The government-appointed Srikrishna committee on Monday released a white paper as part of its work to prepare a data protection framework. The committee has called on stakeholders to discuss and debate various issues under the ambit of the ambitious legislation, which includes issues pertaining to data transfer and accumulation, informed consent, data portability, as well as appointment of a data authority.
The committee has sought views from all stakeholders by December 31 post which it
will work on writing the draft of the Bill.
“A firm legal framework for data protection is the foundation on which data driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential if India is to lead its citizens and the world into a digital future committed to empowerment, experiment and equal access,” the paper said. It added that the committee‘s view is that the law must be cognisant of international practices and at the same time it must be aware of the views of Indians.
The Srikrishna Committee, set up by the ministry of electronics and IT, has identified seven principles for the data protection law, which include technology agnosticism, where it states that the data protection law must be flexible to include changing technologies, data minimisation — stating that data sought and processed must be minimal and as necessary, and informed consent.
“Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria,” the ten-member expert committee said.
The other principles include accountability of data controller, penalties for wrongful processing and enforcement of data protection framework by a statutory authority.
Rahul Dev, technology lawyer and patent attorney at Tech Corp Law Group, said the committee will need to draw a clear line between data privacy and intellectual property owned by companies in the form of user data.
“For example, as per the white paper’s note on purpose and use of data, an ecommerce company may not be justified to use the user’s earlier collected data to launch and market a new mobile wallet service without obtaining the user’s consent,” Dev said. The committee has also highlighted key issues relating to data protection in the light of new technologies including internet of things and machine learning based on big data. It notes that the “biggest challenge in regulating emerging technologies such as big data, artificial intelligence and the internet of things, lies in the fact that they may operate outside the framework of traditional privacy principles.”
On Aadhaar, the committee said that despite its attempt to incorporate various data protection principles and safeguards, Aadhaar
has come under public criticism and the committee will analyse the “interplay between any proposed data protection framework and the existing Aadhaar framework.”
“The advent of the internet of things also poses a challenge to the degree of anonymity that can be achieved,” the committee said in the paper. “New devices capture data in forms which are unique. An example is that of a person’s gait being uniquely identified by a wearable activity tracker. Such data can perhaps never be completely de-identified. The current methods of using aggregated anonymised data might not be secure enough when applied to such data.”
Some industry members hailed the paper, and said it has touched important points such as data portability and data-driven access to services.