Europe바카라s shown the data protection way with the GDRP, India intends to follow, but the road is tricky
Over the last year or so, concerns over data security and privacy have heightened in India. It바카라s a crucial question for a country that lacks a comprehensive privacy law as well as a proper data protection policy. With the implementation of the stringent General Data Protection Regulation (GDPR) in Europe from May this year, the importance of data protection has become an imperative for India, given that India is increasingly looking towards Europe to do business.
In this light, the recommendations of the Justice B.N. Sri Krishna Committee on data protection come at an important juncture. The committee, which has been deliberating over the issue of data privacy and protection for over a year, came out with a set of recommendations that have the potential to establish the foundation of a GDPR-like data privacy and protection policy in India.
바카라In the backdrop of Aadhaar, DNA profiling, the two roadmaps for artificial intelligence, the TRAI바카라s recommendations on privacy, data ownership in the telecom sector, the India Health Stack as well as international developments such as the CLOUD Act, the e-evidence directive and GDPR, the Bill and report are important developments in signalling to national and global communities India바카라s position on privacy and how it intends to go forward from the Puttaswamy Judgement (on data privacy),바카라 says Elonnai Hickok, COO with the Centre for Internet and Society (CIS).
The main recommendations of the panel include the explicit consent of an individual for the use of private data, the setting up of a regulator and, most crucially, giving Indian citizens the right to be forgotten or giving one the right to go completely off the radar.
Obviously, the implications of the recommendations would run across all who deal with public data and change the rules of the game. 바카라The recommendations may have a significant impact on the functioning of businesses and government bodies (like Aadhaar) on the processing of personal data or personally identifiable information (PII) of individuals, considering that it gives a broad coverage for both public and private entities, including cross border processing of data and also enforces requirements of lawful processing,바카라 says Prashant Gupta, partner, Grant Thornton India LLP.
According to legal expert and privacy activist Usha Ramanathan, though the Bill and the panel report explicitly talk about personal data and privacy of data, the focus is on the business of data. More specifically: 바카라It is about doing business using data rather than just data protection,바카라 she says. This has become more important with the debates regarding the use of the Aadhaar number for various government and private services such as getting a mobile connection where the private company is given access to a person바카라s biometric data.
Still, the committee clearly defines boundaries about data collection and use and states that individual data can be used only after the 바카라data principle바카라 or the person whose data is being used, gives an 바카라explicit consent바카라 for the use of that data. It also states that once the primary purpose of that data is completed, the party using the data has to remove or erase it. However, the roadmap to doing these has not been clearly defined.
바카라The Committee has put in place clear limits on what data can be collected, how it can be used and how long it may be stored,바카라 says Amba Kak, policy advisor, Mozilla. 바카라These rules borrow heavily from the European GDPR, and that makes sense, given that years of thought and consultation have gone into distilling these foundational principles.바카라
Most importantly, she says, 바카라The Bill also makes improvements on the GDPR. It allows for data processing for 바카라reasonable purposes바카라. While similar in intent to the GDPR바카라s 바카라legitimate interest바카라 ground, the Bill provides specific conditions on the basis of which data may be processed, as well as an illustrative list of categories. We think this is an improvement on the GDPR standard, which can 바카라easily be abused by companies바카라 who may argue that 바카라innovation바카라 itself is always a reasonable pursuit, even when it may put the privacy of users at risk.바카라
One key recommendation of the panel is localisation of data. It suggests that all data belonging to Indian individuals has to reside on Indian servers and in India. At present, a majority of our data resides in servers in other countries, which makes it vulnerable to access by authorities of other countries and unscrupulous elements. But by having the data reside it India, it will be accessible to the Indian government and authorities, which may go against the overall principles of privacy, especially as the panel gives a broad permission for the government use of all data. Also, this could impact business in India and the potential for India to enter into agreements under the CLOUD Act.
바카라The focus is data localisation because the government wants to have control over the data. Even if the data is held abroad, the government wants a copy to be in Indian servers,바카라 says Ramanathan. 바카라If the home ministry can access everything, the purpose of privacy is lost. The Bill gives the government the right to override the clauses and access data, which nullifies the entire exercise.바카라
Nasscom and the Data Security Council of India (DSCI) were quick to retort on this. In a statement they said: 바카라Mandating localisation of all personal data is likely to become a trade barrier in key markets. Startups from India going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets.바카라
Interestingly, this is not the first committee to make recommendations on data privacy. In 2012, the A.P. Shah Committee also gave its recommendations when the UID debate was at its height. However, while it spoke about data protection, the privacy argument was rather weak at that time.
Some experts feel that the proposal to establish an independent Data Protection Authority would add another layer of bureaucracy even if it brings in a dedicated body to look at data privacy and protection. Also, there is still ambiguity about its scope and functions. Analysts say the independence of the adjudicatory authority and appellate tribunal responsible for legal proceedings related to data protection violations is severely lacking. The qualifications and nominations of those serving in these bodies are entirely prescribed by the government, as are the procedures of the bodies themselves. The current system delegates far too much authority to the central government. So it remains to be seen if the new regulator can address these issues.
One of the key suggestions is the right of Indian citizens to be forgotten, which essentially means that a data principle can withdraw or erase personal data. While this is a welcome step towards protecting personal data, it is a gargantuan task. First, India has no privacy law and no sense of privacy as citizens routinely open their hearts on social media. Second, there are multiple citizens바카라 IDs including Aadhaar, PAN card, Passport, Driver바카라s license and Voter ID card. To erase data from all these sources will not be easy.
바카라The right to be forgotten is a radical recommendation,바카라 says IT expert and former HP marketing head, Lloyd Mathias. 바카라Across Europe it is a fundamental right. While the principle is fantastic, how it will be implemented? It would be difficult with the presence of multiple ID documents and the lack of a proper privacy framework.바카라
Then there will be things like data quality provision, which requires data fiduciaries to ensure that data is not misunderstood and that fact is separated from personal opinion. This assessment will be an implementation nightmare.
As of now, the committee has touched most sensitive points of data protection and privacy but has not defined the roadmap for achieving many of them. There are also ambiguities in how data will be used by the government, how citizens will protect their data and who will bear the cost of this. The government will now have to clear the cloud and define these in the final Bill so that India too can have a legislation that is comparable with Europe바카라s GDPR, which has set standards across the world.