• Associate Sponsor

Expect robust data protection legislation by year-end: Ravi Shankar Prasad

Ravi Shankar Prasad also warned all companies dealing with data and said that if any data of an individual is released by name without his or her specific consent, the companies will have to suffer serious consequences.

Written by Sandeep Singh , Anil Sasi | New Delhi | Updated: September 14, 2017 10:32 am
IT Minister Ravi Shankar Prasad said the proposed legislation would be based on a structured report that is expected to be submitted by a committee tasked with identifying key data protection issues. (Source: File Photo)

The government expects to put in place a “robust” legislative framework for data protection by the end of this year, Law and IT Minister Ravi Shankar Prasad said on Wednesday. Speaking to The Indian Express, Prasad said the proposed legislation would be based on a structured report that is expected to be submitted by a committee tasked with identifying key data protection issues. The proposed law, he said, would walk the “fine balance” between the need to respect data sovereignty of Indians and making data available for those supporting innovation.

“I hope the data protection law should come by the end of this year. You are dealing with an issue which is of seminal importance and I have myself requested that there should be widest debate among the stakeholders. Those advocating privacy and those supporting innovation — all should be heard. My view is that India’s data protection law must become a milestone,” Prasad said.

The legislation for data protection comes in the backdrop of the Supreme Court Constitution Bench’s verdict on August 24 declaring right to privacy a fundamental right and the impact of the ruling by the nine-judge bench on the case involving Aadhaar, the validity of which has been challenged in court. While the privacy judgement was limited to the issue of right to privacy, the matter of whether Aadhaar violates right to privacy will be dealt with by the five-judge bench hearing the petitions since 2015.

On the Aadhaar case, Prasad said: “We have got a very good case, we will argue it. Beyond that, on a matter that is subjudice, I can’t make a comment.”

The Ministry of Electronics and Information Technology’s expert group, headed by retired Supreme Court judge B N Srikrishna, that is working on drafting a data protection legislation, is currently engaged in wide-ranging discussions with stakeholders.

Legal backing to data protection notwithstanding, Prasad also warned all companies dealing with data and said that if any data of an individual is released by name without his or her specific consent, the companies will have to suffer serious consequences.

“If any specific instance is brought to our notice, we will take action. The company can use data for only a specific purpose of checking fictitious accounts or for maintenance of records internally for safety and they can’t even display the number. Action will be taken if a company uses data for some other purpose,” he said.

The ten-member committee working on the draft data protection law includes representatives from the Department of Telecommunications (DoT), the IT Ministry, the Unique Identification Authority of India (UIDAI) and the academia. India’s existing data privacy framework dates back to 2008, with this being defined under provisions of the Information Technology Amended Act, 2008 (ITAA) under Sections 43-A and 72A of the Act.

Compensation for failure to protect data (Section 43-A) was introduced by way of an amendment in 2008, which states the liability of a body corporate to compensate in case of negligence in maintaining and securing “sensitive data”.

Subsequently, IT Rules 2011 were issued by WIPO (World Intellectual Property Organisation) defining in detail the term “sensitive data”, something that is lacking in the current Indian legislative framework and the rules governing them. The current legislative framework also fails to mention the case of enterprises that store data and their liability in case of a breach and the resultant compensation to consumers.

There are several templates for data protection globally, including a new regulation in the EU that entered into force in May 2016. The European Commission, in January 2012, proposed a comprehensive reform of data protection rules in the EU that aim to give back to citizens control over their personal data, and to simplify the regulatory environment for business.

It lays down the liability of data breach on the data controller, with provisions providing for compensation to any person who has been subject to data breach, from the data controller. The data protection reform is being seen as a key enabler of the Digital Single Market, which the Commission has prioritised. The official texts of the regulation and the directive were published in the EU official journal. The regulation shall apply from May 25, 2018.

For all the latest Business News, download Indian Express App

  1. R
    Reader
    Oct 3, 2017 at 11:39 pm
    A centralized and inter-linked biometric database like Aadhaar will lead to profiling and self-censorship, endangering freedom. Personal data gathered under the Aadhaar program is prone to misuse and surveillance. A centralized and interlinked database can lead to commercial abuse. Aadhaar project has created a vulnerability to identi-ty fraud, even identi-ty theft. Easy harvesting of biometrics traits and publicly-available Aadhaar numbers increase the risk of impersonation, especially online and banking fraud. Centralized databases can be hacked. Biometrics can be cloned, copied and reused. Thus, biometrics can be faked. High-resolution cameras can capture your fingerprints and iris information from a distance. Every eye hospital will have iris images of its patients. You can change your password if it is compromised. But if someone gets a copy of your biometric data, which can be used for authentication, what would you do?
    (0)(0)
    Reply
    1. R
      Reader
      Sep 16, 2017 at 11:00 pm
      UK’s Biometric ID Database was dismantled. Why the United Kingdom's biometrics-linked National Identi-ty Card project to create a centralized register of sensitive information about residents similar to Aadhaar was scrapped in 2010?? The reasons were the massive threat posed to the privacy of people, the possibility of a surveillance state, the dangers of maintaining such a huge centralized repository of personal information, and the purposes it could be used for, and the dangers of such a centralized database being hacked. The other reasons were the unreliability of such a large-scale biometric verification processes, and the ethics of using biometric identification.
      (0)(0)
      Reply
      1. R
        Reader
        Sep 16, 2017 at 10:59 pm
        The US Social Security Number (SSN) card has no biometric details, no photograph, no physical description and no birth date. All it does is confirm that a particular number has been issued to a particular name. Instead, a driving license or state ID card is used as an identification for adults. The US government does not collect the biometric details of its own citizens.
        (0)(0)
        Reply
        1. R
          Reader
          Sep 16, 2017 at 10:59 pm
          A centralized and inter-linked biometric database like Aadhaar will lead to profiling and self-censorship, endangering freedom. Personal data gathered under the Aadhaar program is prone to misuse and surveillance. A centralized and interlinked database can lead to commercial abuse. Aadhaar project has created a vulnerability to identi-ty fraud, even identi-ty theft. Easy harvesting of biometrics traits and publicly-available Aadhaar numbers increase the risk of impersonation, especially online and banking fraud. Centralized databases can be hacked. Biometrics can be cloned, copied and reused.
          (0)(0)
          Reply
          1. A
            Ash
            Sep 14, 2017 at 3:17 pm
            Well it's good they are planning to lock the barn door after the horse has been stolen.There have been umpteen instances of Aadhar data being openly available on govt s.People have not even had to hack govt systems.Recently EQUIFAX ,a credit agency in the USA,was hacked and 133 MILLION SENSETIVE RECORDS EXPOSED.Now I suppose Equifax too would have had robust systems in place.It would seem that we cannot ensure systems will not be hacked. Recently a gang was caught in India issuing fake AAdhar cards.They managed to clone fingerprints of authorised operators and were then able to log in to AAdhar network and submit fake applications.We caught one,can we be sure there aren't more operating?How long,and how many fake IDs were issued?Most probably terrorists and Pakistani Embassy officials may have some of these fake IDs.Remember agencies caught a pak embassy man holding a fake AAdhar ID some time back. Really need to reevaluate whether we should be promoting Aadhar in present form.
            (0)(0)
            Reply
            1. Load More Comments