Need special law to regulate State’s tech surveillance: Justice Srikrishna : 27-11-2019

The Indian government should frame new laws to regulate the monitoring of its citizens by state agencies that may use technology tools, said Justice BN Srikrishna.

“There should be a special law passed because this kind of access can happen on various platforms,” the former Supreme Court judge told ET in an exclusive interview.

Justice Srikrishna led a panel that finalised a personal data protection framework for the country and a draft data protection bill that was submitted to the government in July 2018.

Pointing to the need for a separate legislation that governs the terms under which the government can resort to surveillance, Srikrishna said there should be clarity on “under what circumstances, who can do it, and what is the procedure” for such actions by the state.

He was commenting on the revelations earlier this year that a vulnerability was exploited to inject malware in the messaging app WhatsApp that affected 121 users in India. WhatsApp has accused Israeli cyber intelligence firm NSO of injecting the malware Pegasus to snoop on over 1,400 people globally.

Separately, Justice Srikrishna also called for speedy enactment of the proposed personal data protection bill.

“There is no law today which protects our privacy and nothing prevents an officer from taking away a citizen’s data,” he said.

The government has notified that the personal data protection bill will be placed before Parliament in the current session.

“Move they must and fast. Because data protection has become a buzzword in the country and simultaneously they (government) must ensure that breaches are stopped, security has to be improved,” Justice Srikrishna said.

Commenting on the issue of diluting the data localisation clause to enable only critical data to be stored in India, Justice Srikrishna said that one copy of all personal data of Indian citizens needs to be stored within the country as this will enable “access” in case of law and order situations.

Other options to source Indian user data from foreign locations — through the MLATs (mutual legal assistance treaties), for instance — are too long-drawn and can take anywhere from 18 months to two years, he said. The Srikrishna Committee has recommended that critical data be stored exclusively in India while one copy of all personal data is required to be stored within the country.

The government is yet to announce its final stance on the issue of data localisation.

It has also set up a separate committee under Infosys cofounder S Gopalakrishnan to determine how to regulate nonpersonal data.

Justice Srikrishna said that principles such as the doctrine of estate under the property laws — which says that if a property doesn’t belong to anyone then it belongs to the government — should be applied to community data. He also said that all non-personal data should remain anonymous when it is shared and should not be submitted for analysis with an aim to profiling people.

“Community data doesn’t belong to any person, (then) whose consent are you going to take?” he said.

Justice Srikrishna said the committee under him was tasked with looking at personal data. It had only flagged some of the issues with non-personal data, such as who controls it. “If there are complex issues which need to be addressed, it’s better to (keep them) separate (from the personal data protection bill),” he said.

Source : Economic Times