Top

Loose legal terms in Data Act pose risk

Experts say terms open to different interpretations.

Hyderabad: Cyber security experts are concerned that there are many loose legal terms in the Personal Data Protection Bill, 2019, which has been sent to a Joint Parliamentary Committee for review. It leaves a lot of room for everybody, and it gives more power to the government to look into the personal data of individuals, they said.

The experts did however say that the Bill would help create "cyber hygiene" and curb fake news.

Palash Verma, Information security analyst at Cyber Ops, told Deccan Chronicle that the “Bill has very loose legal terms that give a lot of room to anybody. The idea behind the Bill is to protect the data of Indian citizens. But it has been phrased in a manner that rather than increasing privacy it will reduce privacy. It will allow companies to access personal data as the phrasing of the Bill is not legally strongly".

Commenting on the division of data, he said that data has been divided into personal, sensitive and critical personal. As stated in the Bill, critical personal data will never leave India. It will not be processed by any third party outside of India. Sensitive personal data like health care data and Aadhaar card details might be given to certain third parties with exceptions.

Allaying apprehensions that exemptions in the bill are problematic, he said, “All the rules have been set and there are various expectations through which the bill can be bypassed. For sensitive data and critical data there are exceptions like search engines can access data which is problematic.”

One is that any agency of the government can be exempted from the applicability of the law.

Mr Sai Krishna, chairman of the Global Cyber Security Forum is critical of this. “They state the reason is that it is in the interests of national security. It is contradicting the Supreme Court judgment of 2017, which mandates the government to declare a specific objective for collecting private data. This bill gives blanket approval to any government agency to process citizens’ data. On one side you claim that you are the hero of your data and it is a fundamental right and on the other side the bill gives access to the government. The purpose should be clearly defined — the purpose as stated by apex court,” Mr Krishna said.

In an email conversation with this reporter, Mr Khushhal Kaushik, founder and CEO of Lisianthus Tech and a globally known ethical hacker, said, “Each social media intermediary is classified as a ‘critical data fiduciary’, which will enable users in India to voluntarily verify their accounts. Any user undergoing such voluntary verification must be provided with a mark of verification that is visible to all users of the service. This will curb anti-national activities and fake news and fake profile.”

Mr Kaushik, who is the first Indian cyber security expert to get an article published in Unesco’s Annual Magazine, said, “After enacting this Bill into a law, the problems of data theft would be stopped and now you will be the owner of your data. Without your permission no one will be able to use your data. If he does then he will have to face legal action.”

He said, “If someone wants to take the data out of your country, then they have to take the permission of the government, without which the data of the government cannot be taken out, which is a good thing. Much more has been left in this bill which strengthens it and it will be further consolidated but the government should insist on bringing the data centre to India so that the bill and the security of the country can be strengthened further.”

Mr Kaushik added that the government had curbed private companies but the government will store data with itself. “If there is any data breach from the government, who will be responsible? Nothing is 100 per cent secure,” he said.

"Cyber hygiene will come into the picture. With SMS service providers a lot of violations are happening. This bill will provide better immunity to citizens and penalise companies who misuse your data,” added Mr Krishna.

Next Story