Justice BN Srikrishna, who led a panel that finalised a personal data protection framework for the country and a draft data protection bill in July 2018, has now said that the Indian government should frame new laws to regulate the monitoring of its citizens by state agencies that may use technology tools.
“There should be a special law passed because this kind of access can happen on various platforms,” the former Supreme Court judge told ET.
His comments come in the wake of WhatsApp Pegasus spying scandal that affected 121 users in India. The Israeli spyware was installed through a WhatsApp call routed by its creator NSO Group over WhatsApp’s server. “The access to a phone was made possible by reverse-engineering Whatsapp and fooling the server to believe that spyware code was Whatsapp traffic. Therefore, technically, the end-to-end encryption feature was not broken,” Facebook had said.
Justice Srikrishna also said that there should be clarity on “under what circumstances, who can do it, and what is the procedure” for such actions by the state.
Talking about the need for immediate action by the government, he said, “Data protection has become a buzzword in the country and simultaneously they (government) must ensure that breaches are stopped, security has to be improved.”
The Srikrishna Committee has also recommended data localisation where in critical data should be stored exclusively in India while one copy of all personal data is required to be stored within the country.
Talking about the importance of data localisation, he said that one copy of all personal data of Indian citizens needs to be stored within the country as this will enable “access” in case of law and order situations. He pointed out that sourcing data from foreign locations through processes like mutual legal assistance can take a long time, anywhere from 18 months to two years.
Data Protection Bill In Parliament For Winter Session
The Data Protection Bill (DPB) was proposed to the government of India in July 2018 by a nine-member expert committee headed by Justice BN Srikrishna. The government recently notified that the DPB will be placed before Parliament in the current Winter session.
According to the draft proposal, hefty penalties on entities found violating the privacy of users will be imposed. It also added that failure to take prompt action on a data security breach can lead to a penalty of up to INR 5 Cr or 2 % of turnover, whichever is higher.
The government has also been simultaneously working on including data localisation norms in the same bill. These norms will prevent any global companies to make a data bank outside India, further ensuring that its citizens remain immune in case of any global data breach.
It has also set up a committee headed by Infosys cofounder S Gopalakrishnan to decide how to regulate non-personal data. Ecommerce platforms including Amazon, Flipkart and others like Ola and Uber have also been reportedly approach to seek views on data regulation.