Privacy Shield 2.0: Cue for EU-India Data Transfer Mechanism?

Since the implementation of GDPR standards across the EU, data transfer between other countries and the EU has become a widely debated complex issue across the world. Article 44 of GDPR permits the transfer of personal data outside the EU, only when the recipient country has an equivalent level of security to protect the personal data of EU citizens, as guaranteed by the General Data Protection Regulation (GDPR). The biggest dilemma that many countries across the globe face is that they either lack a national legislation on data privacy or if they do have one in place, it may not be considered at par with the standards set by GDPR. Such a situation creates a genuine legal obstacle to the transfer of personal data between the EU and those countries.

Conceptualization of the Privacy Shield

Over the years EU and various other countries have developed certain mechanisms to tackle these obstacles created by requirements mentioned under Article 44. Standard contractual clauses (SCC), binding corporate rules (BCR) are such instruments that the countries and corporates have adopted for the transfer of personal data. The United States of America lacks a comprehensively dedicated legislation for data privacy.  However, the country has many sectorial legislation and regulations ensuring the privacy protection of individuals, yet, the EU has consistently ruled that the USA does not guarantee an equivalent level of protection.  Safe Harbour Framework, one such additional mechanism agreed upon between the Governments of the EU and USA defines a series of principles to be followed and adopted by companies for the transfer of personal data. US companies were required to self-certify these principles mentioned under the safe harbour framework and the US regulators would in turn enforce such framework within their limits and jurisdictions.  In 2013, Edward Snowden rocked the world with some lethal revelations about various global surveillance programs run by the NSA. In light of such a disclosure, an Austrian citizen named Max Schrems filed a complaint stating that the US does not provide adequate protection of personal data against such mass surveillance undertaken by authorities. The European Court of Justice (“ECJ/ Court”), noted that the US could allow any national security, public interest argument and law enforcement requirement to prevail over the Safe Harbour framework. Hence, the ECJ concluded that the safe harbour decision was invalid, as it interfered with the fundamental rights of an EU citizen. This decision is widely known as Schrems I. After courts invalidated the safe harbour decision, the European Commission and the US Department of Commerce came up with the Privacy Shield framework for the continued transfer of data from the EU to the US.  US Corporations who intend to receive personal data from the EU self-certify before the Department of Commerce that they will adhere to certain principles recognised in the Privacy Shield. These principles were developed by the US Department of Commerce in consultation with the European Commission. This led Max Schrems to again file a complaint challenging the validity of the privacy shield and the use of SCCs by companies to bypass the requirements of adequate protection stipulated by Article 44 of the GDPR on the ground that US investigation agencies have unlimited access rights of personal data retained with USA corporations neither Privacy Shield nor SCCs prevents those rights. Accordingly, it was argued that Privacy Shield or SCCs does not ensure the privacy rights of EU citizens. This case soon came to be known as Schrems II. The Court of Justice of the European Union (CJEU) examined the US’s Foreign Intelligence Surveillance Act and the surveillance programmes that such provisions allow and found that US agencies have wider access rights on every data retained with USA corporations and Privacy Shield in any manner takes away these rights of USA investigative agencies.   CJEU accordingly invalidated the EU-US privacy shield mechanism. The judgment in Schrems II had led to a major deadlock between US-EU economic relations, particularly concerning the transfer of data. With no approved mechanism in sight, companies found it difficult to transfer data for achieving their business obligations. On 25th March 2022, the EU commission and US government announced that they had agreed in principle on a new framework for the purpose of cross border transfer of data, known as Privacy shield 2.0. The new framework promises to provide benefits to both sides of the Atlantic and ensure that a balance is created between the new safeguards and the national security objectives of the US, which will ensure the privacy of EU personal data. The text of this new framework has not been released.  The press note released by the White House contains a few details that the framework might incorporate. It states that intelligence collection might be undertaken only where it is necessary to advance legitimate national security objectives and in no way should impact the protection of privacy and civil liberties[1]. In addition, the US intelligence agencies will adapt procedures to ensure effective oversight of new privacy and civil liberties standards[2]. Moreover, a proposal to set up an independent Data Protection Review Court has been mooted for EU individuals seeking claims and damages for breach of their personal data by the US Government. The proposal also details that the adjudicating members or individuals shall be chosen from outside the US Government. If Privacy shield 2.0 does pass the test laid down by the European courts, experts believe that this could trigger an estimated $7.1 trillion economic relationship between the US and the EU. Hopefully, Privacy shield 2.0 will be able to provide a predictable, effective and lasting remedy for transferring personal data from the EU to the USA.

