While the fine print of the draft will be examined in detail in the coming days, there is one clear takeaway—the emphasis on consent.
Mumbai: The draft data protection bill prepared by an expert group headed by former Supreme Court judge B.N. Srikrishna was submitted on Friday to IT minister Ravi Shankar Prasad. According to Prasad, the draft bill will be put up for public consultation after which it will be sent for parliamentary approval.
While the fine print of the draft will be examined in detail in the coming days, there is one clear takeaway—the emphasis on consent in the report. “Consistent with our view that the digital economy should be free and fair, the autonomy of the individual whose data is the lifeblood of this economy should be protected. Thus, a primary basis for processing of personal data must be individual consent… Consent is often uninformed, not meaningful and operates in an all-or-nothing fashion,” the committee has said, introducing the report’s chapter on processing of personal data.
The committee has identified passwords, financial data, health data, official identifiers which would include government issued identity cards, sex life and sexual orientation, biometric and genetic data, transgender status or intersex status, caste or tribe and religious or political beliefs or affiliations as sensitive personal data under a data protection law.
Detailing further on consent, the committee has said, “Consent needs to be informed…”, adding that “consent needs be specific… consent also must be clear… Lastly, consent needs to be capable of being withdrawn as easily as it was given.”
Legal and technology experts are welcoming the emphasis on consent. “Based on the initial reading, the consent deliberation is a heartening aspect of the report,” said N.S. Nappinai, an advocate specializing in cyber law. “We did have a right to consent, but nothing on withdrawal of consent. Again that is in line with EU GDPR (European Union’s General Data Protection Regulation). They are also talking of a very precise consent,” she said.
The GDPR came into effect in May this year, and it envisages strict rules for handling and protection of personal data of EU citizens.
The consent aspect is at the heart of the entire framework, said Vivek Belgavi, partner and leader, FinTech at PwC India. “There needs to be a mechanism to monitor and validate the system. For instance, if someone reports a breach (of consent), so to prove whether there has been a breach or not, that to be resolved quickly in a time-bound manner, the investigation has to be backed by technology. Otherwise it would consume time and the onus would again fall back upon the consumer which may not be the best thing to happen,” he said.