Former Supreme Court judge-led panel suggests specialised agency to prevent data theft
A Bill drafted by a committee headed by former Supreme Court judge BN Srikrishna provides for the formation of a Data Protection Authority of India to protect citizens’ data and privacy — a growing concern in an increasingly digitising economy.Updated: Jul 27, 2018 23:39 IST
HT Correspondent, New Delhi
A Bill drafted by a committee headed by former Supreme Court judge BN Srikrishna provides for the formation of a Data Protection Authority of India to protect citizens’ data and privacy — a growing concern in an increasingly digitising economy.
The 10-member experts’ panel was set up in July 2017 to come up with an overarching report on data privacy and also recommend legal provisions.
The draft Personal Data Protection Bill, 2018 — part of the report submitted to law and information technology minister Ravi Shankar Prasad — says that the authority will protect “data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness of data protection”.
In essence, the authority will function as India’s privacy regulator. “Data principal,” in the bill, denotes a person whose data is being referred to.
In a digital economy abounding with platforms such as Facebook, Google and widening use of the internet, privacy and security of people’s data have become a key public concern and a defining public policy debate.
Individual privacy is a “guaranteed fundamental right”, the Supreme Court ruled in August in a landmark verdict. A nine-judge bench said right to privacy was at par with right to life and liberty, and that the verdict will protect citizens’ personal freedom from intrusions.
The Data Protection Authority will be empowered to take “prompt and appropriate action” in response to any reported matter of data security breach in accordance with the provisions of the bill. Calling it a “monumental work”, Prasad said the IT ministry will examine the report. He said due processes will be taken up to bring a data protection bill before Parliament soon.
- Has an all-encompassing law ‘General Data Protection Regulations,’ which came into effect on May 25, 2018.
- User consent needs to be explicit
- Right to be forgotten, a concept that arose in the EU
- Applies to businesses anywhere in the world who handle European data
- Penalties for non-compliance are up to 4 percent of the company’s global turnover, or 20 million Euros, whichever is higher
- Data protection fragmented in various federal and state laws
- Each sector will deem what is private or personal data
- A movement to pass a new law on consumer privacy protections failed in the Congress in 2017.
- California, with ‘Shine the Light Law,’ was one of the first states in the US to implement privacy laws
- The Privacy Act of 1988 regulates the handling of personal information of individuals
- Privacy is not a fundamental right
- Does not apply to government agencies
The Bill also provides for an appellate tribunal. Any person with a complaint of data breach can appeal to the tribunal whose verdict will have the effect of a decree. Any person who has “suffered harm” from any entity, including the state, handling his or her data shall have the right to seek compensation.
“This is a critical milestone to ensure citizens’ data are protected and fundamental for citizens’ empowerment. The idea is to have a free and fair data economy. Many African countries don’t have privacy laws. So this law can be a reference point for the global south,” said Arghya Sengupta of the Vidhi Centre for Legal Policy, a legal policy advisory group. Sengupta is a member of the Srikrishna committee.
Alleged instances of leakage of data related to Aadhaar, the 12- digit unique biometric ID every Indian is required to possess, have recently made headlines. Aadhaar regulator Unique Identification Authority of India (UIDAI) has, however, denied any breach.
A key function of the authority is to determine the “circumstances” when a “data protection imp- act assessment may be required”. The authority can initiate a sort of risk assessment. It can review technological exercises by a company or entity which may carry a risk of breaching data privacy.
According to section 33 of the proposed Act, such “circumstances” may include any processing involving “new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data”.
A data fiduciary, which the bill defines as any person, the government or a company that processes people’s data, must undertake a “data protection impact assessment” before carrying out a task that may violate privacy, according to the bill’s provisions.
The authority will have a chairperson and six wholetime members. They will be appointed by the government based on the recommendation of a selection committee.
First Published: Jul 27, 2018 23:35 IST