Le­gal Leg-Up:

With a draft law, In­dia takes the first steps to­wards en­act­ing data pro­tec­tion leg­is­la­tion amid ris­ing data breach.

India Business Journal - - CONTENTS - MOUMITA BAKSHI CHATTERJEE

With a draft law, In­dia takes the first steps to­wards en­act­ing data pro­tec­tion leg­is­la­tion amid ris­ing data breach.

new leg­is­la­tion has pro­posed to take ex­plicit con­sent of in­A­di­vid­u­als

be­fore sen­si­tive per­sonal in­for­ma­tion, like re­li­gious or po­lit­i­cal be­liefs, sex­ual ori­en­ta­tion and bio­met­ric in­for­ma­tion, is pro­cessed. The pro­posed law as­sumes sig­nif­i­cance as it has been drafted amid a sharp rise in data breaches. The law also man­dates that crit­i­cal data per­tain­ing to In­dian res­i­dents will have to be stored and pro­cessed within In­dia.

The draft leg­is­la­tion, which could af­fect how global com­pa­nies store data in In­dia, also pro­vides for the right to be for­got­ten and pre­scribes steep penal­ties for vi­o­la­tions. The draft of Per­sonal Data Pro­tec­tion Bill, 2018 - based on the rec­om­men­da­tions of a gov­ern­ment-con­sti­tuted, high­level panel set up in 2017 and headed by Jus­tice B N Srikr­ishna - re­stricts and im­poses con­di­tions on cross-bor- der trans­fer of per­sonal data. "Pri­vacy has be­come a burn­ing is­sue, and there­fore, ev­ery ef­fort has to be made to pro­tect data at any cost," note Jus­tice Srikr­ishna.

The panel sub­mit­ted its re­port on data pro­tec­tion as also the draft of the Bill to IT Min­is­ter Ravi Shankar Prasad re­cently, wrap­ping up nearly a year of de­lib­er­a­tions. In its 213-page re­port, the panel has asked the gov­ern­ment to de­ter­mine cat­e­gories of sen­si­tive per­sonal data which are crit­i­cal to the nation and added that such data can be pro­cessed "only in In­dia".

The Bill sug­gests set­ting up of Data Pro­tec­tion Author­ity of In­dia to pre­vent any mis­use of per­sonal in­for­ma­tion. "It is a mon­u­men­tal law, and we would like to have the widest par­lia­men­tary con­sul­ta­tion. We want In­dian data pro­tec­tion law to be­come a model glob­ally, blend­ing se­cu­rity, pri­vacy, safety and in­no­va­tion," em­pha­sises Mr Prasad.

Over­rid­ing Act

The draft leg­is­la­tion, which will go to the Parliament af­ter stake­hold­ers' con­sul­ta­tion, pro­vides for a penalty of Rs 15 crore or 4 per cent of the to­tal world­wide turnover of any data col­lec­tion en­tity, in­clud­ing the State, for vi­o­la­tion of per­sonal data pro­cess­ing pro­vi­sions. Fail­ure to take prompt ac­tion on a data se­cu­rity breach can at­tract a penalty of up to Rs 5 crore or 2 per cent of turnover, whichever is higher.

Once passed by the Parliament, the frame­work will over­ride all types of leg­is­la­tion deal­ing with data pri­vacy and col­lec­tion, in­clud­ing the law re­lated to Aad­haar. "The Bill pro­vides that right to pri­vacy is a fun­da­men­tal right, and it is nec­es­sary to pro­tect per­sonal data as an es­sen­tial facet of in­for­ma­tional pri­vacy," the draft stresses. The pro­posed law al­lows pro­cess­ing of per­sonal data only for the pur­pose that it is col­lected, for com­pli­ance with laws, em­ploy­ment as well as any func­tion of the Parliament or State leg­is­la­ture.

'Sen­si­tive per­sonal data' com­prises pass­words, financial data, health data, sex life, sex­ual ori­en­ta­tion, bio­met­ric data, ge­netic data, caste or tribe and re­li­gious or po­lit­i­cal be­lief or af­fil­i­a­tion. Th­ese can be han­dled only with ex­plicit con­sent of an in­di­vid­ual.

