The Justice B.N. Srikrishna-led committee on Data Protection in India was set up to ensure “growth of the digital economy while keeping personal data of citizens secure and protected”.
In its recently released report the committee has laid down its provisional views on formulating a comprehensive data protection framework and has invited public comments.
The report has covered a number of issues surrounding data protection and privacy along with introducing perspectives from other countries.
But according to some experts there are some important aspects that could be added to the committee’s final report.
- A broad-ranging framework must be defined for the nation as a whole with respect to data protection. With technology evolving rapidly the law will need to keep pace but it must keep the individual privacy rights at its heart.
- The Committee must also state definitively that privacy along with being a right and a moral obligation, also has value to the economy as it improves trust and influences voluntary participation in the digital economy.
Experts have urged that while balance between privacy and practical considerations must be maintained there must be no leniency given to practices that violate privacy .
Innovation is possible only in environments that aren’t surveillance-oriented or where personal information is in any way compromised. The control of data must remain with individuals who generate it so the data protection laws must enable the right kind of innovation.
- The Committee’s suggestions include creation of a strong Data Protection Authority (DPA) . While the committee’s recommendations comprise suggestions like applying the rules to both government and private data collectors, issuing fines against violators and compensation to complainants, it fails to grant the DPA with the authority to impose penalties, which is needed. The Right to Information Act, is a good example as it provides the information commissions with such an authority .
Practical Considerations Must Be Addressed
The report highlights the several practical constraints related to the implementation of the rights suggested by it – ranging from challenges on data storage to exemptions. A data protection law can be successful, only when it recognizes and addresses these challenges.
Another important question to be tackled is the time period necessary for data controllers to comply with the new data protection law.
Under the RTI Act, a period of 120 days was provided for government departments to comply. The General Data Protection Regulation of EU grants data controllers a time period of two years to get prepared for the roll out.
Since protecting personal data once released is next to impossible data controllers will need to abide by higher standards with respect data protection. A long moratorium period which enables them to prepare themselves will be worth it in the long run , as the costs associated with it would be lower than any damage that may occur due to lenient exemptions .