‘Consent has to be the bedrock on which data is processed’
NEWDELHI:It’s been a year since the Justice BN Srikrishna Committee was formed to study issues related to data protection. On Friday, the draft Personal Data Protection Bill, 2018 was submitted to the government. In a phone interview, Arghya Sengupta, member of the committee and research director at the Vidhi Centre for Legal Policy, an advisory group, explained the implications of the draft bill to Vidhi Choudhary of HT. Edited excerpts:
What are the key takeaways for the Indian user on WhatsApp, Facebook, Google?
First is consent. The bill is consent-centric. Consent is the fundamental principle on the basis of which data can be processed. To give you a simple example, today everybody has to look at 26-page for -ms of legal writing and then tick a box in which you don’t even read anything and you say ‘ I agree.’ My personal hope, and this is written in the bill, is that it will be replaced by a data trust score. So then you know that this person you’re giving your data to is 1 on 10,so you’d think twice.
Second, if you have a problem currently, there is nowhere you can go to. If your data is stolen, you don’t know what to do. Here, we are creating a Data Protection Authority (DPA) which will have its offices everywhere and you can go to the DPA for any complaint against anybody, whether in the private or public sector.
So far, in the IT Act, the reasonable security practice rules are not applicable against the government. I think it is of great credit to the committee that we could evolve a consensus on this issue. This law will apply to the private as well as the public sector.
Third, there is a broad principled formulation in favour of local storage of data. The principle has been set that the data of Indians should remain in India.
Of course there will be exemptions, people will be allowed to take their data abroad. We are very cognisant of the fact that the Internet must remain free and unwalled. But at the same time, we think data is a huge asset of the country. So, if companies are going to use this data to provide services that are beneficial for Indians, then they should set their data centres up in India, create jobs for Indians and keep their data protected and secure in India.
However, the government may exempt certain types of data due to practical limitations like the Reserve Bank of India is facing with financial data. But the exemptions will only be on two grounds — necessity or strategic interests.
Are there any security concerns about keeping one copy of the data in India?
A lot of data currently exists in India already. I don’t think it is that big an issue because it’s happening anyway. Also when we say data localization, let’s not think one server somewhere that will have everybody’s data. We have 29 states, we are a large country. It’s going to be decentralised across several servers in several parts of the country.
And yes, if security is a concern, then the government of India must take every step to reassure its citizens that the data will remain secure. Could this deter global Internet companies from entering India or affect their existing operations?
My sense is that it should not be a serious deterrent. We allow transfer of personal data with some restrictions. I think this is a very nuanced provision; if there are some serious concerns. the central government can exempt people. But we should send the message very clearly that if India is such a large market for global technology companies, then the benefit should not only be to those companies but also to the citizens of India.
What are the implications of this bill on the Aadhaar Act?
The committee would have been remiss if it did not have any discussion on Aadhaar. There is a whole set of amendments suggested to Aadhaar. It’s part of the Appendix. This is for the consideration of the government because our task is not to draft the Aadhaar Act.
What role will the Data Protection Authority play and how independently will it operate?
It’s going to be a new-age regulator and an independent body. There are clear safeguards for independence provided. Its members can’t be removed very easily, they have tenures. The appointment process involves bipartisan participation. There is no reason to start off on a note of distrust that the government will control everything.
The appointment committee has one representative from the government and two from the outside - the cabinet secretary and the chief justice. The terms and conditions have prescriptions that are equal to a Supreme Court judge. They are not eligible for reappointment. And they can’t hold any other office so there is no conflict of interest.
There is some criticism that the proposed bill weakens the RTI Act.
No, not at all. The RTI Act is in no way going to be weakened by any privacy protections in this bill. Nothing in the data protection act will prevent disclosure of information.