Personal data protection: Firms need to do more

Source: The post is based on an article “Personal data protection: Firms need to do more” published in The Business Standard on 1st September 2022.

Syllabus: GS Paper 2 – Fundamental Rights

Relevance: data protection and concerns associated with it

Context: This article discusses the issues associated with data and the ways to tackle them.

What is the current issue with personal data protection?

Lack of legislation protecting personal data allows Indian organizations to collect data as they want, often needlessly.

The data is often sold or monetized in other ways, and is frequently held on insecure servers.

It opens the door to widespread misuse of data and to cybercrime, potentially targeting every Indian.

It is also a barrier to efforts to set up data centers for overseas clients.

It is a serious problem and is only expected to increase in scale as more segments of the economy get digitized.

However, one reason Indian firms may not be investing enough in this area is the lack of regulatory compulsion.

What provisions can be included in a data protection law?

It should lay down clear, broad definitions of what constitutes private data. Those definitions should be open to review and updates as technology develops.

There must be norms that data will not be collected needlessly.

Whatever data is collected should be minimal, with the purposes clearly stated, the data-owner kept informed and his or her permission sought at every stage.

There should also be clear norms for the security of any data collected and stored, and the collector and storage center should be held liable for breaches, with huge penalties.

Victims should be in a position to easily bring class-action civil suits seeking damages in such cases.

Data-owners should also have the “right to forget”.

Once the purpose of the data has been served, the data-owner should have the option to ask for deletion.

There should be a transparent process for granting clearance to any agency to launch a data collection-cum-surveillance exercise against an individual or organisation.
