#The data protection bill drafted bythe Srikrishna panel ticks many boxes
Given the vast (व्यापक) amounts of personal data being collected by private companies and state agencies, and their flow across national jurisdictions(न्याय अधिकार), the absence of a data protection legal framework in India has been a cause for deep concern. This is even more so because in many cases individuals whose data have been used and processed by agencies, both private firms and state entities, are oblivious to the purpose for which they are being harnessed(तैयार करना). The need for legislation(विधान/ क़ानून) was also underlined last year with the landmark judgment in Justice K.S Puttaswamy v. Union of India that held the right to privacy to be a fundamental right. Against this backdrop, the draft legislation on data protection submitted by a committee of experts chaired by Justice B.N. Srikrishna to the Ministry of Electronics and Information Technology after year-long public consultations provides a sound foundation on which to speedily build India’s legal framework. It seeks(तलाश करना/खोजना) to codify(सुव्यवस्थित करना) the relationship between individuals and firms/state institutions as one between “data principals” (whose information is collected) and “data fiduciaries(वैश्वासिक)” (those processing the data) so that privacy is safeguarded by design. This is akin to a contractual relationship that places obligations(कर्तव्य) on the entities(वास्तविकता) entrusted with data and who are obligated (विवश करना) to seek the consent(सहमति)of the “principal” for the use of personal information. The draft legislation puts the onus(कर्तव्य) on the “data fiduciary” to seek clear, informed, specific and free consent, with the possibility of withdrawal of data of the “principal” to allow for the use and processing of “sensitive personal data”.
In many ways, the draft legislation mirrors the General Data ProtectionRegulation, the framework on data protection implemented in the European Union this May, in providing for “data principals” the rights to confirmation, correction of data, portability and “to be forgotten”, subject to procedure. It envisages(कल्पना करना) the creation of a regulatory Data Protection Authority of India to protect the interests of “principals” and to monitor the implementation of the provisions of the enabling data protection legislation. Taken together, the draft bill and the report mark a welcome step forward, but there are some grey areas. The exemptions (बचाव)granted to state institutions from acquiring (प्राप्ति) informed consent from principals or processing personal data in many cases appear to be too blanket, such as those pertaining(संबद्ध होना) to the “security of the state”. These are hold-all phrases, and checks are vital(महत्वपूर्ण). The report recommends a law to provide for “parliamentary oversight and judicial approval of non-consensual (गैर अनुवादात्मक) access to personal data”. Without such an enabling law, the exemptions provided in the bill will fall short of securing accountability from the state for activities such as dragnet(महाजाल) surveillance(निरीक्षण). The grey areas must spark public and parliamentary debate(बहस) before a final legislation comes to fruition(सफलता).