Centre for Internet & Society

Public comments are welcome till 31 December on the data protection white paper, which is aimed at securing digital transactions and addressing privacy issues.

The article by Komal Gupta was published in Livemint on November 28, 2017.

A nuanced approach towards data protection will have to be followed in India, keeping in mind the fact that individual privacy is a fundamental right limited by reasonable restrictions, according to a white paper issued by the government on a data protection framework.

The government has sought public comments till 31 December on the white paper, which is aimed at securing digital transactions and addressing customer and privacy protection issues.

The white paper, drafted by the committee of experts on data protection framework, was released by the ministry of electronics and information technology on Monday.

On 31 July, the government constituted a 10-member committee of experts headed by former Supreme Court justice B.N. Srikrishna to study various issues relating to data protection and make specific suggestions on the principles to be considered for data protection as well as suggest a draft Data Protection bill.

Other members of the committee include telecom secretary Aruna Sundararajan, Unique Identification Authority of India chief executive Ajay Bhushan Pandey, and additional secretary in the information technology ministry Ajay Kumar.

The committee seeks to put the onus on stakeholders and the public through a questionnaire on issues such as collection of personal data, consent of consumers, penalties and compensation, code of conduct and an enforcement model that should be set up.

“The sensitivity of the data could also develop based on its combination with other types of information. For example, an email address taken in isolation, is not sensitive. However, if it is combined with a password, then it could become sensitive as it opens access to many other websites and systems, which may expose the individual to harm such as cyberattacks and phishing frauds,” the white paper said.

It is also possible that personal or even non-personal data, when processed using big data analytics, could be transformed into sensitive personal data. Therefore, there may be a need to create safeguards which will prevent misuse of personal information in these contexts of use, it added.

The white paper also seeks “to designate certain lawful grounds under which data can be processed, even in the absence of consent.”

In some situations, seeking consent prior to a data processing activity would not be possible, or it may defeat the purpose of the processing. For instance, where law enforcement officials need to apprehend a criminal, seeking the consent of the criminal prior to processing would defeat the purpose of the investigation, it said.

“It seems to be an eminently reasonable white paper which raises the right questions. However, it lacks analysis of data protection vis-a-vis Aadhaar,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.

Safeguarding privacy rights needs much more than a data protection law; it needs a larger consultation that includes issues like surveillance as well, added Prakash.
