7) Deterrent penalties: It proposes “adequate” penalties for “wrongful processing” to ensure deterrence.
-> The Government should focus on developing an indigenous technology market, like China, to replace import-dependence with tech-export. This will automatically empower the government to enforce its will on data protection.
-> The Government must work towards a comprehensive legislative stance on cyberspace laws and privacy, considering the Supreme Court’s recent judgements and improving the National Cyber policy.
-> Instead of a national data protection law, the Government should rather lobby with the P-5 towards an international data convention based on democratic and fair-practice principles. This will overcome the problems due to technology imports.
-> The states can also frame a law or body that works for maintaining protection in the states, and a government body at central level can monitor the state-level efforts.
-> Apart from these, CERT-In also needs to be strengthened and involved in ensuring protection of citizens' data.
Countries such as Spain and Iceland lead the world in their data protection laws. They monitor the enforcement of laws while, in parallel, protecting the freedom of their citizens and giving them the right to raise their voice against any data violation.
India can also check the enforcement of laws by setting up a national multi-stakeholder agency that investigates violations and fines violators appropriately.