Shivanand Pandit
Srikrishna Committee has placed mammoth prominence on consent of the person whose data is being used and presented the draft bill on data confidentiality. However, the Bill is pierced with glitches and hitches.
Technology is the significant mainspring which has transformed human lives. Conversely, it is also one of the things which is being misused. This misapplication gave birth to numerous damaging upshots and an enduring eruption of cyber crimes. The digital eon has opened up a Pandora’s box of innumerable disquiets such as Data theft and sale, Scams, Snooping, Eavesdropping, Cyber bullying and positioned the confidentiality of individuals in a perilous position.
Physical borders pose no constraint or seem non-existent in this technological era. Yet, cultural views and transfiguring lifestyles categorically compel the personal space and privacy.
More than few nations throughout the world have already instigated data protection laws. The focus on users’ right to their data and its protection comes after the scandal over admittance acquired by political marketing firm ‘Cambridge Analytica’ to data collected through Facebook.
As we know, India is the biggest host of subcontracted data processing in the world, non-existence of the apposite statute may turn India into epicentre of cyber scandals. Therefore, the Apex Court of India decided to place the keystone for a robust data privacy regime in India. As a result, India progressed nearer to its first data privacy law. The data fortification structure has been recommended by the Committee of Experts under the chairmanship of former Supreme Court judge Bellur Narayanaswamy Srikrishna. This is the paramount step in India’s Data Privacy expedition.
The devil is in the details
Even though the Bill will be subject to further review before becoming a law, the committee is already fronting condemnation for being too compassionate and absent in accuracy on key concerns. Many are of the view that the Bill is not free from ambiguities and far-off from impeccable.
Undoubtedly the Bill offers much desired transformations such as purpose limitation, collection limitation, storage limitation, privacy by design, transparency, security safeguards and so on. But it fails to address some vital issues such as data localisation, cross border data transfer, breach notification and right to erasure. Matters of Interception of communications, surveillance and direct marketing were attempted earlier are exclusively omitted from the present Bill. Therefore, appropriate modifications should be made to enact a law that protects the privacy rights of citizens. Furthermore, the public discussions and soundings are very much obligatory. Let us take a look at various grey areas of the Bill:
*Despite the Bill proposing to recuperate transparency and answerability, the panel members consist of a chairperson and six other associates employed by the Central government, would barely function independently. The Bill bestows extreme commands to the Central government and mentions that only Central government is authorised to release guidelines to the authority and the authority shall be bound by guidelines on interrogations of policy in which the pronouncement of the Central government is conclusive.The Bill does not grant a time period for businesses to obey the provisions either.
* The Bill stipulates that every entity processing and handling personal data shall guarantee the storage space on a server or data centre located in India. Companies would need to employ massive amounts on positioning up local servers to meet this prerequisite. This will be a big impediment for companies to function in India.
*The acquiescence by businesses establishments may take substantial time after the Bill turns into a Law. In case of European Union GDPR (General Data Protection Regulation), businesses were given two years to comply with the rules, once the structure came into force in 2016.
*‘Aadhaar’ has been cited in the Bill in the definition of official identifier. The insertion of the term is wholly unnecessary as the wide definition of official identifier in the Bill prevents the requirement to openly include the word in its domain. The Unique Identity Authority of India does not find a mention anywhere in the Bill. This does not mean that UIDAI and Aadhaar are unaffected by the Bill.
*The Srikrishna Committee contained zero people from civil society. Basically, a committee that is supposed to decide on data processing of individuals who are fundamentally powerless had no powerless citizens on board to have their say.
*The Bill is being censured and condemned for allocating the State immense power to regulate one’s data. If the government feels, considering the criticality can retrieve data. Prior consent can be ignored if one is carrying journalistic, research and other works.
#SaveOurPrivacy
The struggle of citizens of India to save their privacy has become routine affair. India has a golden opportunity to manufacture its data protection framework by judiciously employing two different models embraced by the European Union and United States of America. This will assist to allot balanced primacy to privacy of individuals and innovation aspects. Thus, power-packed data privacy law must see the light before next general election in India. This helps to avoid manipulation of data and voters. Otherwise, the situation like what is suspected to have occurred during last American presidential elections will take rebirth.
The government has an unattractive task before it. Because laying the underpinnings of a data privacy rule of considerable scope and managing the welfares of various interested parties such as individual citizens, the State and businesses is not a simple task. Till then let us keep our fingers crossed and not forget the new proverb ‘data is the new sex’, both progressively demand unequivocal consensus and not getting it could be an action of harassment or persecution.
(The author is financial adviser and tax specialist)
