On Sunday, Retired Supreme Court Justice BN Srikrishna said that India’s legal framework on personal data protection should ensure that the purpose for which data is collected is clearly explained & it should lay down a clear methodology for procuring data.
He added that when data is collected without the consent of the individual, like in the current circumstances where a lot of data is being collected in connection with the Covid-19 pandemic, the law should ensure data anonymisation.
The retired Judge pointed out that “Under what circumstances can data be taken away without consent of the principal? Take for instance, the situation of Covid. Data is necessary for statistical probability. If someone wants to do research on impact of Covid, they will need a lot of data on it. This is where the aspect of “data anonymisation” comes in, where only numbers & no personal information can be utilized".
Justice BN Srikrishna was speaking at a Webinar organized by law firm Shyam Padman Associates on the topic “The Challenges in Personal Data Protection in the absence of (a) Data Protection Law in India”.
Justice Srikrishna, who headed the committee which, in 2018, proposed the draft of the Personal Data Protection Bill said that the line between the right to privacy of an individual & the right of the state to access data is a fine one & the data protection law should guarantee that data collected is only to the extent to which it is required.
He explained that “The legislative enactment must categorically explain the purpose for the collection of data. There should be a rational connection (between the data collected & the purpose for which it is acquired). There should be no absurdity in the connection. There is also the need for proportionality. The law should not go beyond what is absolutely required".
He said, the state, can take away the rights of an individual, only if it can ensure that it is for the greater good of the public.
“For instance, in the case of Aarogya Setu, the state, in a positive move, did not make it mandatory”, the retired Judge said, referring to India’s contact tracing app.
The Central Govt. came out with a draft Personal Data Protection (PDP) Bill in Dec 2019. The bill regulates personal data of individuals & governs the processing of such data by both Govt & companies incorporated in India.
Justice Srikrishna said the bill falls short on certain aspects including absence of data localization which enables transfer of data outside India .
“Can the State can access data of a person who is a suspect. The answer in the legislation is yes. Unfortunately, in my opinion, the PDP of 2019 has watered down this provision which allows the state to unilaterally infringe the fundamental right (of privacy) in the name of sovereignty & security”, he said while expressing hope that the Apex Court will look into such aspects if the data protection law is challenged.
The Top Court’s seminal 2017 judgment in the case of Justice KS Puttaswamy v. Union of India in which the court had held right to privacy as a facet of the fundamental right to life was instrumental in initiating debate on the absence of data protection laws in India.
“The SC asked, ‘Where is the law on Data Protection?’ & everyone started looking at each other, with no clue about this. It is then the committee on the formulation of a Personal Data Protection Bill was founded”, Justice Srikrishna said.
Source Link