Data Transfer between EU and India

The above discussions and mechanisms have a significant relevance in relation to data transfer between the EU and India. The Indian investigation and intelligence agencies have similar powers to their US counterparts in terms of their right to access or demand or conduct searches in any Indian enterprises and collect all relevant data required.  The fundamental right to privacy recognised in the Puttuswamy case is not absolute. Further, as per Article 19(2) of the constitution, the state can impose reasonable restrictions on the exercise of fundamental rights in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence. Moreover, Section 69, of the IT Act, 2000 provides the Central and State government with the power to intercept or monitor any information stored in a computer resource provided such information is required for:
  • In the interests of India’s sovereignty and integrity.
  • Defence of India,
  • State’s security,
  • To maintain friendly relations with other nations, or
  • To maintain public order, or
  • For preventing incitement to the commission of any cognizable offence relating to the above, or
  • For investigation purposes
The above provisions are similar to the rights available to US investigative agencies. For the same reasons, the Schrems II judgment and Privacy Shield mechanisms are relevant while considering EU-India data transfer. Currently, there are no approved mechanisms for data transfer between the EU and India like the Privacy Shield framework. Hence, the European companies are justifiably reluctant to establish business relations with our country. Since India is a hub of IT-enabled services like BPOs and KPOs, it is desirable to have an efficient and clear legal regime for data transfer to foster a symbiotically advantageous economic relationship between the two sovereigns. Unfortunately, neither of the Governments has taken any urgency to initiate the formulation of rules similar to the Privacy Shield. It is worthwhile to consider whether the new Privacy Shield 2.0 could be considered and replicated in India.  If both the governments can demonstrate their intent, the groundwork for a contusive business environment for data transfer between the two sovereigns can be initiated.
References: [1] https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework/ [2] Id Image Credits: Photo by Pete Linforth from Pixabay

Currently, there are no approved mechanisms for data transfer between the EU and India like the Privacy Shield framework. Hence, the European companies are justifiably reluctant to establish business relations with our country. Since India is a hub of IT-enabled services like BPOs and KPOs, it is desirable to have an efficient and clear legal regime for data transfer to foster a symbiotically advantageous economic relationship between the two sovereigns. 

Related Posts

POST A COMMENT

IS17428 -A New Privacy Assurance Standard in India

Recently, Aditya Birla Fashion and Retail Ltd (ABFR) faced a major data breach on its e-commerce portal. As per the reports, personal information of over 5.4 million users of the platform was made public. The 700 GB data leak included personal customer details like order histories, names, dates of birth, credit card information, addresses and contact numbers. Additionally, details like salaries, religion, marital status of employees were also leaked.  Forensic and data security experts were pro-actively engaged to implement the requisite damage-control measures and launch a detailed investigation into the matter.[1] This demonstrates the need to have wider awareness and establish standardized protocols for personal data management. 

The battle of data protection and privacy currently stands at a juxtaposition with a flourishing data economy. 2021 was a watershed moment in the privacy & data protection dialogue in the country. The need for comprehensive data protection law was louder than ever and there were major initiatives on the legislative and executive front.

In June of 2021, the Bureau of India Standards (BIS) introduced IS 17428 for data privacy assurance. It is a privacy framework designed for organisations to handle the personal data of individuals that they collect or process. The certification provided by BIS for IS 17428 can be deemed as an assurance extended to the customers/users by the organizations of well-implemented privacy practice. The BIS being a statutorily created standard-setting body of our country will bring some welcome change in our data management.  

IS 17428 is divided into 2 parts[2]:

  • Part 1 deals with the Management and Engineering parameters that are mandatory for an organization to comply with. This part provides for establishing and cultivating a competent Data Privacy Management System.
  • Part 2 deals with the Engineering and Management guidelines which enable the implementation of Part 1. These guidelines are not mandatory in nature but a reference framework for an organization to implement good practices internally.

 

The Context – Privacy & Data Protection laws in India

 

The Data protection bill was expected to be tabled in parliament back in 2019 but was postponed due to the ongoing pandemic. The country was hoping to pass the bill last year, however, it was sent to the Joint Parliament Committee (JPC) for perusal. The JPC made its report on the bill public in the month of December 2021.

