Why India needs a new law to stave off data breaches
The alleged Facebook data breach reportedly indicates the manner in which information provided by individuals can be handled by big digital companies. The role of political consultancy Cambridge Analytica in the whole saga reportedly shows how data can be used for monitoring and influencing people, among other things. Therefore, it is the need of the hour to roll out a new law to tackle such issues, as the current framework can hardly cope with the times.
But first, let’s understand the current data-protection framework. The Information Technology Act covers health records, sexual orientation, biometric information, financial information and others. But it leaves out information such as interests and hobbies, given by users to social media firms such as Facebook. In the light of this, the law should cover any piece of information that can identify an individual, regardless of its pseudonymisation or anonymisation.
Back in India, another thorny problem is that the bar on an app or site retaining data longer than necessary applies only to a particular kind of data. This type includes health records, sexual orientation as well as biometric and financial information. The law should be extended to all forms of personal information. Similarly, individuals should be given the right to withdraw consent and demand removal of personal information from the app or site.
In the event of a data breach, the Indian law allows an individual to claim compensation for non-adoption of security measures. It also provides for imprisonment of the offender and grants compensation to the affected individual for disclosure of their information without their consent. In this context, the law extends to entities outside India collecting data of Indian users (like Google and Facebook). But in the event of a breach, enforcement is a challenge. To address this issue, a government paper has suggested international cooperation, mutual legal assistance treaties, local representative offices of foreign entities, fines on global revenue of a foreign entity, action against the local branch office or subsidiary, and others.
Another interesting aspect to have emerged from the alleged Facebook data breach is that the reported violation was not communicated to the individuals concerned for many years after the event. The law must require companies to inform the individuals in case of any data breach.
Given the gaps in the current legal framework, a strong case may be made for a new data protection law in India. The new law should ensure the following: clear and concise privacy notices, a transparent manner in which consent is obtained, notification to the individual in case of a data breach, recourse for a person in case of privacy violation, and strong enforcement.
Namita Viswanath is principal associate at law firm Induslaw. Views are personal.