The Ministry of Electronics and Information Technology (MeitY), Government of India has constituted a 10-member committee of experts under the Chairmanship of a former Judge of Supreme Court of India, Justice B N Srikrishna, and comprising of members from government, academia and industry to study and identify key data protection issues and recommend methods for addressing them. The committee will also suggest a draft Data Protection Bill.
According to media reports, the committee members include the Secretary of the Department of Telecom, CEO of Unique Identification Authority of India (UIDAI, which issues the national ID, Aadhaar) and the National Cyber Security Coordinator.
Currently, there is no overarching data protection regulation in India. The “Information Technology (Amendment) Act, 2008” added provisions regarding data privacy and data protection. Provisions were introduced through Section 43A for compensation to person affected by an organisation for being negligent in implementing and maintaining reasonable security practices and procedures regarding sensitive personal data and information. Section 72A mandated punishment for disclosure of ‘personal information’ in breach of a lawful contract or without the information provider’s consent.
MeitY publishes notifications and advisories to supplement or clarify the provisions from the IT Act 2000 and and the Amendment Act from 2008.
In addition, in certain sectors like finance, regulators have been addressing data privacy and data protection. For example, the financial regulator (The Reserve Bank of India), securities market regulator (Securities and Exchange Board of India) and insurance sector regulator (Insurance Regulatory and Development Authority of India), have issued guidelines and prescribed requirements periodically.
As the Indian government continues its push towards a digital economy, a comprehensive data protection framework and keeping the personal data of citizens secure and protected is becoming increasingly important.
There have been several high profile data leaks during the past year. Over 85% of the country’s population have now enrolled in the national identity program, Aadhaar and the unique 12-digit ID linked to a citizen’s basic demographic and biometric information is becoming increasingly indispensable as it is linked to widening range of government services, from claiming benefits to tax filing. In the meantime, some government departments revealed details of beneficiaries of the schemes they run, putting them up on their websites for anyone to access.
In July, the Directorate of Social Security in the state of Jharkhand revealed the names, addresses, Aadhaar numbers and bank account details of 1.4 million beneficiaries of Jharkhand’s old age pension scheme, who had seeded their bank accounts with Aadhaar. In April, the Kerala government’s pension department published personal details of 3.5 million pensioners, who had linked their Aadhaar number and bank account as required by a “direct benefit transfer” scheme.
In October last year, 3.2 million debit cards issued by Indian banks were compromised and had to be cancelled and reissued. The breach was said to have originated in malware introduced in the systems of a IT systems vendor, which provides ATM, point of sale (PoS) and other services to these banks. In July 2017, names and email ids of millions of subscribers of telecom services provider, Reliance Jio, were made available on a website.
There’s an ongoing debate on privacy going on in India at the moment. Recently a Constitution Bench in the Supreme Court of India said that privacy is not absolute and cannot prevent the State from making laws imposing reasonable restrictions on citizens. It is listening to petitioners challenging Aadhaar on the grounds that it violates the right to privacy. The basic question is whether there is a fundamental right to privacy that is guaranteed by the Indian Constitution and the final judgement is expected to be delivered by August.