Time for India to come up with data protection model: IT secretary
IT secretary Ajay Prakash Sawhney on Thursday said the new decade is of India and it is time for the country to come up with a data protection model that the world follows.
The data protection model for both personal and non-personal is at an infancy stage and there is learning that is coming from various countries as of now, he added.
"We have actually practised for the past several decades where we look at models which have emerged somewhere else and then sort of improve on that. This is 2020 and decade of India.
Ajay Prakash Sawhney
"I truly believe it's India's decade and it's India's time to come up with a model that the world looks at and does some cut and paste, and some improvisation of what comes out of India," Sawhney said at a virtual panel discussion organised by Vidhi Legal.
He said that the idea of creating data trusts is going to be very significant for both personal and non-personal data.
The Personal Data Protection Bill was introduced in the Lok Sabha in February and has been referred to a Joint Parliamentary Committee of both the Houses, headed by BJP MP Meenakshi Lekhi, for examination and report.
"Our framework is something that the world is looking very carefully and I believe this to be recognised as the best thinking at the current level. These are of course subjects that are there at the infancy stage. There is learning already from GDPR implementation and from other countries as well, but as we move not only to personal data protection but also into various aspects of non-personal data," Sawhney said.
The draft of the bill, approved by the Cabinet in December 2019, proposes a penalty of up to Rs 15 crore and up to three-year jail term for company executives for violating privacy norms.
The draft mandates storage of critical data of individuals by internet companies within the country, while sensitive data can be transferred overseas only after explicit consent of the data owner.
The bill has been drafted following a Supreme Court judgement in August 2017 that declared 'Right to Privacy' a fundamental right.
The need for a strong personal data protection regime was further highlighted by the apex court in its judgement in September 2018 in which it held Aadhaar as a constitutionally valid scheme but struck down some provisions in the Aadhaar Act.
As per the provisions of the bill, all internet companies will have to mandatorily store critical data of individuals within the country. However, they can transfer sensitive data overseas after explicit consent of the data owner to process it only for purposes permissible under the proposed legislation.
Critical data will be defined by the government from time to time. Data related to health, religious or political orientation, biometrics, genetic, sexual orientation, health, financial, etc., have been identified as sensitive data.
A company executive in-charge of conduct of the data business would face a jail term of up to three years if found guilty of knowingly matching anonymous data with publicly available information to find out the identity of an individual - called as 're-identify de-identified data' in technical parlance, under the proposed law.
Social media companies will be required to come up with a mechanism to identify users on their platform who are willing to be identified voluntarily.