28 DATA PROTECTION FRAMEWORK
PRS BN Srikrishna White Paper on Data Protection Framework for India
Access to data is knowledge and knowledge is power. There are many players — both legitimate and unscrupulous — who want to lay their hands on this enormous power. Indians are set to become the world’s top data consumers. They deserve legislation that ensures comprehensive protection.
The Committee of Experts on a Data Protection Framework for India (Chair: Justice B. N. Srikrishna) released a white paper on November 27, 2017. The Committee was constituted in August 2017 to examine issues related to data protection, recommend methods to address them, and draft a data protection law. The objective was to ensure growth of the digital economy while keeping personal data of citizens secure and protected. The Committee sought comments on certain questions raised by it till December 31, 2017. It will draft a law for data protection in India based on the feedback it receives.
Principles: The Committee suggested that a framework to protect data in the country should be based on seven principles: (i) law should be flexible to take into account changing technologies, (ii) law must apply to both government and private sector entities, (iii) consent should be genuine, informed, and meaningful, (iv) processing of data should be minimal and only for the purpose for which it is sought, (v) entities controlling the data should be accountable for any data processing, (vi) enforcement of the data protection framework should be by a high-powered statutory authority, and (vii) penalties should be adequate to discourage any wrongful acts.
The Personal Data Protection Bill, 2018
Positives
1. It seeks to codify the relationship between individuals and firms/state institutions as one between “data principals” (whose information is collected) and “data fiduciaries” (those processing the data) so that privacy is safeguarded by design. This is akin to a contractual relationship that places obligations on the entities entrusted with data, which are obligated to seek the consent of the “principal” for the use of personal information.
2. The committee has given users comprehensive rights of correction, updation, and data portability.
3. In many ways, the draft legislation mirrors the General Data Protection Regulation, the framework on data protection implemented in the European Union this May, in providing for “data principals” the rights to confirmation, correction of data, portability and “to be forgotten”, subject to procedure.
4. It envisages the creation of a regulatory Data Protection Authority of India to protect the interests of “principals” and to monitor the implementation of the provisions of the enabling data protection legislation.
5. On the positive side, the Bill has proposed stringent penalties in case of any violation or misuse of personal data by public or private entities.
6. The thrust on creating an institutional structure for data protection is also a good move towards creating a framework for all stakeholders to be more responsible and build trust while dealing with personal data.
7. The Bill also includes a generally inclusive and progressive list of sensitive personal data.
Negatives
1. No clarity on ownership of data: the Telecom Regulatory Authority of India’s recommendations on data protection did a better job on this front by categorically stating that the user owns her data.
2. The other big worry is the exemptions allowed for processing of data by the State. While the proposed legislation states that such exemptions can be given only when it’s necessary, it is vague and leaves it open to interpretation and potential misuse.
3. What makes this more ambiguous is that State agencies can process personal data of users, albeit subject to conditions, without any judicial oversight. The exemptions granted to state institutions from acquiring informed consent from principals or processing personal data in many cases appear to be too blanket, such as those pertaining to the “security of the state”. These are hold-all phrases, and checks are vital.
4. To be fair, the committee has flagged concerns related to the need to gather user data for surveillance by intelligence agencies and has argued in favour of bringing a law to ensure oversight. But the proposed Bill has left out this crucial aspect of data protection. The report recommends a law to provide for “parliamentary oversight and judicial approval of non-consensual access to personal data”. Without such an enabling law, the exemptions provided in the bill will fall short of securing accountability from the state for activities such as dragnet surveillance.
5. The draft Bill in fact gives sweeping powers to the Centre by allowing it to issue binding directions to the proposed Data Protection Authority.
6. The proposal to restrict cross-border data flows and make it mandatory to store one serving copy of all personal data within India could be counterproductive for Indian businesses. This could become a trade barrier and impact the thriving Indian business processing industry.