But isn’t there an exception in case of health data, which can be transferred outside the country?
That’s based on consent. Broadly categorising health data as sensitive and, in the future, declaring it as critical, could place restrictions on cross-border transfer. Of course, an individual may be able to transfer data outside the country based on consent. For instance, the use case of gene profiling to be done outside the country.
Apart from your dissenting views, what are your thoughts on the larger privacy law draft?
I think it’s a good draft. Any entity that is handling personal data is made accountable. Currently, the provisions of the IT Act apply for only body corporates but the government agencies are not covered. Maximum personal data is collected by the government agencies in most countries, including India. Equal obligation on all entities collecting data, whether government or corporate, is a great step forward.
Second, the concept of data protection authority is a good one. Third, the privacy by design principle is very well articulated. In the long term, the success depends on best practices that we can adopt and drive in the country.
What happens to your dissent note as well as the criticisms of the draft law given by civil society?
Now the committee has submitted its report. The minister stated in the media briefing that they conduct wide consultations. I do hope that there will be consultations with the civil society, industry and political stakeholders because at the end of the day, the bill has to be taken to the Parliament. I have confidence that the government will do consultations and be receptive to concrete feedback.
There’s a section where data processing exceptions are given to the state where consent is not required to collect or process data?
I think states will always need to have some enabling provisions for situations such as health emergencies or natural disasters, etc. There are enough checks and balances that the government cannot just flout the law. In case of emergency situations, we can’t expect that the consent of all people is obtained before relief can be provided to them.
But credit scoring is also listed as a possible use case of this provision...
I agree [it’s not an emergency].
You said that the criminal prosecution provision is too harsh. Why do you feel so?
The enforcement mechanism and recommended penalties are quite adequate. As privacy awareness is becoming very strong in the country, in the long run, any entity that is collecting and processing personal data needs to win the trust of the consumer. Unless it’s a very fraudulent company, they will all care about the trust of the consumer. I am confident that the industry will become very mature with the privacy awareness and enforcement. Already, several enterprises have implemented privacy programmes and best practices. Plus, there are now penalties and nobody wants to be hauled up for violating privacy when you are a B2C company. Imagine the nightmare for a business when it’s immediately a criminal and non-bailable offence.