The government expects the first draft of recommendations on data protection legislation to come this month. These will become the basis for framing a law on data security. Big internet companies such as Google and Facebook must be waiting for these recommendations with bated breath. And the man they fear is BN Srikrishna, a former Supreme Court judge, who heads the committee preparing the recommendations.
About the committee
The Union Ministry of Electronics and IT created a committee to draft a data protection law under Srikrishna last year. The terms of reference of the committee include, “to make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and suggest a draft data protection bill”.
Why was the committee set up?
Even though the Information Technology Act contains certain provisions about data protection and handling, experts were of the opinion that India needed a fresh data protection law with the increased digitisation led by Aadhaar, the Goods and Service Tax and the push towards a digital economy. IT Act may also be inadequate to deal with the current requirements since it was drafted almost 17 years ago in 2000 and was amended last in 2008.
This was the first time that India has started work on a specific data protection law, which is expected to look at aspects such as data sovereignty, data retention and responsibilities of government, companies as well as individuals while handling third-party data.
What’s expected of the committee?
Last year, the committee released a white paper for stakeholders to discuss and debate various issues. It gave some clues about what could be recommended by the committee. It identified seven principles for the data protection law, which include technology agnosticism, where it states that the data protection law must be flexible to include changing technologies, data minimisation — stating that data sought and processed must be minimal and as necessary, and informed consent.
Why are the recommendations so eagerly awaited?
As per the white paper’s note on purpose and use of data, an ecommerce company may not be justified to use the user’s earlier collected data to launch and market a new mobile wallet service without obtaining the user’s consent. Such tough recommendations will make doing business difficult for many companies. Within hours of the European Union’s General Data Protection Regulation (GDPR) taking effect last month, Google and Facebook had been hit with privacy complaints that could carry fines of up to $9.3 billion in total, according to an agency report. “Like we keep diabetes and blood pressure in check, controls are needed for data,” Srikrishna told Bloomberg in an interview. “Companies like Amazon, Google, Microsoft, and Flipkart are extremely nervous.”
How the recommendations can disrupt businesses
Apart from general restrictions on the use of private data, the committee will also look at data privacy from an Indian angle. For example, Srikrishna says that a mere click of an English-language consent form is inadequate in a country with almost two dozen official and hundreds of other languages and low literacy. “Should we then have pictograph warnings for consent, like they have on cigarette packs?” he said in the interview. The committee’s recommendations, which will become the basis of a data privacy law, will certainly disrupt a lot of businesses in india where the concept of privacy is still alien. A large amount of personal data is being accessed by different businesses as smartphone reaches the interiors of the country, businesses spread online and even villagers take to digital payments. The new law will rein in online businesses by forcing them to tweak their data policies.
Source: Economic Times