Months after the Cambridge Analytica scandal broke, a government-appointed panel has submitted a draft Bill that will override all existing laws on individual privacy.

The proposed Personal Data Protection Bill, along with a report on protection of privacy, was submitted to the government on Friday.

The report, titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”, has been much-awaited for its implications on data handling and processing practices by government departments and companies, both Indian and foreign.

The report has suggested steps for protecting personal information, outlined the role of data processors, provided guidelines for data storage, and penalties for infringing on privacy.

Information Technology Minister Ravi Shankar Prasad said that given the monumental nature of the proposed law, the government would prefer wide-ranging consultations on the matter. “We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation.”

The draft Bill builds on the Supreme Court judgment that advocated privacy as a fundamental right and creates a framework for all stakeholders to be more responsible while dealing with personal data. There is a thrust on creating an institutional structure — through a Data Protection Authority — and on the importance of ‘Privacy by Design’. The proposed law will have an impact on 50 existing laws.

Focus areas

Justice Srikrishna said the report focusses on what kind of data can be stored. It also identifies circumstances under which data has to be mandatorily stored in India, and others where it can be stored with mirroring provisions. The report asserts that critical data has to be stored in India. Critical data could be related with army personnel, atomic energy, etc. Even personal financial data could be critical.

He stated that this report was only the first step, and that as technology changes, it may become necessary to fine-tune the law. The report touches on a variety of issues, including consent, rights of children, data protection authority and right to recall data.

The government had constituted a 10-member committee in July 2017 to recommend a framework for securing personal data in the increasingly digitised economy as also to address privacy concerns and build safeguards against data breaches.

Commenting on the report and the draft Bill, Nasscom-DSCI (Data Security Council of India) said that policies that govern data protection, storage and classification need to be carefully crafted, given the global footprint of the IT-BPM sector. The report also defines the mechanism for setting up the Data Protection Authority.

comment COMMENT NOW