India is a country at the cross-roads of transformation. As one of the fastest-growing economies, it is expected to be the most populous country in the world in a few years, potentially home to about 20 percent of the world population. Therefore, events in India are becoming increasingly relevant from an economic as well as geopolitical perspective.
The advent of the General Data Protection Regulation (GDPR) has brought significant focus globally and in India on privacy. The interest in privacy goes beyond the transactional and operational aspects. It explores deeper into the basis and relevance for privacy.
It is in this context that a landmark judgment delivered in August 2017 by The Supreme Court of India assumes significance. A nine-judge bench of the Supreme Court delivered the order that privacy is a fundamental right and an intrinsic part of the right to life and personal liberty guaranteed by the Constitution of India. The judgment has settled the debate on the matter and has meant that initiatives and activities of the government, as well as those of private enterprises and organizations, will need to ensure that privacy of individuals is protected.
A committee was formed by the Indian government in 2012 under the chairmanship of the former Chief Justice of the Delhi High Court to draft a paper that would facilitate the authoring of a privacy law for India. The committee suggested a detailed framework to serve the conceptual foundation for the proposed privacy law and mentioned the following features that should be included:
- Technological neutrality and interoperability with international standards. This feature recognizes the need to preserve privacy in the face of ever-changing technology. It also recognizes the need to be in harmony with international regimes to create trust for cross-border data flow.
- Multi-dimensional privacy. This aspect recognizes that privacy protection involves different types of data and different methods of communication and storage.
- Horizontal applicability. The frameworks should not discriminate between the government and private enterprise in matters related to protection of privacy.
- Conformity with the privacy principles. The committee has laid down privacy principles that are in conformity with globally recognized principles such as choice, collection limitation, etc.
- Co-regulatory enforcement regime. The committee has recommended a structure for regulators and emphasized the need for self-regulatory industry or sector-specific bodies.
India has now set into motion discussions for a data protection law. The government has assembled a committee to study various aspects needed to create a bill under the chairmanship of Justice Srikrishna, former Supreme Court judge. The proposed law is expected to address data privacy in a holistic manner. The committee had issued a white paper to solicit opinion from various stakeholders and the public on multiple aspects, including the content of the law.
GDPR has been a significant step that has spurred discussions around data protection and privacy across the globe, and India is no exception. Given the significance of information technology to India’s growth, the interest is natural. In terms of population, India is about 2.5 times that of the EU. The impact and significance of the data protection law in India is likely to be even higher. It is certain that India is on a path that is in sync with the global direction.
Editor’s note: To view ISACA’s resources on GDPR, visit www.isaca.org/GDPR.
Sandeep Godbole, CISA, CISM, CGEIT, CISSP, CEH, Past President of ISACA Pune Chapter
[ISACA Now Blog]