In order to secure digital transactions and address data privacy issues, the government has released a white paper on the data protection framework. As per the paper, a nuanced approach towards data protection will have to be followed in India, bearing in mind the fact that individual privacy is a fundamental right limited by reasonable restrictions.
The white paper has been formulated by a panel led by former Supreme Court justice B.N. Srikrishna. The government has sought public comments till 31 December on the white paper.
It was in July this year that the government constituted a 10-member committee of experts headed by former Supreme Court justice B.N. Srikrishna to study various issues relating to data protection. The committee was asked to make specific suggestions on the principles to be considered for protection as well as suggest a draft Data Protection bill.
Other members of the committee include telecom secretary Aruna Sundararajan, Unique Identification Authority of India Chief Executive Ajay Bhushan Pandey, and additional secretary in the Information Technology Ministry Ajay Kumar.
The white paper will touch upon issues like technology agnosticism, where it states that the data protection law must be flexible to include changing technologies; data minimisation — as in data sought and processed – must be minimal and as necessary; informed consent; accountability of data controller; penalties for wrongful processing and enforcement of data protection framework by a statutory authority.
The white paper also noted, “Since technologies such as Big Data, the Internet of Things and Artificial Intelligence are here to stay and hold out the promise of welfare and innovation, India will have to develop a data protection law which can successfully address the issues relating to these technologies, so as to ensure a balance between innovation and privacy.”
What Does The Government Intend To Achieve Through The White Paper
The committee seeks to put the onus on stakeholders and the public through a questionnaire on issues pertaining to collection of personal information, consent of consumers, penalties and compensation, code of conduct and an enforcement model that should be set up.
The framework for submission of comments shall be available shortly here.
The white paper stated, “The sensitivity of the data could also develop based on its combination with other types of information. For example, an email address taken in isolation, is not sensitive. However, if it is combined with a password, then it could become sensitive as it opens access to many other websites and systems, which may expose the individual to harm such as cyber attacks and phishing frauds.”
The white paper also seeks “to designate certain lawful grounds under which data can be processed, even in the absence of consent.” It is speaks about the need to create safeguards which will prevent misuse of personal information in these contexts of use.
Just in this year, many issues of data breach and attacks on data privacy have come to the fore. For instance, the security of the Aadhaar system has been brought into question several times. In April 2017, the Aadhaar details of 1.4 Mn registered users were made public on the Jharkhand Directorate of Social Security. These details included sensitive information such as names, addresses, bank account details and Aadhaar numbers. Similarly, in August 2017, a Punjab government entity published the Aadhaar details of 20,100 citizens on its official website. These details include Aadhaar numbers, user names and their father’s name.
Thus on Aadhaar, the committee said ,“Despite its attempt to incorporate various data protection principles, Aadhaar has come under considerable public criticism. First, though seemingly voluntary, possession of Aadhaar has become mandatory in practice, and has been viewed by many as coercive collection of personal data by the State. Concerns have also been raised vis-à-vis the provision on Aadhaar based authentication which permits collection information about an individual every time an authentication request is made to the UIDAI.”
Thus the committee concluded that “Finally, despite an obligation to adopt adequate security safeguards, no database is 100% secure. In light of this, the interplay between any proposed data protection framework and the existing Aadhaar framework will have to be analysed.”
Data privacy is increasingly becoming an area of concern in the country, with giants like Facebook, WhatsApp, and Monster India also being inspected for allegedly sharing user information with third-party entities. In September this year, the Supreme Court of India has reportedly issued notices to Google and Twitter, in reference to the public interest litigation petition filed against the Internet behemoths over data privacy concerns by Pallav Mongia, an Advocate-on-Record at the Supreme Court. The petition, according to sources, has raised concerns about the lack of control over information sharing with cross-border corporate entities, which could potentially be a violation of the Indian citizens’ right to privacy.
As digital transactions and Internet penetration in the country increases, it is but imminent that more such issues around privacy and security of information will spring up. The white paper by the government is thus an attempt to put in place an effective data protection framework while at the same time not invade the privacy of citizens. How effective will it be in toeing this fine line will become clear in the coming months.
[The development was first reported by Live Mint]