Privacy violation may now lead to penalty of INR 10 million and prison sentence of three years. The data privacy bill also talks about penalising companies found violating the law as well.
After the SaveTheInternet.in movement for net neutrality, the Internet Freedom Foundation (IFF) has launched its community project, ‘Save our Privacy’, in order to safeguard individuals’ right to privacy. This model bill is titled ‘Indian Privacy Code, 2018’ and has been drafted by lawyers such as Raman Jit Singh Chima, Apar Gupta, Gautam Bhatia, Kritika Bhardwaj, Maansi Verma, Naman N Aggarwal, Praavita Kashyap, Prasanna S, Ujjwala Uppaluri, Vrinda Bhandari. This initiative has come into force after the Facebook-Cambridge Analytica scandal have made people aware about the breach in data privacy of individuals. The draft bill has been submitted to the Justice Srikrishna Committee which will deliberate on a data-protection framework for the country.
The draft proposes that, “all data collected, processed and stored by data controllers and data processors prior to the date on which this Act comes into force shall be destroyed within a period of two years from the date on which this Act comes into force”. The collection of personal data without consent will only be considered valid when:
- It is necessary for the provision of an emergency medical service.
- Prevent, investigate or prosecute a cognizable offence.
- Exempted by a privacy commission that the draft seeks to institute.
The new draft policy envisages a penalty of up to INR 10 million and a prison sentence of three years for people who “collect, receive, process or hold personal data” in contravention of the provisions of the proposed law. The punishment goes up to INR 100 million and five years in prison for “sensitive data”. It talks about penalising companies found violating the law as well.
The move is a welcome move as currently the user data in the country is under potential threat as big social media companies that have been accused recently for data mining and sharing user information with private firms for advertising and marketing purposes. The decision might have severe implications on several foreign as well as Indian companies. Companies collect, aggregate, store and process Indian user data unhindered. “Like we keep diabetes and blood pressure in check, controls are needed for data,” B N Srikrishna said. “Companies like Amazon, Google, Microsoft, and Flipkart are extremely nervous.”
Lawyer Apar Gupta said, “India has reached its privacy moment. Every week we see a new controversy and realise that personal data controls our life. One credible solution on this is to engage the public on a policy solution such as data protection law. To make this a public movement we have simplified a nuanced law to seven core principles. We will rely on a wider community of activists and public advocacy to make sure an intersectional issue such as privacy has several leaders and public spokespersons.”
The seven core principles of the draft bill as given on the website are-
- Individual rights are at the center of privacy and data protection.
- A data protection law must be based on privacy.
- A strong privacy commission must be created to enforce privacy principles.
- The government must respect user privacy.
- A complete privacy code must come with surveillance reform.
- The Right To Information needs to be strengthened and protected.
- International protections and harmonisation to protect the open internet must be incorporated.
“We have attempted to draft a comprehensive Citizens’ Privacy Code that places the individual at its heart, and carries forward the Supreme Court’s remarkable privacy judgment. We also want to make it thoroughly inclusive – the draft code is online, and any person who wishes can comment on it, and on every clause,” said Gautam Bhatia.
The move has come after the European privacy law came up with General Data Protection Regulation (GDPR), a data protection and privacy law for all individuals within the European Union (EU) and the European Economic Area (EEA). The GDPR mainly focuses on ensuring that users know, understand, and consent to the data collected about them.