Hindustan Times ST (Mumbai)

India must have regulator to protect data misuse: Panel

Proposed authority means to protect ‘data principals’, try to prevent misuse of personal data, and spread awareness on data protection

- Zia Haq

NEW DELHI: A bill drafted by a committee headed by former Supreme Court judge BN Srikrishna provides for the formation of a Data Protection Authority of India to protect citizens’ data and privacy — a growing concern in an increasingly digitising economy.

The 10-member experts’ panel was set up in July 2017 to come up with an overarching report on data privacy and also recommend legal provisions.

The draft Personal Data Protection Bill, 2018 — part of the report submitted to law and information technology minister Ravi Shankar Prasad — says that the authority will protect “data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness of data protection”. In essence, the authority will function as India’s privacy regulator. “Data principal,” in the bill, denotes a person whose data is being referred to.

In a digital economy abounding with platforms such as Facebook, Google and widening use of the internet, privacy and security of people’s data have become a key public concern and a defining public policy debate.

Individual privacy is a “guaranteed fundamental right”, the Supreme Court ruled in August in a landmark verdict. A nine-judge bench said right to privacy was at par with right to life and liberty, and that the verdict will protect citizens’ personal freedom from intrusions.

The Data Protection Authority will be empowered to take “prompt and appropriate action” in response to any reported matter of data security breach in accordance with the provisions of the bill. Calling it a “monumental work”, Prasad said the IT ministry will examine the report. He said due processes will be taken up to bring a data protection bill before Parliament soon.

The bill also provides for an appellate tribunal. Any person with a complaint of data breach can appeal to the tribunal whose verdict will have the effect of a decree. Any person who has “suffered harm” from any entity, including the state, handling his or her data shall have the right to seek compensation.

“This is a critical milestone to ensure citizens’ data are protected and fundamental for citizens’ empowerment. The idea is to have a free and fair data economy. Many African countries don’t have privacy laws. So this law can be a reference point for the global south,” said Arghya Sengupta of the Vidhi Centre for Legal Policy, a legal policy advisory group. Sengupta is a member of the Srikrishna committee.

Alleged instances of leakage of data related to Aadhaar, the 12-digit unique biometric ID every Indian is required to possess, have recently made headlines. Aadhaar regulator Unique Identification Authority of India (UIDAI) has, however, denied any breach.

A key function of the authority is to determine the “circumstances” when a “data protection impact assessment may be required”. The authority can initiate a sort of risk assessment. It can review technological exercises by a company or entity which may carry a risk of breaching data privacy.

According to section 33 of the proposed Act, such “circumstances” may include any processing involving “new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data”.

A data fiduciary, which the bill defines as any person, the government or a company that processes people’s data, must undertake a “data protection impact assessment” before carrying out a task that may violate privacy, according to the bill’s provisions.

The authority will have a chairperson and six whole-time members. They will be appointed by the government based on the recommendation of a selection committee.
