Create an independent Privacy Commission to probe data breaches, says Shashi Tharoor
28/March/2018

The law must prescribe fines or even imprisonment for the handling or collection of data in contravention of the standards prescribed under the data protection framework.

The oft-quoted (and contested) adage of our times, ‘Data is the new oil’, is back in the limelight with the uncovering of the Cambridge Analytica scandal. The confession of Christopher Wylie about how Cambridge Analytica harvested data from millions of Facebook profiles, without taking the consent of the users, is alarming. The scandal, along with the instances of Aadhaar data leaks, has exposed the fault lines in the data protection regime in India.

On 22 July 2015, the attorney general of India at the time argued before the Supreme Court that the right to privacy was not guaranteed as a fundamental right under the Constitution of India. While the Supreme Court formed a Constitution bench to determine the nature of the right to privacy in India, I submitted ‘The Data Privacy And Protection Bill, 2017’, a private member’s bill I had drafted, to the Lok Sabha on 4 July 2017 for introduction and consideration. For various reasons, mainly related to Parliament disruptions on the handful of Fridays allocated to private members’ business, the bill has yet to be introduced, so I am not at liberty to divulge its contents. But the principles it seeks to uphold are vital to the current discussion on data security.

My Bill envisages a comprehensive framework to protect the right to privacy of all, in furtherance of the recommendations of the Justice A.P. Shah committee and international best practices. Nearly two months after the Bill was submitted, a nine-judge bench of the Supreme Court, in its landmark judgment in Justice K.S. Puttaswamy v Union of India, unanimously and unambiguously held that the right to privacy was a fundamental right guaranteed under articles 14, 19 and 21 of the Constitution.

While that should simplify matters for all of us — since privacy is now recognised as a constitutional right — there is an urgent need to enact a comprehensive data protection law to implement it. The Justice Srikrishna committee is looking into the matter and its final report is awaited. Meanwhile, it is important for policymakers to be clear about certain essential principles on privacy, which I have incorporated in my Bill.

The law must be clear on what it seeks to protect, which in this context is the personal data of each Indian citizen. Personal data is the type of data which, if linked to other information, can be used to identify the concerned individual. Within the sphere of personal data, the law must recognise and distinguish sensitive personal data, which encompasses information relating to a person’s sexual preferences, political and religious views, ethnicity, race, financial information, DNA, biometric data and so on. The level of protection for sensitive personal data should be more stringent than in the case of other personal data.

Consent is the cornerstone of any comprehensive framework on data protection, and it must be obtained by the data-controller or processor before collecting, processing, using and disseminating personal data. The underlying principle for a consent-based mechanism is that personal data is owned by the subject — the person who generates the data. It is important to understand that privacy, which arises out of the right to life and liberty, is not a creation of the Constitution; instead, “these rights are recognised by the Constitution as inhering in each individual as an intrinsic and inseparable part of the human element which dwells within”, as the Supreme Court has succinctly explained. So every one of us whose personal data is collected has the right to be informed about the particular purpose of the exercise, the duration for which the data will be stored, the manner in which it has to be obtained, and how our consent can be withdrawn.

Once the consent to use personal data is withdrawn, the collector should destroy any record of the data collected. There should be a general bar on disclosing data, except to the person to whom it pertains. The consent of the subject should be required to transfer any personal data. The subject should also have the right to access her own data at all times, so that she may check and update it as necessary. The law must prescribe fines or even imprisonment for the handling or collection of data in contravention of standards prescribed under the data protection framework.

Consent should be meaningful. We must ensure that the subject can make an informed choice and still retain control over the data collected, unlike the prevailing scenario in which websites merely intimate the us

Source: https://theprint.in/opinion/create-privacy-commission-to-probe-data-breaches-says-shashi-tharoor/452