Justice BN Srikrishna, who chaired a 10-member committee that proposed a Personal Data Protection Bill for India three years ago, hit out at the Government, stating that citizens have no recourse from frequent data breaches as the bill to protect their data is still hanging fire.
"This is happening because there is no law controlling it. The draft was submitted, they sat on it for two years and made all kinds of changes. It is now pending before the JPC (Joint Parliamentary Committee)," Justice Srikrishna told Moneycontrol.
His comments come in the light of the massive breach at Domino's Pizza, where user information related to 18 crore orders has been made public. Security researchers Moneycontrol spoke to said the leak happened due to a compromise in the Amazon Web Services (AWS) key, similar to what had happened during the Mobikwik breach. The last six months have seen a series of data breaches, from BigBasket to JusPay to Mobikwik, Upstox, and Air India.
While some experts said users can use provisions under the Consumer Protection (e-commerce) rules 2019 or Section 43A or Section 72A of the IT rules 2011, which have provisions for data protection, there haven't been precedents where companies have been held accountable.
"Those are vague things scattered in different places, that is the reason why we need a new law. IT rules were not framed with personal data protection in mind. Under the Personal Data Protection (PDP) Bill, if your data is stolen, then the data fiduciary who stores your data is responsible. If the PDP was law, Domino's would have been liable as the data fiduciary here," Justice Srikrishna said.
The recommendations in the PDP bill include the setting up of a Data Protection Authority or a DPA, an independent regulatory body responsible for the enforcement and effective implementation of the data protection law. In the framework, while the individual is defined as the 'data principal', the entities with whom the individual shares his/her personal data are defined as the 'data fiduciaries'.
"Notwithstanding any contractual relationship, an individual expects that her personal data will be used fairly, in a manner that fulfils her interest and is reasonably foreseeable. This is the hallmark of a fiduciary relationship. In the digital economy, depending on the nature of data that is shared, the purpose of such sharing and the entities with which sharing happens, data principals expect varying levels of trust and loyalty," the bill states.
The Ministry for Electronics & Information Technology (MEiTY) had set up a 10-member expert committee under Justice Srikrishna in August 2017 to identify key data protection issues and recommend methods to address them.
The committee released the proposed Personal Data Protection Bill (India) in July 2018. Legislation is still some time away as the Joint Committee of Parliament is still examining the Bill and recently sought an extension for the fourth time up to the Monsoon session to submit its report.