What is the issue?
The draft data protection bill falls short of nuances in protecting the digital identity of the people and it needs a re-look.
What are the provisions?
- The draft bill notes that the right to privacy is a fundamental right.
- On data portability, it suggested that critical personal data of Indian citizens, which centre notifies, should be processed in centres located within the country.
- Other personal data may be transferred outside the territory of India with some conditions.
- It has recommended setting up a Data Protection Authority to prevent misuse of personal information.
- It also provides for setting up an Appellate Tribunal.
- It suggested that the Aadhaar Act requires several modifications and provisions for regulatory oversight.
- It also provides for penalties and compensation for violations of the data protection law.
What are the concerns?
- The UIDAI will be both the data fiduciary and the regulator for Aadhaar, which creates a conflict of interest.
- Even though personal data can be transferred outside India, data fiduciaries will be required to store a local copy in India, questioning the surveillance requirement of the state.
- The draft says that processing of sensitive personal data should be on the basis of “explicit consent” of the data principal.
- However, over dependence on consent and notice is unlikely to succeed in a country with low digital literacy.
- Though it is mentioned that personal data shall be processed in a fair and reasonable manner, the follow-up measures by the regulator are non-specific.
- Though the draft provides penalty, only ex-post accountability measures are suggested, whereas preventive measures that needs to be taken before a possible security threat are lacking.
What more does the draft could include?
- The data protection framework should include guidelines for the various use cases of authentication, authorisation and accounting.
- The committee does discuss artificial intelligence and big-data analytics but it should be followed up by defining clear-cut guidelines for their safe use.
- There should be detailed analyses of how state surveillance can be achieved without enabling undesirable mass surveillance that may threaten civil liberty and democracy.
- The bill needs to evaluate the data processing requirements of the diverse private sector and how these requirements may infringe upon privacy.
- Finally, protection against both external and insider attacks in large data establishments, both technically and legally has to be ensured at any cost.
Source: The Indian Express
