India Gears Up For A Data Protection Law

How imperative is it to have a data protection framework for the country in the digital age?

Green light illuminates the keyboard of laptop computer as a man enters the data using the computer keyboard. (Photographer: Chris Ratcliffe/Bloomberg)

After the Supreme Court's landmark verdict on the right to privacy, India is now moving towards a legislation on data protection. The central government had set up an expert committee to study the different issues relating to data protection in India and make specific suggestions on principles underlying a data protection bill.

On Monday, the Justice BN Srikrishna Committee released a white paper inviting suggestions on the recommendations made on a draft data protection framework. The comprehensive 240-page document studies various data protection laws across the globe and suggests norms relating to data collection and penalties for misuse of user data. The deadline for sending feedback is Dec. 31, 2017.

According to the document, the issue of data protection is important both intrinsically and instrumentally. The white paper cites the Supreme Court observation in the Puttaswamy case, in which the court ruled that Indians do have a fundamental right to privacy. “Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well,” the Supreme Court had said.

“We commend to the Union government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.”
- Observations Of Supreme Court In Right To Privacy Case

The white paper has considered global best practices on data protection from the European Union, United Kingdom, Canada and the United States, besides covering privacy concerns surrounding Aadhaar.

Data Protection In Context Of Aadhaar

The data protection norms for personal data collected under the Aadhaar Act are found in the Aadhaar (Data Security) Regulations, 2016 (Aadhaar Security Regulations). These regulations impose an obligation on the UIDAI to have a security policy in place that lists the technical and organisational measures the authority will adopt to secure such information.

Acknowledging that the “seemingly voluntary possession of Aadhaar has become mandatory in practice”, the paper says, “Concerns have also been raised vis-a-vis the provision on Aadhaar based authentication which permits collection of information about an individual every time an authentication request is made to the UIDAI.”

“Despite an obligation to adopt adequate security safeguards, no database is 100% secure. In light of this, the interplay between any proposed data protection framework and the existing Aadhaar framework will have to be analysed.”
- White Paper Released By Justice BN Srikrishna Committee

Seven Principles

The paper outlines the seven key principles on which a data protection framework in India must be based:

1. Technology agnosticism: The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.

2. Holistic application: The law must apply to both private sector entities and government.

3. Informed consent: Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful.

4. Data minimisation: Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject.

5. Controller accountability: The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing.

6. Structured enforcement: Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity.

7. Deterrent penalties: Penalties on wrongful processing of data must be adequate to ensure deterrence.

The white paper also highlights the pros and cons of considering the “right to be forgotten” - the demand that search engines such as Google should guarantee the privacy of European citizens who want their pasts to be wiped from all records on the internet. The issue is a contentious one in the EU, considering EU citizens have such a right but its applicability outside the EU is still up for debate.

BloombergQuint spoke to Trilegal’s Rahul Matthan and Centre for Internet & Society’s Pranesh Prakash to understand how imperative it is to have a data protection framework for the country in the digital age.