View from India: Data protection report brings regulation a step closer
A committee investigating data protection requirements submitted its report to the Ministry of Electronics and Information Technology (MeitY) for approval on 27 July along with a draft of the Personal Data Protection Bill, the first of its kind in India, which would see the creation of a new enforcement framework and heavy penalties for non-compliance.
The Justice BN Srikrishna Committee comprising a 10-member panel of experts was formed in July 2017 after the Supreme Court delivered a verdict that privacy was a fundamental right. It presented a white paper on the data protection framework which was released by the Ministry of Electronics and Information Technology in November 2017. The committee head, Justice Bellur Narayanaswamy or BN Srikrishna, is an Indian jurist and a retired judge of the Supreme Court of India.
To make privacy a meaningful fundamental right, it is essential to put in place a data protection framework that, while protecting citizens from dangers to informational privacy originating from state and non-state actors, serves the common good. Moreover, in the digital economy, depending on the nature of data that is shared, the purpose of such sharing and the entities with which sharing happens, data principals expect varying levels of trust and loyalty. For entities, this translates to a duty of care to deal with such data fairly and responsibly for purposes reasonably expected by the principals. This makes such entities “data fiduciaries”. And if the data fiduciary is in contravention of the Act, it would be liable to a penalty of up to Rs 150 million or 4 per cent of an entity’s total worldwide turnover in the preceding financial year, depending on whichever is higher.
As per the Data Protection Report, there is a need for a law that protects personal data in order to ensure that a free and fair digital economy can become a reality in India. For the country to shape the global digital landscape in the 21st century there’s a felt need to formulate a legal framework relating to personal data that can work as a template for the developing world.
Personal data should be collected only for compliance with any law, employment and for any function of Parliament or any state legislature. The Report has also taken into account sensitive personal data, which is described as passwords, financial data, health data, biometric data, genetic data, caste or tribe and religious or political belief.
Cross-border transfer of personal data has been put forth with strong conditions.
With respect to data localisation, the white paper recognised the need for treating different types of personal data differently and a one-size-fits-all model was not considered appropriate.
It’s also an acknowledged fact that the digital economy has a transformative potential to improve lives in India and elsewhere. Technologies such as Artificial Intelligence hold out the promise of new breakthroughs in medical research and Big Data generates more calibrated searches and allows quicker detection of crime. Large-scale data analytics allows machines to discern patterns and constantly improves services in an endless virtual loop. The prospects of such data gathering and analysis to benefit citizens are immense.
For enforcement of the data protection law, the report has proposed a Digital Protection Authority (DPA) as an independent regulatory body.
There’s also a provision for the ‘Right to be Forgotten’, which means individuals can limit, de-link, delete, or correct the disclosure of personal information on the internet that is misleading, embarrassing, irrelevant, or anachronistic. This is in line with the European Union’s GDPR (General Data Protection Regulation) framework.
Coming to the draft of the Personal Data Protection Bill, it indicates that “the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy.”
The draft bill states that it is necessary to create trust between the individuals who provide their data and entities who process this, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organisational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorised and harmful processing, and to establish a Data Protection Authority (DPA) for overseeing processing activities.
The draft bill has defined terms like consent, data breach and sensitive data, as well as calling for privacy by design on part of data processors.
Earlier in the month the Telecom Regulatory Authority of India (TRAI) issued its Recommendations on Privacy, Security and Ownership of Data in the Telecom Sector. What makes the TRAI recommendations different from the Srikrishna report is that TRAI recommends that devices should disclose the terms and conditions of use in advance, before sale of the device. It should be made mandatory for the devices to incorporate provisions so that user can delete pre-installed applications if he/she so decides. Also, the user should be able to download the certified applications at the individual’s own will and the devices should in no manner restrict such actions by the users.
TRAI recommends that a common platform should be created for sharing of information relating to data security breach incidences by all entities in the digital ecosystem including telecom service providers. It should be made mandatory for all entities in the digital ecosystem including all such service providers to be a part of this platform.
It should be noted that the data protection law is the first of its kind in India and involves the creation of an entirely new regulatory framework for the purpose of its enforcement. In a nutshell, the Government initiated telecom recommendations and data protection report point to the fact that we need to protect and secure our data. More so, as we are moving towards the creation of a digital India, where all data is stored on the cloud.