‘Consent has to be the bedrock on which data is processed’
NEWDELHI:IT’S been a year since the Justice BN Srikrishna Committee was formed to study issues related to data protection. On Friday, the draft Personal Data Protection Bill, 2018 was submitted to the government. In a phone interview, Arghya Sengupta, member of the committee and research director at the Vidhi Centre for Legal Policy, an advisory group, explained the implications of the draft bill to of HT. Edited excerpts:
Vidhi Choudhary
and you can go to the DPA for any complaint against anybody, whether in the private or public sector.
So far, in the IT Act, the reasonable security practice rules are not applicable against the government. I think it is of great credit to the committee that we could evolve a consensus on this issue. This law will apply to the private as well as the public sector.
Third, there is a broad principled formulation in favour of local storage of data. The principle has been set that the data of Indians should remain in India.
Of course there will be exemptions, people will be allowed to take their data abroad. We are very cognisant of the fact that the Internet must remain free and unwalled. But at the same time, we think data is a huge asset of the country. So, if companies are going to use this data to provide services that are beneficial for Indians, then they should set their data centres up in India, create jobs for Indians and keep their data protected and secure in India.
However, the government may exempt certain types of data due to practical limitations like the Reserve Bank of India is facing with financial data. But the exemptions will only be on two grounds — necessity or strategic interests. A lot of data currently exists in India already. I don’t think it is that big an issue because it’s happening anyway. Also when we say data localization, let’s not think one server somewhere that will have everybody’s data. We have 29 states, we are a large country. It’s going to be decentralised across several servers in several parts of the country.
And yes, if security is a concern, then the government of India must take every step to reassure its citizens that the data will remain secure. My sense is that it should not be a serious deterrent. We allow transfer of personal data with some restrictions. I think this is a very nuanced provision; if there are some serious concerns. the central government can exempt people. But we should send the message very clearly that if India is such a large market for global technology companies, then the benefit should not only be to those companies but also to the citizens of India. The committee would have been remiss if it did not have any discussion on Aadhaar. There is a whole set of amendments suggested to Aadhaar. It’s part of the Appendix.
This is for the consideration of the government because our task is not to draft the Aadhaar Act. It’s going to be a new-age regulator and an independent body. There are clear safeguards for independence provided. Its members can’t be removed very easily, they have tenures. The appointment process involves bipartisan participation. There is no reason to start off on a note of distrust that the government will control everything. The appointment committee has one representative fr- om the government and two from the outside - the cabinet secretary and the chief justice. The terms and conditions have prescriptions that are equal to a Supreme Court judge. They are not eligible for reappointment. And they can’t hold any other office so there is no conflict of interest. No, not at all. The RTI Act is in no way going to be weakened by any privacy protections in this bill. Nothing in the data protection act will prevent disclosure of information.