Data protection: Srikrishna paper keeps questions open instead of definitive solutions
Instead of definitive answers on securing privacy data and digital transactions in particular, the draft white paper readied by a 10-member expert panel headed by retired Supreme Court Judge B N Srikrishna keeps most questions open. It reads like a questionnaire for the public and the government has released it for the public response latest by December end.
For instance, it asks: Can an individual drag government or companies to court for misuse of his personal data and seek huge compensations? What should be the definition of “sensitive data” like financial and medical information of an individual that should not be allowed to be processed in deference to his/her privacy? What about computing data related to the minors?
The committee also wants to know whether a data protection authority and data controllers will require to manage the issues related to knowledge garnered by corporations, both domestic and international, as well as government and its agencies. “A stronger mechanism in the form of a central oversight authority may be required in India in order to effectuate the effective protection of personal data,” it recommends.
“The objective of the whole exercise is to ensure growth of the digital economy while keeping personal data of citizens secure and protected,” says the draft white paper.
On the issue of penalties, it stresses that the quantum of penalty prescribed under the provisions of the IT Act “appear to be inadequate and may not act as a deterrence” to growing e-commerce and other technologybased players in India.
It wants to know whether or not the penalty can be fixed on a “per-day basis” for breaching of data protection law. “An upper limit may be a fixed amount or may be linked to variable parameter, such as, a percentage of the annual turnover of the defaulting data controller,’’ said the committee.
Compensation as per the paper frames an important remedy where an individual has witnessed a loss or damage as a result of a data controller’s failure to comply with the data protection principles. The compensation could be based on the amount of gain of an unfair advantage, wherever quantifiable, made as a result of the default.
“It is quite common for Internet users to disclose personal information they later regret, or to possess information posted about them that they wished had remained undisclosed. Information posted on the Internet is never truly forgotten,” the paper says, asking whether there should be a way a user could erase information from the Internet “to remove the shackles of unadvisable past things and correct past actions.”
When it comes to defining what is personal data, the white paper informs that there may be a need to categorise the types of information which could frame a pivotal part of an individual’s identity.