The government looks to adopt the principles of deterrent penalty and fixing accountability on entities followed globally in the proposed data protection law, a top official has said. The data protection law in the works will be applicable on private entity as well as on the government, according to Electronics and IT Secretary Ajay Prakash Sawhney. “Structured way of accountability and deterrent penalty — these are all principles that are enshrined in personal data legislation across the world. We have tried to adopt this as per Indian requirement. I hope to see it becoming reality at the earliest,” Sawhney said at the India Data Leadership Summit. “Any kind of legislation on data protection should be technology agnostic. It should be holistic — law and requirement should not just be applicable to the private sector but also to government when they make use of data,” Sawhney said.
He said that India is looking to adopt data protection principles followed world over and will adopt them to suit requirement of the country. The Europe Union’s Global Data Protection Regulation (GDPR) has provision to impose an administrative fine of up to EUR 20 million euro (about Rs 160 crore) for specific violations or in the case of an undertaking, up to 4 percent of the total worldwide turnover of the preceding financial year, whichever is higher.
The proposed data protection framework in India recommends a penalty based on per day violation and linking the upper limit to global revenue of the entity controlling data but has not specified any amount or percentage. The work on the data protection framework in the country started after the Supreme Court ruled that privacy is fundamental right of Indian citizen and asked the government to frame rules around it.
The government established a panel under former Supreme Court judge Justice BN Srikrishna which submitted its recommendations to the Ministry of Electronics and IT (Meity). Meity held public consultation on the data protection framework based on recommendations made by Justice Srikrishna panel. “We have received a large number of suggestions and comments on the proposed legislation. We will be coming out with something which we can take to Parliament hopefully by the end of this year,” Sawhney said.
He said that “informed consent” is considered extremely important part of personal data regimes all over the world and so is the case in proposed legislation in India. Sawhney said data legislations across the world mandate that entities should take consent and use the data for the purpose they have been taken for and within the period for which the data has been collected.
“Simply because data is available, simply because you have created an engine that is generating humongous amount of data doesn’t mean that you become owner of data. Some data may not be generated by an individual but still may traced down to a person. The new data regime which will actually comes in thinks of it as data entrusted to a data fiduciary,” Sawhney said.
He said that Justice Srikrishna committee has used the term of data trustee or fiduciary which is an entity entrusted with data of individuals and is expected to do the right thing using data and not trample upon their rights and privacy. Talking about data localisation, Sawhney said Indian citizens have the right to data privacy and can approach high courts or Supreme Court for their rights to be protected.
“Against whom do you file your petition? You file it against government because you expect that government is bound to protect your right. Government can protect your right only when it has some leeway to protect your rights. If all of that data resides somewhere else, it is controlled somewhere else, it is used somewhere else with no controls at all. Who do you go to when it comes to data privacy?”. He said that to make right to privacy meaningful government need to come up with ecosystem where there is possibility of protecting rights of Indian citizens and everyone should have recourse to protection that law can provide.