The Facebook-Cambridge Analytica affair, the Aadhaar case currently being heard by the Supreme Court and the controversy over data collected by NaMo and other apps have brought privacy concerns of individuals into sharp focus once again. The five-judge bench of the Supreme Court, during the Aadhaar hearings, has said that there is a need for a robust law to protect the sensitive information of the citizens.
Many people have pointed out that India is moving rapidly on its digital journey without adequate laws and regulations to protect its citizens. So far, the only protection available is under the Privacy Rules framed under the Information Technology Act, 2000. These rules are badly worded and leave open a lot of loopholes that companies can exploit. The maximum punishment prescribed - a fine of Rs 5 lakh or imprisonment up to three years or both - is also too low to act as an effective deterrent, especially as the Act puts the onus on the citizen to prove that he or she has suffered wrongful loss.
The Justice (retd) Srikrishna-led committee's proposals for a data protection framework for India include some very good suggestions, but given the pace of technology change, we probably need to go further. The European Union's General Data Protection Regulation (EU GDPR), which was formulated in 2016 and comes into effect from May 25 this year, can also provide pointers as it is currently the most advanced regulation on data protection and privacy, and goes beyond the laws of other countries. Creating an Indian law that not only captures the current state of digital data capture but also anticipates issues that can crop up in an era when every Internet of Things (IoT) device captures data and talks to other devices is the need of the hour.