Information Technology Law: Experts point to lack of laws on government use of citizens’ data
They pointed out that the current Information Technology Act 2000 governs the use of personal data by private companies, but that there is no policy to govern the government’s use of personal data.
The India Data Accessibility and Use draft policy, released by the Ministry of Electronics and Information Technology (MeitY) on Monday, has proposed an India Data Accessibility and Use Office (IDO) and will provide measured access to data properly” anonymized” to governments, startups, researchers and businesses.
Citizens’ data will be protected in accordance with existing policies “within the legal framework of India”, according to the draft policy.
The intention to treat non-personal data as a community or national resource is laudable, but data monetization should not come at the expense of privacy, said
Salman Waris, Partner, TechLegis. Otherwise, it would defeat the very purpose of data protection law, Waris said.
Discover the stories that interest you
Questions have also been raised about the safe implementation of data anonymization and monetization measures proposed under the new policy.
The draft stipulates that the legal framework for the protection of personal data will be governed by the laws and rules in force in India.
Current provisions on the protection of personal data under the IT Act do not apply to government agencies and therefore the new policy should protect against a repeat of the Vahan-Sarathi case some three years ago, said NS Nappinai, a Supreme Court lawyer and founder of Cyber Saathi, which raises awareness of cyber threats, especially against children.
Also read: MeitY’s data policy project aims to unlock government data for everyone
In 2019, a bulk data sharing policy allowed the Union Department of Transport to share personal information gathered from vehicle records and driver’s licenses, with more than 170 private parties, including manufacturers cars and insurance companies.
The government earned over Rs 111 crore from these transactions until they were scrapped in June 2020, citing potential misuse of personal information and privacy concerns.
“Simply relying on the IT Act will not suffice as it does not apply to government entities, only legal persons. Data sharing between governments is fair from a governance perspective, but when it is involves giving access to data to private entities, we must ensure the effective implementation of the anonymization of personal data,” said Nappinai.
The government has invited all stakeholders to provide feedback on the new policy until March 18.
The project is an update to existing government policies on data sharing and comes after a committee was established under Infosys co-founder S (Kris) Gopalakrishnan in 2019 to draft a framework around data sharing not personal data (NPD) or anonymized data of Indians.
Non-personal data is stripped of personally identifiable information.
The draft policy will be a good test of governance structures around data anonymization, interoperability and sharing, as well as practices such as creating high-value datasets given that there are has hundreds of government agencies and power units involved, said Parminder Jeet Singh, executive director of Policy for Change. , a think tank.
“Once these models have been carefully deliberated and evolved, the government should not stop there. Between 80 and 90 percent of citizens’ data is held by private companies, so the government should pass a law to allow data sharing for and between companies as well,” said Singh, who was also a member of the Gopalakrishnan committee on the NDP.
Companies have raised concerns about IPR infringements stemming from some of the committee’s recommendations.
The scope of the latest version of the Data Protection Bill – after recommendations from a joint committee of Parliament – has been widened to include non-personal data.
“…Therefore, it (the Data Accessibility Policy) deals with non-personal data and as such would overlap with the PDP bill if and when passed,” TechLegis’ Waris said.
The policy will apply to all data and information generated, created, collected or archived by central government and authorized agencies.
State governments may also adopt the provisions, as appropriate, in accordance with the policy document.
Researchers, startups, companies, individuals, and government departments will be able to access data through licensing, sharing, and data evaluation within the overall framework of data security and privacy.