Committee to Draft Data Protection FrameworkBut Will New Panel's Efforts Actually Lead to a New Law?
In light of India's lack of a framework for data protection, the government has formed a 10-member committee to recommend a framework for securing personal data in the increasingly digitized economy.
Although the government is still working on making amendments to its Right to Privacy Act 2014 with no definite date to release them, it has formed a new committee, headed by Justice B.N. Srikrishna, former judge of the Supreme Court, to address privacy concerns and devise recommendations for building safeguards against data breaches.
Although some security practitioners commend the government's efforts toward rolling out data protection policies, they question whether the committee will develop policies that actually get implemented, given the unsuccessful outcomes of earlier committees' efforts.
"We have been toying with the idea of having a separate data protection legislation for over 10 years now, which for reasons best known to the government is yet to come on the table. Forming one more committee is definitely not a solution," says Vaishali Bhagwat, a Pune-based cyber advocate.
According to a statement from the Ministry of Electronics and Information Technology, or MeitY, the committee will:
- Study various issues relating to data protection;
- Make specific suggestions on principles to be considered for data protection in India and suggest a draft data protection bill.
Members of the new committee, in addition to Srikrishna, are:
- Aruna Sundararajan, secretary, Department of Telecom;
- Ajay Bhushan Pandey, CEO,UIDAI;
- Ajay Kumar, addl secretary, MeitY;
- Rajat Moona, director, Indian Institute of Technology, Raipur;
- Gulshan Rai, national cybersecurity coordinator;
- Rishikesha T. Krishnan, director, Indian Institute of Management, Indore;
- Arghya Sengupta, research director, Vidhi Centre for Legal Policy;
- Rama Vedashree, CEO, DSCI;
- A joint secretary from MeitY - member convener.
Vedashree believes that MeitY is focused on speeding up the process of developing necessary policies. "The committee and the chair is yet to meet and decide on the approach and methodology," Vedashree says. "The committee will consult industry, government ministries and institutions like RBI and TRAI while coming up with a framework."
The committee aims to help create a comprehensive data protection and privacy framework that meets the expectations of global stakeholders, Vedashree says. The framework is essential, he says, "given the proliferation of digital payments, biometrics-based authentication and also the footprint of digital technologies in all sectors - G2C services, B2C (especially e-commerce), BFSI, healthcare, smart cities, etc."
Will the Committee Deliver?
Some security practitioners are skeptical that this committee, unlike previous panels, can develop policies that are actually implemented.
"I am happy data protection in our country is gaining prominence," says Shivangi Nadkarni, CEO at Arrka Consulting. "Let's hope it doesn't turn out to be just another report. There are many noises being made about various committees and policies, but finally something has to move. All these are good initiatives, but what remains to be seen is the outcome."
The skepticism is understandable because other committees have developed reports that did not lead to action by the government. Case in point: The privacy report by the Justice A.P. Shah Committee. In 2012, the panel devised detailed policies on data protection and privacy that were never implemented. "This was a fairly elaborate report. However, the recommendations never got implemented for reasons known only to the government," Bhagwat says.
"We have several recommendations now in place and it's about time we rolled out a bill on which the government could invite comments," she says. "We are ready to go on a legislation rather than being still stuck at the policy-designing stage."
Stakeholders have a lack of will to implement new laws because the government generally takes little action against those who fail to comply with current laws, including Section 43A of the IT Act, some security experts contend. "Even assuming laws are good, what about their implementation? Bhagwat asks. "Today, as a user, if I feel my data is getting misused, who do I approach and how?"
Any new data protection laws will have little impact unless they include strict penalties for noncompliance, Bhagwat says. "Companies should lose their license in case they fail to have proper security measures in place," she says.
A Practical Approach to Data Protection Framework
A new data protection and privacy law should cover all entities - including the government - that deal with personal information of anyone residing in India, Nadkarni says. "It shouldn't be restricted to only 'body corporates' - as the current IT Act does," she says.
Nadkarni offers suggestions on what a new privacy law should include:
- Definition of PII: Data privacy hinges on how personally identifiable information is defined and interpreted so that it's not left open to ambiguity and interpretation.
- Clarity in roles: It's important that the law places responsibilities on both data controllers and data processors.
- Privacy principles and rights: These should align with requirements elsewhere around the world, including the EU's GDPR, taking into account what's appropriate for India.
- Dealing with violations: The law should create appropriate and accessible mechanisms for addressing violations and grievances.
- Limits on government: The law should clearly outline the boundaries for government intervention with appropriate checks and balances so authorities cannot misuse their power.