A good start

De­spite many far-reach­ing pro­vi­sions, there are some con­cerns with the pro­posed law. "The draft does not give users own­er­ship of their data and de­prives them of con­trol that they need to be able to delete data from col­lec­tors, like Face­book and Google. Also, there is no re­stric­tion on mass sur­veil­lance by the gov­ern­ment," notes Nikhil Pahwa, a dig­i­tal rights ac­tivist. He fur­ther adds that it is not fea­si­ble to ex­pect ev­ery web­site or app to mir­ror the data in In­dia and points out that do­ing so will be a "di­rect at­tack" on the global na­ture of in­ter­net.

An­other area of con­cern is that the draft does not man­date en­ti­ties to in­form or dis­close data breach in­ci­dents that may oc­cur. NASSCOM-DSCI opines that while the Bill builds on the Supreme Court's judge­ment ad­vo­cat­ing pri­vacy as a fun­da­men­tal right, man­dat­ing lo­cal­i­sa­tion of all per­sonal data is "likely to be­come a trade bar­rier in the key mar­kets". "Start-ups from In­dia that are go­ing global may not be able to lever­age global cloud plat­forms and will face sim­i­lar bar­ri­ers as they ex­pand in new mar­kets," the soft­ware ser­vices body adds.

The pro­posed law re­stricts cross­bor­der trans­fer of per­sonal data but pro­vides ex­emp­tion on use of per­sonal data for na­tional se­cu­rity, in­ves­ti­ga­tion of crime, le­gal pro­ceed­ings and cer­tain jour­nal­is­tic ac­tiv­i­ties. Be­sides set­ting up of Data Pro­tec­tion Author­ity of In­dia - aimed at pre­vent­ing mis­use of per­sonal data, en­sur­ing com­pli­ance and pro­mot­ing aware­ness of data pro­tec­tion - the draft leg­is­la­tion also pro­vides for set­ting up of an ap­pel­late tri­bunal.

The draft law calls for com­pen­sa­tion to be given to any per­son who has been wronged. It also makes ob­tain­ing, trans­fer­ring or sell­ing of per­sonal data in con­tra­ven­tion an of­fence. It has em­pha­sised there is ne­ces­sity to cre­ate a col­lec­tive cul­ture that "fos­ters a free and fair dig­i­tal econ­omy", re­spect­ing the in­for­ma­tional pri­vacy of in­di­vid­u­als and en­sur­ing em­power-

ment, progress and in­no­va­tion.

The Bill in the works aims to "pro­tect the au­ton­omy of in­di­vid­u­als in re­la­tion with their per­sonal data, to spec­ify where the flow and us­age of per­sonal data is ap­pro­pri­ate and to cre­ate a re­la­tion­ship of trust be­tween per­sons and en­ti­ties pro­cess­ing their per­sonal data". The ar­eas cov­ered un­der the law in­clude con­sent, what com­prises per­sonal data, in­clud­ing sen­si­tive per­sonal data, ex­emp­tions which can be granted, grounds for pro­cess­ing data, stor­age re­stric­tions for per­sonal data, in­di­vid­ual rights and right to be for­got­ten.

It goes with­out say­ing that data is the new oil to­day. No won­der, the world over, large busi­ness con­glom­er­ates are lin­ing up to have a share of the boom­ing data mar­ket. Amid data boom, there is wide­spread data breach. De­vel­oped coun­tries have made their first move to pro­tect data pri­vacy of in­di­vid­u­als. Through the pro­posed law, In­dia too has taken the first steps in a long jour­ney to usher in data pro­tec­tion and pri­vacy.

"Pri­vacy has be­come a burn­ing is­sue, and there­fore, ev­ery ef­fort has to be made to pro­tect data at any cost."

JUS­TICE B N SRIKR­ISHNA

Ex-Supreme Court Judge "We want In­dian data pro­tec­tion law to be­come a model glob­ally, blend­ing se­cu­rity, pri­vacy, safety and in­no­va­tion."

RAVI SHANKAR PRASAD

Union IT Min­is­ter

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.