A report, prepared by think-tank Vidhi Centre for Legal Policy, has claimed that India’s existing data protection norms are inadequate and address only a portion of what jurisdictions across the world have done for data protection.
The report titled, ‘Building an effective data protection regime’ has been drafted by Ms. Sreenidhi Srinivasan and Ms. Namrata Mukherjee, research fellows at Vidhi Centre for Legal Policy.
“Privacy and data protection are gradually gaining ground in Indian public consciousness as issues warranting discussion and debate. Given the staggering amount of personal information being collected and shared routinely, the extent to which an individual can exercise control over her information stored with any entity is a key issue. Critical to its satisfactory resolution is the role that consent and choice play in facilitating assumption of control by an individual over information about her… While India is only now identifying what constitutes the right to privacy and to protection of information, jurisdictions around the world have already taken giant strides in this field,” it states.
The report favors express recognition of the right to protection of personal data, as the clear way forward. It suggests that obligations be placed on organizations handling personal data, rights of control be conferred on data subjects, and effective enforcement machinery be established to ensure compliance with obligations and protection of rights.
While in India, the current data protection rules cover only body corporates handling personal information, the report recommends application of the rules to all entities and persons handling personal data- both public and private sector bodies alike. It however suggests that certain specialized functions such as those related to crime and investigation, national security, taxation be subject to only specific rules.
The report goes on to point out that the scope of the IT rules is unclear with respect to the sort of information covered by it. It thereby suggests that the data privacy norms be extended to processing of all personal data, and not merely sensitive personal data.
Further, it recommends that the consent of an individual be obtained before collecting all personal information, and not just sensitive information. In the event consent cannot be obtained, it suggests that data be processed only in specified circumstances: (1) the processing is necessary for performance of a contract that the data subject has entered into with the data controller; or (2) the processing is necessary for compliance with a legal obligation prescribed in law; (3) the processing is necessary for discharging a public duty by a public authority, prescribed in law; or (4) the processing is necessary for protecting the life or health of the data subject or any other person.
Furthermore, it recommends introduction of a limited right to erasure, enabling data subjects to seek erasure in certain cases: (1) where the data is no longer necessary for the purpose for which it was collected, (2) processing was based on the data subject’s consent and she subsequently withdraws such consent, (3) data was unlawfully processed, (4) data has to be erased in compliance with a legal obligation.
Emphasizing on the lack of a suitable enforcement mechanism, the report proposes establishment of an independent supervisory authority, such as a privacy commissioner, that individuals may approach in case of non- compliance by any organisation of any of the data protection rules. Such authority, it suggests, should be empowered to require compliance by organizations and also award penalties in case of breach. The powers of a supervisory authority, as per the report, should include: (1) power to determine whether there has been non-compliance with data protection norms, (2) issue notices seeking further information and conducting inquiry to determine compliance, (3) issue appropriate directions, including requiring organizations to comply and imposing penalties.
The report also proposes a framework for management of personal data, which could serve as a model for a data protection statute or be assimilated in the IT Rules.
Read the report here.
This article has been made possible because of financial support from Independent and Public-Spirited Media Foundation.