Blog: Data Privacy Law : a Pandora’s Box ?

I got that feeling after reading the following :

India’s landmark data privacy law won’t apply to the very cause behind its existence : Aadhar

Extract :

Crimes :

Include obtaining, transfer, disclosure and sale of personal and sensitive data, if it causes harm to the person whose data it is (data principal), and re-identification and processing of previously de-identified personal data.

[ How a citizen will ever get to know that someone to whom he gave personal data , has caused him harm , through misuse of data ?

How must this aggrieved citizen go about to “ prove “ that a “ harm “ has been caused to him by such misuse ? Would he even remember to whom did he give what personal data – and for what legitimate “ use “ ?

By filing court cases against 200 search engines / mobile apps / e-com sites / govt agencies ? ]

Punishment :

For “ intentional or reckless behaviour ” that leads to the crimes, which it wants to be made cognisable and non-bailable.

In case the crime has been committed by a company or body corporate, including government departments, the responsibility would lie with the person in charge of conducting the company’s business or the head of a government department.

[ If such a “ transfer / sale / disclosure “ of personal data cannot be proved to have caused “ harm “, will that behaviour not be “ intentional or reckless “ ? ]

Compensation :

To be paid to “ data principals “ in case any harm is caused to them for infringement.

[ Who decides what was the “ quantum “ of harm and what is the commensurate “ quantum “ of compensation ? Won’t this differ from one case to another ? ]

Absolves :

The in-charge of all responsibility if he or she shows that the crime was committed without his/her knowledge or that all reasonable efforts had been taken to prevent the crime from being committed.

[ All data flows from one computer to another computer or even to some other

internet-connected device , such as a car / refrigerator / smart watch / TV etc .

Most of the time such transfers are happening round the clock, with no one watching /

no one knowing / no one asking for any permission from anyone !

According to one expert , by 2022 , there will be 50 internet connected devices in each

home ( IoT – Internet of Things ) – each sending out a lot of your personal / private

data, to their respective manufacturers / ISPs / Operating Systems )

Will anyone know what device is sending out which information to whom and when ? ]

Data collected under Aadhaar :

Would be out of the scope and purview of the proposed law.

This recommendation may not find favour with those who have opposed the unique identification system on the ground that the collection and dissemination of Aadhaar data leaves citizens vulnerable.

[ What about Aadhar-linked data collected by government agencies for hundreds of

Direct Benefit Schemes , which it has shared with Banks and Financial Institutions ? ]

Registration :

All data collectors would have to get registered with the DPA.

[ Each and every business establishment which is selling any product or service , online

( includes all search engines / e-com sites / mobile apps ), will need to register .

Soon that will cover 50 million MSME of India !

Would this cover all FOREIGN data collectors as well over which Indian Laws have no

jurisdiction ? Is this , at all practical / feasible ? ]

========================================================

Data Ombudsman :

To adjudicate complaints between “ data principals “ and “ data fiduciaries “