As India steps forward to a digital economy, data and information have become its new oil. With an estimated 500 million internet users and 300 million smartphone owners, India produces tonnes of personal data every minute. This personal data flows freely online, where it can be used or misused by businesses, governments or private individuals. Consequently, data protection and privacy have become an essential facet of managing such a gargantuan amount of digital information.
In 2017, a nine-judge Constitution Bench of the Supreme Court, in the K. S. Puttaswamy v Union of India case, upheld the right to privacy as a fundamental right. The apex court considered this right “intrinsic to life and liberty” and inherently protected under Article 21 of the Constitution. This has sparked a series of questions and debates on data privacy, the most prominent concerning Aadhaar. The storage and protection of biometric information under Aadhaar is the primary reason for scepticism, especially when the world is struggling with cyber threats and ransomware attacks like WannaCry. The cynicism around data protection has been further reinforced by the recent Facebook data leak. Personal information of as many as 87 million Facebook users was illegally accessed by the data analytics firm Cambridge Analytica. This has raised a red alert over the data protection infrastructure of smaller companies and start-ups. In fact, the Indian food delivery start-up Zomato witnessed a security breach last year, in which the data of an estimated 17 million users was compromised. The prospect of a secure data storage infrastructure hence seems gloomy.
Data protection and privacy are often ignored or misinterpreted as an elitist concept, understood by the intellectual and affecting the wealthy. However, contrary to popular belief, a compromise of data privacy affects the poor and vulnerable the most. As the Facebook data leaks make evident, the use of personal user information has moved far beyond targeted online advertisement. The British political consulting firm Cambridge Analytica has been found to have used Facebook data to manipulate and influence the US elections. Personal data can be deceitfully used to spread hate and strengthen prejudice in the minds of ordinary online users. Hence, the possibility of data being misused to spread fake news and create disharmony in society cannot be ruled out. Similarly, a data breach at a government agency can pose a national security threat, whereas a breach of personally identifiable information can lead to identity theft. The fact that so much of our society is now interlinked by the internet and computers – our money, our homes, even medical devices – leaves us all vulnerable to a cyber attack. Yet a majority of Indians are either oblivious or indifferent towards their privacy online.
As the concern for data protection intensifies across the globe, countries and international organizations have become vigilant about data security breaches. In May 2018, the European Union adopted the General Data Protection Regulation (GDPR), which is claimed to be the world’s strongest set of data protection rules. It is designed to modernise laws that protect the personal data of individuals and to alter how businesses and governments handle user information. GDPR has given individuals greater control over their personal information and over the manner in which businesses collect, share and utilize this information.
Given the growing concerns, the Indian government set up a Committee of Experts, headed by Justice B. N. Srikrishna, to study the challenges surrounding data protection in India and suggest a policy framework. The prime objective is to ‘ensure growth of the digital economy while keeping personal data of citizens secured and protected’. The Committee’s landmark report has touched upon some critical points, including the relation between “data principals” (citizens) and “data fiduciaries” (data managers), the government’s controversial role, and the legal dilemma of trying to restrict global data within local legislative jurisdictions.
The draft Personal Data Protection Bill, 2018, framed on the basis of the recommendations of the Srikrishna Committee, is thus a watershed in information management legislation. The draft bill defines personal data to include data from which an individual may be identified or identifiable, either directly or indirectly. The draft also provides for penalties in case of failure to take prompt action on a data security breach, as well as compensation to the data principal. In cases where personal data is transferred outside the territory of India, the bill states that at least one copy of the data will need to be stored in India. However, the key feature of the draft bill is the setting up of a Data Protection Authority that will be in charge of ensuring that entities processing data comply with the law. The bill further makes specific mention of more stringent norms for protecting the data of children. The committee has recommended that companies should be barred from data processing such as behavioural monitoring, tracking, targeted advertising or any other type of processing which is not in the best interest of the child.
The most foresighted aspect of the Committee’s recommendations is the right to be forgotten. The right to be forgotten refers to the ability of an individual to limit, delink, delete or correct the disclosure of personal information which is misleading or irrelevant. The data principal will thus have the right to restrict or prevent continuing disclosure of personal data by a data processor. In this day and age, when we are subscribed to multiple online mobile applications, it is important that our data is not misused after we opt out of their services and that our right to be forgotten is thus protected.
Recent times have seen a quantum leap in the world of technology, driven by the proliferation of social media, the growth of e-commerce and a boom in online transactions. Given these facts and the concerns over data protection, it has become imperative for us as prudent individuals to safeguard our data privacy. In this regard, both private and public entities processing citizens’ personal data must align their processes and IT infrastructure with the new legal framework of data protection. It is through such a secure data protection regime that we can achieve an inclusive and sustainable digital economy.