Also, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 had been implemented back in 2011, primarily to safeguard the sensitive personal data of individuals that are collected, processed, transferred, or stored by any organisation and enumerate security practices. The rule lays down certain practices and procedures to be followed by a stakeholder while dealing with sensitive personal data. International Standard IS/ISO/IEC 27001 is one such acceptable standard.

Later ISO27701 was specifically introduced that focused on Privacy Information Management.  However, our Indian enactment has not specifically endorsed any such standards though Standards formulated by the industry association that is approved and notified by the Central Government are also deemed appropriate.  In this background, BIS introducing a standard is a welcome initiative as it will help in bringing uniformity in terms of the implementation of privacy practices across Indian industries.

Components of Part 1 of IS 17428[3]

 
Development of Privacy Requirements:

While developing the privacy requirements of the organisation in relation to the data collected or processed, the organisation has to take into consideration various factors such as jurisdiction, statutory requirements and business needs.

Personal Data Collection and Limitation:

The organisation is permitted to collect the personal information of the individuals, provided the same has been consented to by such individuals.

Privacy notice: 

The organisation is bound to provide a notice to individuals while collecting information from them and when such collection is through an indirect method employed by the organisation, then it is the duty of the former to convey by the same in an unambiguous and legitimate means.

The contents of a privacy notice at the minimum should include the following[4]:

  • Name and Address of the entity collecting the personal data
  • Name and Address of the entity retaining the personal data, if different from above
  • Types and categories of personal data collected
  • Purpose of collection and processing
  • Recipients of personal data, including any transfers
Choice and Consent:

As mentioned earlier, while collecting information, the organisation should get the consent of the individual at the initiation of the process while offering such individuals the choice of the information that they consent to disclose. This entire process should be done in a lawful manner and according to the privacy policies implemented by the organisation.

Data Accuracy: 

The data collected by the organisation should be accurate, and in case it is inaccurate, it should be corrected promptly.

Use Limitation: 

The data collected by the organisation should be used for the legitimate purpose for which it was agreed upon and it shall not be used for any other purposes.

Security: 

The organisation should implement a strict security program to ensure that the information collected is not breached or compromised in any manner.

Data Privacy Management System: 

The organisation is required to establish a Data Privacy Management System (DPMS). The DPMS shall act as a point of reference and baseline for the organisation’s privacy requirements/objectives.

Privacy Objectives: 

The privacy objective of the organisation shall be fixed and set out by the organisation itself. While determining the objectives the organisation shall also look into various factors such as the nature of business operations involving the GDPR processing of personal information, the industry domain, type of individuals, the extent to which the processed information is outsourced and the personal information collected. Moreover, the organisation shall also ensure that the objectives are in alignment with its privacy policy, business objectives and the geographical distribution of its operations.

Personal Data Storage Limitation: 

The organisation shall be allowed to retain the information collected from the individual only for a specific time period as required by the law or the completion of the purpose for which it was collected in the first place. The individual shall have the right to delete their personal information from the organisation database upon request.

Privacy Policy: 

The organisation shall create and implement a privacy policy that shall determine the scope and be applicable to all its business affiliates. The senior management of the organisation shall be in charge of the data privacy function. Moreover, the privacy policy should be in consonance with the privacy objectives of the organisation.

Records and Document Management

The organisation shall keep a record of its processing activities which shall, in turn, ensure responsibility towards the compliance of data privacy. The possible way to achieve such a standard is to lay out procedures that help to identify various records. While laying out procedures, the organisation shall take into consideration certain factors such as a record of logs that demonstrate affirmative action and options chosen by individuals on privacy consent and notice, evidence of capture events related to access or use of personal information, and retention period of obsolete documents.

Privacy Impact Assessment: 

A privacy impact assessment shall be carried out by the organisation from time to time. Such an assessment shall help in estimating the changes and the impact that they can possibly have on the data privacy of the individuals.

Privacy Risk Management

The organisation shall put in place and document a privacy risk management methodology. The methodology shall determine how the risks are managed and how the risks are kept at an acceptable level.

Grievance Redress:  

A grievance redressal mechanism shall be established by the organisation to handle the grievances of the individuals promptly. The organisation shall ensure that the contact information of the grievance officer shall be displayed or published and that they have the channel of receiving complaints from the individuals. Moreover, the organisation shall also make it clear as to the provision for escalation and appeal and the timelines for resolution of the grievance.

