Why India can't afford to delay data privacy law
Data theft is turning out to be an all-consuming monster in India and there seems to be no mechanism to halt it in its tracks. According to a report by the Internet and Mobile Association of India (IAMAI), the number of internet users in the country is expected to reach 500 million by June 2018.
The government of India under its flagship scheme "Digital India", which aims to transform the country into a digitally empowered society and knowledge economy, has made the delivery of public services using online platform(s) resulting in increased access to the internet. Consequently, the digital footprint of Indians is set to increase with a colossal amount of data being generated - voluntarily or involuntarily - by users.
However, the framework under which data is collected, processed and stored is nearly non-existent in India. Most Indians using internet have no or little idea about data privacy, and this blissful ignorance exposes and makes them vulnerable to threats such as illegal data harvesting, ID theft, profiling without their consent etc. The data generated by our activities online can be analysed in ways we might not even know about. A case in point is the recent controversy surrounding Cambridge Analytica, where mass harvesting of data of Facebook users took place without their knowledge or consent and the results were subsequently used to influence the voters in India.
At present, Section 72A of the Indian Information Technology Act, 2000, provides for data protection, by making it a punishable offence to disclose information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract. However, its enforcement remains under question as the people tasked with enforcement lack subject knowledge and technical know-how, leaving users exposed, vulnerable and without any real protection against their data being misused.
The Supreme Court, while declaring the "Right to Privacy" a fundamental right, also held that the same extends to both physical as well as virtual world. Justice Sanjay K Kaul in his judgment had observed that privacy in the digital age includes the "right to be forgotten" and hence empowers individuals with control of the information they put out enabling them to seek removal of data concerning them.
The right is not absolute in nature and is subject to reasonable restrictions such as that information which may have a social ramification or necessary for compliance of legal obligations etc. This "Right to be Forgotten" has to be made an integral part of the existing data protection regime in India. Reference in this regard can profitably be made to regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Some progress in this regard was made in 2017 when BJD MP Baijayant Panda moved a private member's Bill in Parliament by the name of Data (Privacy and Protection) Bill, 2017, which envisaged a right to "informed consent", wherein, only upon giving an express and affirmative consent can a person's data be collected, used or sold. The Bill, in principle, proposed to give every citizen a right over data produced by him/her. "Express consent" of the individual was required before the data in question could be collected, used or sold.
Under the provisions of the proposed legislation, a quasi-judicial body would have allowed juristic persons to file grievances against private as well as government bodies against any breach of privacy. This was a great leap forward as this would have created a specialised body with experts at the helm, who would be best equipped to handle the situation wherein the individual whose privacy had been compromised would have approached and could have had his breach of privacy addressed in a fast, reliable and time-bound manner.
The government constituted the 10-member committee headed by justice Srikrishna in August 2017. The committee is likely to submit the draft for a new law regarding data privacy and protection by May 2018. The white paper released by the committee suggests that it is in favour of a new law which would be applicable to both government and non-government sectors, to collect and process data after consent. It also proposes to fix accountability on data controller for any data processing; establishment of a high-powered statutory authority for enforcement, supported by a decentralised enforcement mechanism; and penalties for wrongful data processing to ensure deterrence.
The current provisions of law, which the masses are nearly oblivious about, face a problem in implementation and are mostly inept in delivering their aim. The Bill moved by Panda which called for an independent data protection authority can be used as a guide in order to come up with a strong data privacy law.
The government, in light of recent incidents like Cambridge Analytica and growing importance of effective data protection should take notice, step in and fill the gap which exists in current law and policy regime.
Government's push towards delivery of services through internet needs to be backed by a full-bodied and dynamic framework to ensure that the data being generated by users is not used without their consent and also to give them the right to decide how this data may be used. It will also bring accountability to data handlers, both government and non-government actors.