The dawn of the information age opened up great opportunities for the beneficial use of data. It also enhanced the perils of unregulated and arbitrary use of personal data. Unauthorised leaks, hacking and other cyber crimes have rendered databases vulnerable. But it is the conflict between the massive scope for progress provided by the digital era and the fear of loss of individual autonomy that is foregrounded in any debate about data protection laws. It is against this backdrop that the White Paper made public by the Justice B.N. Srikrishna Committee to elicit views from the public on the shape and substance of a comprehensive data protection law assumes significance. To some, in this era of Big Data analytics and automated, algorithm-based processing of zettabytes of information, the fear that their personal data may be unprotected may conjure up visions of a dystopian world in which individual liberties are compromised. Therefore, it would be appropriate to draw up a law using the rights-based approach of the European Union’s General Data Protection Regulation, 2016, in which data protection is comprehensive and exemptions limited. Some may prefer the American model in which the norms are stringent for government departments processing personal information, while private entities have to abide by the norms of giving notice and receiving consent. An enlightened citizenry will only help itself in participating in the search for a good data protection framework.
India does not have a separate law for data protection, though Section 43A of the Information Technology Act provides a measure of legal protection of personal information. In 2012, the Justice A.P. Shah Committee recommended a set of principles for a legal framework for protecting privacy. Drawn from OECD guidelines, these principles were centred on sufficient notice and disclosure to citizens when data are collected, limitations on data collection and use, and norms related to data security and accountability. The Srikrishna Committee has also flagged seven major principles. It wants the law to be technology-agnostic and enshrine the principle of informed consent. It favours data minimisation and accountability of those who process and control data. It privileges a holistic approach as the law would apply to both government and private entities, but with “differential obligations”. This is where the law requires careful drafting and strictly defined concepts. It is legitimate to collect personal data in the public interest, but this information should be protected and used only for the purposes for which it was collected. Above all, the law must provide for a suitably empowered statutory authority to enforce its promised protection to citizens’ data.