The government expects to put in place a “robust” legislative framework for data protection by the end of this year, Law and IT Minister Ravi Shankar Prasad said on Wednesday. Speaking to The Indian Express, Prasad said the proposed legislation would be based on a structured report that is expected to be submitted by a committee tasked with identifying key data protection issues. The proposed law, he said, would walk the “fine balance” between the need to respect data sovereignty of Indians and making data available for those supporting innovation.
“I hope the data protection law should come by the end of this year. You are dealing with an issue which is of seminal importance and I have myself requested that there should be widest debate among the stakeholders. Those advocating privacy and those supporting innovation — all should be heard. My view is that India’s data protection law must become a milestone,” Prasad said.
The legislation for data protection comes in the backdrop of the Supreme Court Constitution Bench’s verdict on August 24 declaring right to privacy a fundamental right and the impact of the ruling by the nine-judge bench on the case involving Aadhaar, the validity of which has been challenged in court. While the privacy judgement was limited to the issue of right to privacy, the matter of whether Aadhaar violates right to privacy will be dealt with by the five-judge bench hearing the petitions since 2015.
On the Aadhaar case, Prasad said: “We have got a very good case, we will argue it. Beyond that, on a matter that is subjudice, I can’t make a comment.”
The Ministry of Electronics and Information Technology’s expert group, headed by retired Supreme Court judge B N Srikrishna, that is working on drafting a data protection legislation, is currently engaged in wide-ranging discussions with stakeholders.
Legal backing to data protection notwithstanding, Prasad also warned all companies dealing with data and said that if any data of an individual is released by name without his or her specific consent, the companies will have to suffer serious consequences.
“If any specific instance is brought to our notice, we will take action. The company can use data for only a specific purpose of checking fictitious accounts or for maintenance of records internally for safety and they can’t even display the number. Action will be taken if a company uses data for some other purpose,” he said.
The ten-member committee working on the draft data protection law includes representatives from the Department of Telecommunications (DoT), the IT Ministry, the Unique Identification Authority of India (UIDAI) and academia. India’s existing data privacy framework dates back to 2008 and is defined under Sections 43-A and 72A of the Information Technology Amended Act, 2008 (ITAA).
Compensation for failure to protect data (Section 43-A) was introduced by way of an amendment in 2008, which states the liability of a body corporate to compensate in case of negligence in maintaining and securing “sensitive data”.
Subsequently, IT Rules 2011 were issued by WIPO (World Intellectual Property Organisation) defining in detail the term “sensitive data”, something that is lacking in the current Indian legislative framework and the rules governing them. The current legislative framework also fails to mention the case of enterprises that store data and their liability in case of a breach and the resultant compensation to consumers.
There are several templates for data protection globally, including a new regulation in the EU that entered into force in May 2016. The European Commission, in January 2012, proposed a comprehensive reform of data protection rules in the EU that aim to give back to citizens control over their personal data, and to simplify the regulatory environment for business.
It places the liability for a data breach on the data controller, with provisions for compensation from the data controller to any person who has been subject to a data breach. The data protection reform is being seen as a key enabler of the Digital Single Market, which the Commission has prioritised. The official texts of the regulation and the directive were published in the EU official journal. The regulation shall apply from May 25, 2018.