The 10-member “committee of experts” headed by former Supreme Court Justice B N Srikrishna is finally set to submit the draft of the Data Protection Bill after a number of delays. The draft will later be introduced in the Parliament, subject to the government’s agreement on the same (with or without modifications).
While the draft may not be implemented retrospectively, to keep the Aadhaar controversies out of its ambit, there are reportedly many measures suggested in the draft (such as a requirement that data be stored locally) that could give private companies, from startups to MNCs, a run for their money, given that a large number of Indian businesses run on a thin margin of profit.
While a certain transition period is expected for startups as well as other companies to comply with the law, startups have their own expectations from the report. A Zomato spokesperson told Inc42, “The expectation from the Srikrishna Committee is that while it should be in sync with global standards, it should also incorporate the nuances of India’s business scenario.” The spokesperson added that the Srikrishna committee “must look into defining personally identifiable information in view of India’s scenario, data portability, and non-digital information handling.”
Unlike GDPR, the development of the draft Data Protection Bill in India, so far, has been revolutionary in nature rather than evolutionary.
Speaking to Inc42, Anirudh Rastogi, founder and managing partner, TRA Law, explained, “The GDPR is the culmination of a process that began, concretely, with the OECD Privacy Guidelines in the 1980s. As a result, it’s also grounded in privacy principles that emerged decades ago, many of which need to be re-looked at when applied to a Big Data/IoT world. For instance, data minimization is a principle in the GDPR, where businesses are required to use only that much data that is needed for a specific purpose. When coupled with the requirement that consent has to be clear, and purpose specific, we are looking at a situation where businesses must go back to the data subject and collect their consent for every new potential use case.”
As users’ consent has been at the core of data privacy regulations, Anirudh added that, in theory, this sounds like a great plus for user privacy. However, it also creates the problem of consent fatigue, where an individual is faced with the prospect of reading multiple privacy notices and consenting to specific use cases, repeatedly, across multiple devices, platforms, and services.
“This framework — the “notice and consent framework” — is the bedrock of most data protection frameworks around the world, but is broken. India would do well to address this in its new data protection law. Since we’re starting from scratch, we can develop a framework that works today. Notice- and consent-based frameworks were developed in a much simpler time, where we weren’t flooded with privacy notices from multiple web services and applications, constantly. Of course, consent is fundamental, but operationalising consent needs a re-look.” — Nehaa Chaudhari, Public Policy Lead, TRA Law
In contrast to the development of the GDPR, India has apparently been on a fast track while developing the draft, despite the delay. However, there is still a long way to go from introducing the data protection bill in the Parliament to getting it enacted. A glass, half filled, half empty. A battle half won.
Let’s take a look at some of the twists and turns which put the Indian government under pressure to push data protection and privacy rollout at the earliest!
Data Protection Bill Draft: The First Breakthrough
While the data debate has always existed in bits and pieces, the Indian discourse on data and the right to privacy and to ‘choose’ what information one accesses on the Internet caught the people’s imagination only after the Aadhaar project (along with the leaks) came to light and Facebook’s now-defunct (in India) plan of providing ‘Free Basics’ (with controlled freebies) was shot down.
The data debate in India has seen participation from all quarters — right from popular comedians AIB to activists who came together to save the Internet from being controlled by some third party/service provider. With the TRAI having turned down Facebook’s Free Basics programme, it was perhaps the campaign in the name of net neutrality that made people at large aware of the importance of data privacy and the information they can access on the Internet.
However, the biggest breakthrough relating to data protection happened only on August 24, 2017, when a nine-member bench of the Supreme Court (SC) of India, in its 547-page historic judgment, gave a unanimous verdict that the Right to Privacy is a fundamental right. The judgment was a huge setback to the government’s Aadhaar policy.
“Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.” — The Supreme Court of India
The Indian government had so far maintained that there was no such ‘right to privacy’ in the Constitution. The Supreme Court overruled this and observed: “Every individual should have a right to be able to exercise control over his/her own life and image as portrayed to the world and to control the commercial use of his/her identity. This also means that an individual may be permitted to prevent others from using his image, name, and other aspects of his/her personal life and identity for commercial purposes without his/her consent.”
