By Rishika Taneja
With the recently presented report and draft bill, the Justice B.N. Srikrishna-led committee of experts has set the foundation for the data protection architecture of the second largest market of internet users in the world. The committee was appointed by the government in the wake of the challenges faced by the Aadhaar program in the Supreme Court.
The draft bill seeks to define the fundamental contours of the relationships between users and companies/government entities with whom they share their data—namely data principals and data fiduciaries/data processors respectively. The bill places an overarching obligation on all data fiduciaries to follow a ‘fair and reasonable’ way of processing personal data. The committee has also recommended consequential amendments to several other laws, including the Information Technology Act and the Right to Information Act.
The draft bill is a notable step in India’s pursuit of a free and fair digital economy, but even as it advances the interest of data protection, it falls short on many fronts.
The bill undeniably empowers citizens against private parties by premising itself on a consent-based framework insisting on the requirement of “explicit consent” for sensitive personal data. However, it also empowers the State against its citizens through broad exemptions in the State’s use of data. These include the processing of personal data and sensitive personal data of the data principal for “any function of the Parliament or State Legislature” or as “authorised by law for the provision of any service or benefit to the data principal”.
Additionally, government authorities are exempt from securing consent when the State issues certifications, permits or licenses. The committee’s justification for these variable standards for the State and private actors is premised on the fact that for “genuine consent” to be operationalised in such circumstances, “collective interests stand to suffer”. The reasoning presented in the report to buttress this provision does not adequately explain why such collective interest may be paralysed only in the event of provision of services by the State, while private entities will need to follow the consent approach despite competing in the same market as the State.
In its justification, the committee observed that the interaction between the State and the citizen is incomparable to that of a consumer entering into a contract with a service provider, where “the option available to a consumer in refusing an onerous contract and choosing another service provider is not available to a person seeking a welfare benefit from the state”. This should not imply ceding consent but perhaps putting in place additional safeguards beyond consent.
Presently, there is a general law that applies to the collection of personal data for intelligence gathering and surveillance. The committee also highlighted several deficiencies in the interception framework under the Telegraph Act and Rules, especially in the oversight mechanism. The data protection draft bill, however, curiously refrains from addressing these issues, even though the report cites surveillance laws adopted in the US, Germany and South Africa to guide the thinking of the government on this issue. This is a significant gap in the privacy framework advocated by the committee, given that surveillance is perhaps the most potent threat to privacy from the state.
The bill envisages the concept of data localisation whereby data-processing entities, or data fiduciaries, are mandated to store at least one copy of all personal data being processed on a server within the Indian territory. Certain categories of data that will be specified as critical personal data by the government must also be stored in India. But the bill provides no clarity or illustrative examples of what may classify as critical, thereby giving broad powers to the central government.
The committee’s report justifies data localisation by stating that “a policy of storage and processing of personal data within the territorial jurisdiction of a country is advocated to ensure effective enforcement and to secure the critical interests of the nation state.” However, this concept runs counter to the very tenets of a liberal economy and a seamless worldwide internet, thereby creating potential barriers to trade by imposing additional costs and burdens on data fiduciaries to set up data centres in India without any proportional benefit. The committee has cited a lack of evidence of the prohibitive costs of imposing such requirements. However, this reasoning belies policy prudence, which would require a more in-depth study of the impact of these restrictions on market efficiency and innovation.
Long way to go
Notwithstanding the shortcomings of the report and bill submitted by the Srikrishna Committee, it marks a watershed moment in the domain of data protection in India. The bill contains some noteworthy provisions, which the Committee has rightly recognised and inserted. These include the recognition of the privacy principles of collection and purpose limitation, serving as strong data protection obligations in consonance with the EU’s General Data Protection Regulation; the privacy-by-design concept; tall requirements for defining consent; broader definitions, including a comprehensive list of what is encompassed under sensitive personal data, such as religious and political beliefs and transgender status; horizontal application to both government and private actors; and steep penalties for violations.
While the Justice KS Puttaswamy v Union of India judgement reaffirming the status of privacy as a fundamental right was indeed a big win for the country, there are many battles to be fought.
Rishika Taneja is an advocate, and co-author of Privacy Law: Principles, Injunctions, and Compensation, which was cited by the Supreme Court in KS Puttaswamy v Union of India.