The advent of the digital age has revolutionized the world and transformed the lives of the people. This age promises everything to be achieved simply with our fingertips. The tedious tasks of shopping, communication, traveling and welfare services, are just a few clicks away. However, as the saying goes “All good things come with a price” is proved apt in this situation. The collection of the vast amount of personal data by private firms and government in the name of providing quality services has always been a cause of deep concern in India. In a country like India, where there is no specific law for the protection of one’s privacy, people face insurmountable trouble in dealing with any kind of data leak or use of data in an inappropriate manner by “data fiduciaries”.
To deal with such problems, the government last year set up a committee to draw out a framework for the protection of data. The committee chaired by B.N Srikrishna submitted its report to the Ministry of Electronics and Information Technology in July this year. The committee has come up with a draft Data Protection Bill which seems to promise protection to the “data principals”
The Bill has tried to touch almost all the aspects. It defines how the data should be used. The Bill makes it mandatory for data fiduciaries to provide some necessary information to data principals at the time of collections of data. This information include the purpose for which the data is to be processed, categories of data being collected, information vis-a-vis any cross-border transfer of the personal data, the right of the data principal to withdraw the consent, etc. The draft Bill also provide some rights to data principals like right to confirmation- whether the data is being processed or has processed, right to correction, right to be forgotten etc. The Bill seems very ideal in the sense of giving rights to the data principals to protect them from any harm; but is far from ideal. The Bill sure grants rights to protect the people from any harm but these rights are not absolute. It says that personal data of people can be processed for any function of parliament or any state legislature. It does not define for what functions the data can be processed by the governments and this expose people to surveillance by the governments. The government will be able to use the data in any way it sees fit. Another important issue is that if the data principal withdraws consent for the processing of data necessary for the contract to function, all legal consequences will be borne by the data principal only. This will deter the data principals from withdrawing the consent and will lead to exploitation of their data.
The most contentious issue of this bill is the data localization. The Bill makes it mandatory for data fiduciaries to store at least one copy of personal data on a server located in India. Against this several private firms have raised their voice because this will be an extra investment for the firms. Setting up of data storage units will incur huge investments and will be an unnecessary burden for the firms. This might deter firms from investing in India and that may impact the economy. On the other hand, localization of data may help the Indian agencies to get the required information of potential accused and help them to expedite the investigations.
The Bill is a right step in making a data protection framework but before it becomes a law all the concerns it has raised should be dealt with diligence.