A good beginning: on draft data protection bill

The data protection bill drafted by the Srikrishna panel ticks many boxes

July 31, 2018 12:02 am | Updated 12:24 am IST

Given the vast amounts of personal data being collected by private companies and state agencies, and their flow across national jurisdictions, the absence of a data protection legal framework in India has been a cause for deep concern. This is even more so because in many cases individuals whose data have been used and processed by agencies, both private firms and state entities, are oblivious to the purpose for which they are being harnessed. The need for legislation was also underlined last year with the landmark judgment in Justice K.S Puttaswamy v. Union of India that held the right to privacy to be a fundamental right. Against this backdrop, the draft legislation on data protection submitted by a committee of experts chaired by Justice B.N. Srikrishna to the Ministry of Electronics and Information Technology after year-long public consultations provides a sound foundation on which to speedily build India’s legal framework. It seeks to codify the relationship between individuals and firms/state institutions as one between “data principals” (whose information is collected) and “data fiduciaries” (those processing the data) so that privacy is safeguarded by design. This is akin to a contractual relationship that places obligations on the entities entrusted with data and who are obligated to seek the consent of the “principal” for the use of personal information. The draft legislation puts the onus on the “data fiduciary” to seek clear, informed, specific and free consent, with the possibility of withdrawal of data of the “principal” to allow for the use and processing of “sensitive personal data”.

In many ways, the draft legislation mirrors the General Data Protection Regulation, the framework on data protection implemented in the European Union this May, in providing for “data principals” the rights to confirmation, correction of data, portability and “to be forgotten”, subject to procedure. It envisages the creation of a regulatory Data Protection Authority of India to protect the interests of “principals” and to monitor the implementation of the provisions of the enabling data protection legislation. Taken together, the draft bill and the report mark a welcome step forward, but there are some grey areas. The exemptions granted to state institutions from acquiring informed consent from principals or processing personal data in many cases appear to be too blanket, such as those pertaining to the “security of the state”. These are hold-all phrases, and checks are vital. The report recommends a law to provide for “parliamentary oversight and judicial approval of non-consensual access to personal data”. Without such an enabling law, the exemptions provided in the bill will fall short of securing accountability from the state for activities such as dragnet surveillance. The grey areas must spark public and parliamentary debate before a final legislation comes to fruition.

Top News Today

Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.