‘Clear method for data collection must’
NEW DELHI: India’s legal framework on personal data protection should ensure that the purpose for which data is collected is clearly explained and it should lay down a clear methodology for procuring data, retired Supreme Court justice BN Srikrishna said on Sunday.
When data is collected without the consent of the individual, like in current circumstances where a lot of data is being collected in connection with the Covid-19 pandemic, the law should ensure data anonymisation, he added.
“Under what circumstances can data be taken away without consent of the principal? Take for instance, the situation of Covid. Data is necessary for statistical probability. If someone wants to do research on impact of Covid, they will need a lot of data on it. This is where the aspect of “data anonymisation” comes in, where only numbers and no personal information can be utilized”, Srikrishna pointed out.
He was speaking at a Webinar organized by law firm Shyam Padman Associates on the topic “The Challenges in Personal Data Protection in the absence of (a) Data Protection Law in India”.
Srikrishna, who headed the committee which, in 2018, proposed the draft of the Personal Data Protection Bill said that the line between right to privacy of an
› If someone wants to do research on Covid, they will need a lot of data. This is where ‘data anonymisation’ comes in... only numbers, personal info can’t be utilised.
BN SRIKRISHNA , retired Supreme Court justice
individual and the right of the state to access data is a fine one and the data protection law should guarantee that data collected is only to the extent to which it is required.
“The legislative enactment must categorically explain the purpose for the collection of data. There should be a rational connection (between the data collected and the purpose for which it is acquired). There should be no absurdity in the connection. There is also the need for proportionality. The law should not go beyond what is absolutely required,” he explained.
The state, he said, can take away rights of an individual, only if it can ensure that it is for the greater good of the public. “For instance, in case of Aarogya Setu, the state, in a positive move, did not make it mandatory,” Srikrishna said.
The central government came out with a draft Personal Data Protection (PDP) Bill in December
2019. The bill regulates personal data of individuals and governs the processing of such data by both government and companies incorporated in India.
Justice Srikrishna said the bill falls short on certain aspects including absence of data localization which enables transfer of data outside India .
“Can State access data of a person who is a suspect. The answer in legislation is yes. Unfortunately, in my opinion, PDP of 2019 has watered down this provision which allows state to unilaterally infringe fundamental right (of privacy) in name of sovereignty and security”, he said while expressing hope SC will look into such aspects. The SC’s seminal 2017 judgment in the case of Justice KS Puttaswamy v. Union of India in which the court had held right to privacy as a facet of the fundamental right to life was instrumental in initiating debate on the absence of data protection laws in India.