Periodic Audits: 

The organisation shall conduct periodic audits for the data privacy management system. The audit shall be conducted by an independent authority competent in data privacy, internal or external to the organization, at a periodicity appropriate for the organization, at least once a year.

Privacy Incident Management: 

Privacy breaches and data privacy incidents shall be reported regularly and the organisation shall come up with a mechanism to manage such incidents. The process shall involve identifying the incident at the first stage and investigating the root cause, preparing analysis and correcting the incidents in the second stage. The last stage is basically informing the key stakeholders including Data Privacy Authority about the breach or incident.

Data Subject’s Request Management: 

The organisation shall develop a mechanism to respond to requests from individuals concerning their personal data. This process shall include the means to verify the identity of the individual, provision access to the information and the means to update the information.

 

How IS 17428 would help in Privacy and Data Protection? 

 

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (RSPP and SPDI rules) had been the only law for organisations to follow. The rules did not prescribe or detail any specific requirements or standards in relation to personal data management and in the absence of formulated standards for the protection of the sensitive personal data of individuals, industry bodies were struggling to have uniform procedures. 

This being the case, introducing specific standards for personal data management will bring more clarity and will help companies to adhere to an approved standard prescribed by a government agency. Moreover, principles narrated in this standard are in accordance with the Internationally recognised privacy principles and will help Indian companies to proffer confidence when dealing with their commercial counterparts.

Introduction of record and document management, risk assessment and data subject request management are a few of the aspects that bring onerous responsibilities on companies making them more accountable and transparent.  These aspects have laid down procedures and mechanisms for an organisation to improve their privacy management, for example, introducing processes such as verification of identity, access to information, evidence of capture events of consent and retention period of obsolete documents.

 

The proposed data protection legislation and the IS 17428

 

The IS 17428 standard has been inspired primarily from the principles dictated from OECD privacy principles, GDPR and ISO27701. The proposed data protection legislation on the other hand has many divergences from the above instruments in many respects. For Instance, the IS standard has an elaborate description provided for the privacy objective of the organisation and the factors that need to be taken into account. Most of these objectives are covered under Sections 22 and 23 of the draft Bill but nevertheless, the standard has recommended a few other factors such as geographical operation, industrial domain and type of individuals as specific factors to be taken into consideration while drafting the privacy objectives. How much discretionary privacy standards can be created, what is allowed freedom for industries in this regard is unclear.

Section 28 of the draft bill talks about the records and document management of the data collected or processed and the standard covers almost every bit of the section. In addition to the consideration mentioned under the bill, the standard goes forward and echoes the need to establish a policy on the preservation of obsolete policies and process documents. Data and record-keeping should be for a defined period. The majority of other legislation prescribes an average of 7 years of data-keeping. Keeping any data beyond such a reasonable period may not serve many purposes. Why this standard has prescribed such obsolete data retention is again unclear.

The standard could be made effective by only having an enactment for data protection legislation in place. For instance, the grievance redressal mechanism, though the standards do envisage an appeal mechanism, they do not establish appeal machinery. This part of the standard can be put to use only after the Data Protection Authority as per section 32 is constituted. The standard also calls for an investigative process in the event of any breach or compromise of data. The organisation is welcome to conduct an onsite or internal investigation into the breach or incidents, but once again an independent authority to investigate in a legitimate and fair manner is required.

In short, I am afraid, has it failed to take into account the special requirements contemplated under the PDPB, 2019 which may eventually become the law of the country thereby, once this law is enacted, this standard will also be required to be modified. The government has not made any announcement as per the RSPP and SPDI rules, that IS 17428 is an appropriate standard certifying the compliance of personal data management. In the absence of such explicit endorsement, the ambiguity continues as to whether the adoption of this standard is sufficient compliance under the said rules.

Finally, with the Data protection bill around the corner, the Data Protection Authority envisaged being constituted under the legislation which shall have the power to issue code, guidelines, and best practices for protecting the privacy of data subjects. How IS 17428 standards framed by the BIS will be looked at by the DPA or the proposed rule will offer a different set of practices shall be an interesting development to observe.

