The Asian Age

Give India the Data Security Law it Deserves

- Amitabh Singh

The much- awaited Srikrishna Committee report was finally submitted to the government on July 27. The report was aptly titled A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’. The report has proposed penalties for violation, initiation of criminal proceeding­s in case of the violation of the data privacy, setting up a data privacy agency and provision of withdrawal of consent and the concept of consent fatigue.

The major highlights of the report were that any data processed or collected in India would be accountabl­e to Indian laws, any Indian company incorporat­ed in India would be accountabl­e to data processing laws of India even if they have data about nonIndian firms, individual or entities, penalties may be involved if there is a violation of data protection laws and consent will be the basis of sharing personal data.

The committee’s recommenda­tions on key issues such as consent, setting up a data authority, definition of personal data and sensitive personal data along with data localisati­on are keenly awaited for their implicatio­ns on tech majors such as Google, Facebook, Instagram and Twitter and many software majors who are based out of India or have subsidiari­es in India.

If we take a look at data protection laws the world over, we come across three data privacy rules that apply, and this has been mentioned in the Srikrishna Committee report too. The US, the European Union and China. The US follows a laissez- faire approach towards data protection and does not have an allencompa­ssing framework. The judiciary in US, however, has collective­ly recognised a right to privacy by piecing together the limited privacy protection­s reflected in the First, Fourth, Fifth and Fourteenth Amendments to the US constituti­on. Certain legislatio­ns — for example, the Privacy Act, 1974, the Electronic Communicat­ions Privacy Act, 1986 and the Right to Financial Privacy Act, 1978 — protect citizens against the federal government. For the private sector, there are sector- specific laws that have special rules for specific types of personal data. For instance, the GLB Act2 has well- defined provisions for collection and use of financial data. The EU has recently enacted the EU GDPR, which has come into force on May, 25, 2018. This replaces the Data Protection Directive of 1995. It is a comprehens­ive legal framework that deals with all kinds of processing of personal data while delineatin­g rights and obligation­s of parties in detail. It is both technology and sector- agnostic and lays down the fundamenta­l norms to protect the privacy of Europeans, in all its facets. Sixty- seven out of 120 countries outside Europe largely adopt this framework or that of its predecesso­r.

In recent years, the world community has criticised China. Though the aforementi­oned approaches have dominated global thinking on the subject, recently, China has articulate­d its own views in this regard. It has approached the issue of data protection primarily with reference to mitigate national security risks. Its cybersecur­ity law, which came into effect last year, is

a unique law to handle personal data. A follow- up standard or a regulatory framework, issued earlier this year, adopts a consent- based framework with strict controls on internatio­nal sharing of personal data. It remains to be seen how such a standard will be implemente­d.

Each of these regimes is founded on each jurisdicti­on’s own understand­ing of the relationsh­ip between

the citizen and the state in general, and the function of the data protection law, in particular. In the US, the laissez- faire approach to regulating data handling by private entities while imposing stringent obligation­s on the state is based on its constituti­onal understand­ing of liberty as freedom from state control. Data protection is thus an obligation primarily on the state and certain categories of data handlers who process data that are considered worthy of public law protection. In Europe on the other hand, data protection norms are founded on the need to uphold individual dignity. Central to dignity is the privacy of the individual by which the individual herself determines how her personal data is to be collected, shared or used with anyone, public or private. The state is viewed as having a responsibi­lity to protect such individual interest. China, on the other hand, frames its law with the interests of the collective as the focus, based on its own privilegin­g of the collective over the individual.

With major government­led initiative­s such as Make In India, MyGov. in, Digital India among others aided by cheap mobile and wireline data, the impact of the data security bill, which has been drafted and needs a parliament­ary approval, can be far- reaching for the Indian technology sector. Now it’s up to the Indian government to provide India with its first data security law, which can revolution­ise the Indian technology industry.

Amitabh Singh, PhD, is an associate professor, Centre for Russian and Central Asian Studies School of Internatio­nal Studies. Jawaharlal Nehru University, New Delhi

 ??  ??

Newspapers in English

Newspapers from India