Exclusive Analysis: New Rights in Proposed Data Privacy BillPanel of Experts Outlines Gaps, Addresses Implementation Challenges
The B.N. Srikrishna Committee, in its report on a proposed data protection bill, spells out a number of consumer privacy rights, including the "right to be forgotten." What challenges would organizations face if these provisions become law?
Information Security Media Group assembled a panel of three security experts to offer analysis of the proposed legislation in an exclusive, in-depth audio interview (see link below image). This is part two of the discussion. To hear part one, which dealt with other provisions of the draft bill, see: Exclusive Analysis: India's Proposed Data Privacy Bill's Provisions.
A Conditional Right
Delhi-based Pavan Duggal, advocate, Supreme Court of India and cyber law expert, says the proposed "right to be forgotten" in the bill is conditional by nature. "The right to be forgotten is not a complete right that is being proposed under the proposed bill. It's a right not to display information and not [actually] the right to remove information," Duggal explains. "So it's a very conditional right that is being done. India needs to relook at the entire issue of intermediary liability ... to actually force them to give a complete right to be forgotten to Indian citizens."
Mumbai-based Shivangi Nadkarni, co-founder and CEO of Arrka Consulting, stresses that the other rights mentioned in the proposed bill also could have a big impact. "The right to access, the right to confirmation, the right to correction are [all] ... very powerful," she says. "Today ... I have absolutely no control over the data that [entities] pick up about me. ... There is a whole bunch of below-the-surface data that gets picked up, which is meta data, online identifiers, device identifiers and location data. That data spreads across so many entities [without your knowledge]. ... Today I have no idea ... who has access to my data."
Bangalore-based Gagandeep Singh, head of the risk advisory practice for Asia Pacific and Japan at Aujas Networks, says that organizations will face bigger challenges than just implementing new consumer rights if the draft bill becomes a law.
"The bigger challenge is [when] it has to be determined where the 'right to be forgotten' is clashing with data retention policies [required] by some other standards or external compliance requirement of the organization," he says.
In the panel discussion (see audio link below images), the experts discuss:
- The challenges involved in implementing privacy by design;
- What policies need to be focused on when moving to privacy by design;
- Innovations in privacy by design.
Duggal, a practicing advocate at the Supreme Court of India, is an authority on cyber and ecommerce law who has authored many books, articles, blogs and columns on cyber law and cybersecurity.
Nadkarni, co-founder and CEO of Arrka Consulting has over 22 years of experience in information risk and privacy, e-commerce and networks. She previously headed the global application security and identity management practice at Wipro, establishing India's first licensed certifying authority for digital signatures in collaboration with Sify.
Singh is head of the risk advisory practice for Asia Pacific and Japan at Aujas Networks. Singh was deputed to UIDAI as its CISO from Aujas. He previously worked at Hewlett Packard in technology services, leading network and security solutions business development for telecom, large enterprise and government verticals.
( Principal Correspondent Suparna Goswami and Senior Editor Varun Haran contributed to this report )