Indian data protection norms insufficient: report
New Delhi: Indian data protection laws are inadequate and only address some of the security, privacy and other issues addressed by similar laws in other countries, a report said.
The report, authored by Sreenidhi Srinivasan and Namrata Mukherjee, research fellows at Vidhi Centre for Legal Policy, analysed the current rules and norms in place for data protection.
“At a time when India is seeking to develop as a digital economy, it is imperative to have in place an effective regime for protection of personal information,” the report said.
India is pushing digital (and cashless) transactions, some linked to the biometrics-based Aadhaar number which has been assigned to around a billion Indians by the Unique Identification Authority of India.
ALSO READ | India’s privacy non-law
The paper compared the Indian data protection regime with international ones and found it lacking on several counts.
The paper identified a lack of a statute expressly recognizing privacy rights of an individual and rights over their personal data, especially in an interplay with non-state actors and firms.
The Vidhi paper enumerated important components of a robust data protection regime: entities required to comply with data protection norms; the kind of information to be protected; consent for collecting information; and the individual’s right to access his or her information held by another organization.
The 77-page report also provided a framework for management of personal data, which could serve as a model for a data protection statute or be assimilated in the IT Rules.
ALSO READ | Sustaining transition to a digital economy
The paper argued for extension of data protection to all personal data and not merely sensitive personal data (the first includes passwords, financial information, health conditions, medical history, sexual orientation, biometric information). It also suggested seeking consent of individuals before collecting all personal information.
Rahul Matthan, partner at Trilegal and a Mint columnist appreciated the work done by Vidhi on data protection, but says he’d like a model of data protection more suited to the Indian context.
“Their approach seems to be to analyse the way international statutes have been written and try to see what’s appropriate in the Indian context. While that is the global best practice for new sector legislation I think there is merit in also considering an approach that allows us to build something from the ground up which is appropriate for us in our context,” he said.
ALSO READ | Going digital is good, but beware of risks
Matthan pointed to flaws in the consent model for protecting data. “For instance, the consent framework, which is a world standard, is universally recognized as flawed and very hard to administer given the amount of data being collected from us and in the context of the Internet of Things where machines collect data automatically,” he said.
Pranesh Prakash, policy director at think tank Centre for Internet and Society, said the paper did not delve into a 2012 report of a group of experts on privacy chaired by justice A.P. Shah. That report made suggestions including a technology-neutral law on privacy applicable to both government and private agencies. “I look forward to examining the report and working with Vidhi and others to advance a robust data protection regime in India,” Prakash said.