Draft Data protection bill and its concerns

What is the issue?

The draft data protection bill falls short of nuances in protecting the digital identity of the people and it needs a re-look.

What are the provisions?

• The draft bill notes that the right to privacy is a fundamental right.
• On data portability, it suggested that critical personal data of Indian citizens, which centre notifies, should be processed in centres located within the country.
• Other personal data may be transferred outside the territory of India with some conditions.
• It has recommended setting up a Data Protection Authority to prevent misuse of personal information.
• It also provides for setting up an Appellate Tribunal.
• It suggested that the Aadhaar Act requires several modifications and provisions for regulatory oversight.
• It also provides for penalties and compensation for violations of the data protection law.

What are the concerns?

• The UIDAI will be both the data fiduciary and the regulator for Aadhaar, which creates a conflict of interest.
• Even though personal data can be transferred outside India, data fiduciaries will be required to store a local copy in India, questioning the surveillance requirement of the state.
• The draft says that processing of sensitive personal data should be on the basis of “explicit consent” of the data principal.
• However, over dependence on consent and notice is unlikely to succeed in a country with low digital literacy.
• Though it is mentioned that personal data shall be processed in a fair and reasonable manner, the follow-up measures by the regulator are non-specific.
• Though the draft provides penalty, only ex-post accountability measures are suggested, whereas preventive measures that needs to be taken before a possible security threat are lacking.

What more does the draft could include?

• The data protection framework should include guidelines for the various use cases of authentication, authorisation and accounting.
• The committee does discuss artificial intelligence and big-data analytics but it should be followed up by defining clear-cut guidelines for their safe use.
• There should be detailed analyses of how state surveillance can be achieved without enabling undesirable mass surveillance that may threaten civil liberty and democracy.
• The bill needs to evaluate the data processing requirements of the diverse private sector and how these requirements may infringe upon privacy.
• Finally, protection against both external and insider attacks in large data establishments, both technically and legally has to be ensured at any cost.

Source: The Indian Express