References:

[1] https://economictimes.indiatimes.com/industry/cons-products/fashion-/-cosmetics-/-jewellery/abfrl-faces-data-breach-on-its-portal/articleshow/88930807.cms

[2] The IS 17438 was established on November 20, 2020 and notified in the official gazette on December 4, 2020. Please see the notification available at: https://egazette.nic.in/WriteReadData/2020/223869.pdf (last visited Jan 18, 2022).

[3] Supra note 2.

[4] Sub-clause 4.2.2 of the IS Requirements: “Privacy Notice”.

 

 

Photo Credits:

Image by Darwin Laganzon from Pixabay 

Introduction of record and document management, risk assessment and data subject request management are a few of the aspects that bring onerous responsibilities on companies making them more accountable and transparent.  These aspects have laid down procedures and mechanisms for an organisation to improve their privacy management, for example, introducing processes such as verification of identity, access to information, evidence of capture events of consent and retention period of obsolete documents.

Related Posts

POST A COMMENT

Bulk Data Sharing & Procedure Notification - A Data Breach?

  • 31 July, 2019
  • Indran M.B

In this digital era, data has become one of the most valuable assets to own. Elections have been won and international alliances have toppled because of support that could be garnered by utilizing data analytics. While heated debate surrounding data breaches by private entities baffles the world, at home, it is accused that the Indian Government has monetized from sale of personal data of Individuals, in the pretext of public purposes” under a notification released by the Ministry of Road Transport and Highways in March 2019 titled “Bulk Data Sharing & Procedure”.

In July 2019, a parliamentary debate pertaining to “sale of data” by the State was raised because the Government had provided access to databases containing driving license and vehicle registration details to private companies and Government entities and generated revenue out of them.  The two databases of Ministry of Road Transport and Highways named Vahan and Sarathi were under discussion.  These databases contained details such as vehicle owner’s names, registration details, chasis number, engine number, and driving license related particulars of individuals.  These details amount to personal information by which an individual could be identified (“Personal Data”).  

The sale of data was pursuant to a notification released by the Ministry of Road Transport and Highways in March 2019 titled Bulk Data Sharing & Procedure wherein a policy framework on sale of bulk data relating to driving license and vehicle registration was introduced.  Among other things, this writeup discusses whether such sale of Personal Data for revenue generation is acceptable in light of privacy as a fundamental right and the Data Protection Bill 2018? and whether such access constitutes data breach? 

 

Bulk Data Sharing & Procedure Notification 

The “Bulk Data Sharing & Procedure” notification by the Ministry of Road Transport and Highways states the purpose for which bulk data access would be  provided: 

it is recognized that sharing this data for other purposes, in a controlled manner, can support the transport and automobile industry.  The sharing of data will also help in service improvements and wider benefits to citizens & Government. In addition, it will also benefit the country’s economy”.  

As per the notification, only such entities that qualify the eligibility criteria would be provided access to bulk data.  The eligibility criteria are that an entity should be registered in India with at least 50% Indian ownership, such bulk data should be processed/stored in Servers/Data Centers in India, and the entity should have obtained security pre-audit report from CERT-In empanelled auditor.  The bulk data access would be provided for a price.  

Commercial organizations could have such data for an amount of INR 3 crores and educational institutions could have them for 5 lakhs.  As per the notification, the bulk data will be provided in encrypted form with restricted access.  Such entities would be restricted from any activity that would identify individuals using such data sets.  The entities would be required to follow certain protocols for data loss prevention, access controls, audit logs, security and vulnerability.  Violation of these protocols is punishable under the Information Technology Act, 2000. 

The Ministry of Road Transport and Highways has in accordance with this policy framework provided database access to 87 private companies and 32 government entities for a price of 65 crores resulting in Personal Data of all individuals being accessible to them.  The Data Principal (the individual whose information is in the database) has no knowledge or control over any use or misuse of his/her information.   

In any data protection framework worldwide, the Data Principal’s consent should be sought stating the purpose for which data ought to be used.  It is only pursuant to Data Principal’s consent that any information can be processed.  On the contrary, providing access to Personal Data to third party private companies without any consent of the Data Principal will keep them out of effective control.  This is against the basic principles of data protection. 