The apex court, taking note of data privacy legislation around the world, in Europe in particular, asked the government to introduce a data protection bill for better clarity and understanding of the right to privacy.
Srikrishna Committee And The Seven-Point Data Protection Framework
Amid growing public discontent over the massive Aadhaar data leaks, and also taking a cue from the Supreme Court’s judgment, the Indian government, on July 31, 2017, set up a committee of experts to examine issues related to data protection, recommend methods to address them, and draft a data protection law.
The Srikrishna committee, chaired by former Supreme Court Justice B N Srikrishna, comprises the following members — department of telecom secretary Aruna Sundararajan, UIDAI head Ajay Bhushan Pandey, Ministry of Electronics and Information Technology (MeitY) additional secretary Ajay Kumar, IIT-Raipur director Rajat Moona, national cybersecurity coordinator Gulshan Rai, IIM-Indore director Rishikesha Krishnan, Vidhi Centre for Legal Policy’s Arghya Sengupta, and Data Security Council of India’s Rama Vedashree.
The Srikrishna committee released a white paper on 27 November 2017, inviting various stakeholders to send their comments, suggestions, and other inputs on the Data Protection Bill draft, which, if found valid by the committee, would be incorporated in the draft.
The data protection framework released by the Srikrishna committee recognised the following seven points as the key principles of a data protection law:
- Technology agnosticism: The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.
- Holistic application: The law must apply to both private sector entities and the government. Differential obligations may be carved out in the law for certain legitimate state aims.
- Informed consent: Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria.
- Data minimisation: Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject.
- Controller accountability: The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing.
- Structured enforcement: Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms.
- Deterrent penalties: Penalties on wrongful processing must be adequate to ensure deterrence.
Anirudh stated, “In its white paper, the Srikrishna Committee looks at not only the EU’s GDPR, but also data protection laws from the United States, Canada, South Africa, Australia and the UK. India’s new data protection law can look to not just the GDPR, but also privacy frameworks from other countries. That said, while we should have had a strong privacy law long before, we are also now uniquely situated to develop a privacy/data protection framework that works for India in the 21st century, and works for a Big Data/IoT driven world.”
The Controversy: ‘Rhetoric’ To Divert Attention From Fundamental Rights Of Citizens
While many were of the view that the seven principles would guide the Srikrishna committee to help formulate one of the best data protection laws in the world, former Supreme Court Judge M Jagannadha Rao asserted that the “rhetoric” in the white paper released by the Srikrishna Committee was meant to divert public attention from the fundamental rights of citizens to other issues that are not relevant from the point of view of fundamental rights of citizens.
Justice BN Srikrishna had earlier averred that data privacy across the country is not a problem as such but data protection is.
In a letter addressed to the Srikrishna committee, Justice Rao stated that the white paper referred to the collection of data but “not to the boundaries of the right to collection of data which is the essence of the Supreme Court judgment.”
“There is absolutely no discussion on these vital aspects, as to where the privacy rights start and where the state’s surveillance must stop,” he wrote.
Not only Justice Rao but also many other lawyers and organisations, such as Save Our Privacy and the Internet Freedom Foundation, have written to the Srikrishna committee. It remains to be seen whether the inputs provided by these parties have been incorporated in the draft.
What Does The Data Protection Bill Draft Say?
After initially refusing to disclose the content of the draft, the MeitY, after one Paras Nath Singh filed an RTI, disclosed the minutes of meetings of the Srikrishna committee, according to which Aadhaar was just a subset of the draft’s subject matter. The chairman of the committee, Justice Srikrishna, formed four different working groups to address aspects like big data and emerging technologies, the scope and exemptions of the law, the grounds of processing data, the rights and obligations of parties, and enforcement of the law.
Right to be Forgotten: The Srikrishna committee report incorporates some of the core strengths of the EU’s new General Data Protection Regulation (GDPR), including the Right to be Forgotten; it has reportedly allowed data principals to approach the data ombudsman with requests for the Right to be Forgotten, which will be granted on the basis of criteria laid out in the draft law. However, unlike under the GDPR, the right is subject to the data ombudsman’s decision.
