New Delhi: The panel set up to draft a data protection framework for the country concluded its final meeting on Wednesday and will submit the report to the government by the first week of August, three persons aware of the development said.
In a meeting that lasted two-and-a-half hours, the panel discussed a host of issues including the amendments needed across various Acts, penalties for violation, and what kinds of data would come under the definition of personal data.
“This is most likely the final meeting. The panel will submit its report to the government in a few days. The government can then put it up in the public domain,” a person present in the panel meeting said requesting anonymity.
The 10-member committee, chaired by former Supreme Court judge B.N. Srikrishna, was set up by the government in July last year. The panel has been tasked with identifying overall data protection issues in India and recommending ways to address them. The panel’s recommendations are, however, not binding on the government.
The Union government had hoped that the first draft of the recommendations on data protection legislation by the committee would be completed by June.
“As many as 70 Acts including RTI and Aadhaar will need to be amended so that they come under the framework of the new data protection law,” a second person said requesting anonymity.
User-generated data is integral to the business models of major communication and social media networks as it makes them valuable to advertisers, who in turn use it to help companies target goods and services at the right audience.
There were dissenting voices in the panel. “We have suggested that dissent notes must be a part of the report,” a third person aware of the matter said.
“We don’t think that all financial data is personal data. There are many countries with data protection laws that don’t recognize financial data as personal data. Also, there should be penalties for violation as we believe treating a violation as a criminal offence is too draconian,” the third person said.
The Telecom Regulatory Authority of India (Trai) said in recommendations made public on 16 July that entities that control or process personal information and data are mere custodians and do not have primary rights over it. Users should be given the right to choose the information they want to share and be forgotten if they so desire, Trai had suggested.
Moreover, the existing framework for protection of personal data of telecom consumers is not sufficient and hence all entities that process personal user data such as apps and browsers, should be brought under the same rules which are applicable to telcos till a data protection framework is in place, it had recommended.
“Trai’s recommendations are largely in line with the white paper of the committee,” the second person cited above said.
Trai has, however, stayed away from making any recommendations on subjects which have ramifications beyond the telecom space. There are six such issues: the rights and responsibilities of data controllers; technology-enabled audit of personal data use; measures to encroach creation of data-based business; data sandboxing; legitimate exceptions to privacy regulations; and cross-border data flow.