 

Proposed Legislation for Data Protection 

India is on the verge of a new Data Protection Act as the bill is being placed in the Parliament.  The Data Protection Bill, 2018 contains certain provisions to address the above-mentioned issues.  Section 5 of the Data Protection Bill states when personal data can be processed.  Personal Data shall be allowed only for such purposes that are  clear, specific, and lawful.  Section 5 is extracted below: 

  1. Purpose limitation— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.

Moreover, the relevant enactment regulating driving license and vehicle registration i.e. Motor Vehicle Act does not explicitly permit the State to sell or provide third parties access to Personal Data for generation of revenue.  Therefore, there is no clear, specific, or lawful indication of such access in the enactment.  The question arises whether access to bulk Personal Data can be interpreted as an “incidental purpose” that “data principal would reasonably expect”.  The data principal has provided this information only for the purpose of grant of motor vehicle license and vehicle registration.  The Data Principal ought not have expected his/her data to be sold by the Government. 

Section 13 of the Data Protection Bill is also of relevance here because it authorizes the State to process Personal Data for provision of services, benefit or issuance of certification, licenses or permits.  Section 13 is extracted below: 

Section 13 – Processing of personal data for functions of the State. — Personal data may be processed if such processing is necessary for excise of the functions of the State authorised by law for: (a) the provision of any service or benefit to the data principal from the State. (b) the issuance of any certification, license, or permit for any action or activity of the data principal of the State. 

 

By this section, the State is authorized to use Personal Data for grant of license or permits or to provide any benefit or service.  However, whether the State is authorized to give access to Personal Data to third party private companies is unclear. 

Section 17 of the Data Protection Bill tries to shed some light on this anomaly.  The section states that Personal Data may be processed for “reasonable purposes” after considering if there is any public interest involved in processing the same.  What constitutes reasonable purpose is yet to be specified by the Data Protection Authority to be constituted.  Section 17 is extracted hereunder: 

  1. Processing of data for reasonable purposes. — 

(1) In addition to the grounds for processing contained in section12 to section 16, personal data may be processed if such processing is necessary for such reasonable purposes as may be specified after taking into consideration— 

(a) the interest of the data fiduciary in processing for that purpose; 

(b) whether the data fiduciary can reasonably be expected to obtain the consent of the data principal; 

(c) any public interest in processing for that purpose; 

(d) the effect of the processing activity on the rights of the data principal; and 

(e) the reasonable expectations of the data principal having regard to the context of the processing. 

(2) For the purpose of sub-section (1), the Authority may specify reasonable purposes related to the following activities, including— 

(a) prevention and detection of any unlawful activity including fraud; 

(b) whistle blowing; 

(c) mergers and acquisitions; 

(d) network and information security; 

(e) credit scoring; 

(f) recovery of debt; 

(g) processing of publicly available personal data; 

(3) Where the Authority specifies a reasonable purpose under sub-section (1), it shall: (a) lay down such safeguards as may be appropriate to ensure the protection of the rights of data principals; and (b) determine where the provision of notice under section 8 would not apply having regard to whether such provision would substantially prejudice the relevant reasonable purpose. 

 

Section 17, therefore, clarifies that when there is any public interest involved, the State may provide access to publicly available personal data to third parties.  This read with Section 13 indicates that State is not required to get the consent of Data Principal in order to provide services and benefits.   

 

Whether the State has provided access to personal data for public interest or to provide services and benefits? 

The Bulk Data Processing & Procedure notification states that the purpose of providing access of bulk Personal Data is to “support the transport and automobile industry” & “help in service improvements and wider benefits to citizens & Government”.  Supporting the transport and automobile industry and improving services may qualify as public interest, whereas, mere revenue generation will not.  However, there is no clarification from the Government as to how these private companies to whom database access is being provided assist in public interest.  Further, whether all driving license and registration details related data can be classified as publicly available information is again contentious and questionable as the information provided therein is intended to be provided only to license holders & vehicle owners and is partially masked. 

In the event if this Personal Data is not construed as public data or these public companies have been given access to personal data in the absence of any public interest, it would result  in personal data breach by the Government Departments where the head of Department will be held liable as per section 96 of the Data Protection Bill. 

It is quite preposterous to note that on the one hand Data Protection Bill is being tabled in parliament and on the other, the Government is selling Personal Data of the general public for economic gains.  Whether it results in the exploitation of personal and private data on the pretext of public interest without an individual’s consent needs to be ascertained. 

Image Credits:

Photo by Markus Spiske on Unsplash

 

It is quite preposterous to note that on the one hand Data Protection Bill is being tabled in parliament and on the other, the Government is selling Personal Data of the general public for economic gains.

Related Posts

POST A COMMENT