Data Localisation: The committee report has reportedly taken the view that personal data are too ‘critical’ to be taken outside the country. A clear intention was already laid out in the white paper submitted in November last year, with an entire chapter (Chapter 9) dedicated to data localisation, and there are now reports that the draft will likely recommend that Internet companies store personal data locally.
Formation of Data Protection Authority: According to the draft, an independent data protection authority (DPA) should be constituted to monitor and ensure the enforcement of the proposed law, as well as to handle investigations and grievances.
User Consent: As per the draft, consent will be required for collection of any kind of personal data. Such consent will be invalid if it is not based on the informed choice by the user and must be specific, clear, and capable of being withdrawn.
However, as mentioned by Nehaa, addressing the consent issue is not as simple as it appears. She expounded that the GDPR does address this to some extent — when it requires privacy notices to be simple and accessible. This is definitely something that the Indian law should seek to import. Similarly, the GDPR also recognizes other grounds of processing data — consent is not the only ground for data processing under the GDPR.
“This is also something that India’s new law should take into account. However, the other grounds of processing as identified in the GDPR are not particularly clear — our law, while importing the idea that consent should not be the only grounds for processing of data, must do a better job of articulating what these other grounds are,” said Pushan Dwivedi of TRA Law.
Unlike the GDPR, where all stakeholders have been given a transition period of 24 months to implement the regulation, the Srikrishna committee hasn’t come out with a recommendation in this regard so far. However, the Zomato spokesperson told Inc42, “There should be at least a 12-18 month window given to organisations to be compliant with data protection mandates.”
Our Take On The Data Protection Bill Draft
Data, today, has become the eyes and ears of every company, institution, and government the world over. However, as evident from the Facebook-Cambridge Analytica data fiasco, data is neither free nor can it be taken for granted. This has been further reinforced by the implementation of the GDPR by the European Commission on May 25. The GDPR has changed the entire business game and the liabilities of Internet and data companies, making it harder for them to take consumer data for granted. It has also made data collection and storage a costly affair.
Facebook found itself in the middle of a controversy (in fact, more than one) and Cambridge Analytica had to shut shop after being accused of trading data without users’ consent. In India, right from the UIDAI, which is handling a billion people’s data, to private companies, political parties like the Congress, and even PM Narendra Modi’s App have been accused of trading users’ data without their consent. However, due to the lack of clear legal understanding, the ambiguity of the existing IT Act, and the government’s unwillingness to recognise people’s right to privacy, hardly any significant action has ever been taken against any of these parties.
Therefore, in a country like India, it’s not the law that brings change on the ground but the implementation, which is subject to the party in power. Further, the government has the full authority to accept, reject, or modify the report of the Srikrishna Committee on the Data Protection Bill draft before introducing it in the Parliament. Once it enters the hallowed halls of the Parliament, it is likely to undergo further changes. We don’t know whether the law that sees the light of day will even carry the soul of the seven key principles laid out in the data protection framework. It may emerge completely unrecognisable from what it is now.
However, from a point where the government had refused to even recognise the right to privacy as a fundamental right to a place where it has shown at least some commitment towards the formulation of a data protection law is half the battle won. The other, more crucial, half will be won or lost once the Data Protection Bill becomes an act and is implemented.
And, as Anirudh pointed out, unlike the GDPR, India’s law will also be guided by the Supreme Court’s decision on the fundamental right to privacy. The Court has recognised that, just like other fundamental rights, the right to privacy is also not absolute. However, any restriction on the fundamental right to privacy will
(a) need a valid law;
(b) be in furtherance of a legitimate state aim;
(c) need to be proportional.
There must be a nexus between the object sought to be achieved and the means that the State is using to achieve the objectives. The Supreme Court has identified, illustratively, what could be legitimate aims of the state, including “national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits.”
Therefore, the judgment recognising the right to privacy as a fundamental right, with the further guidelines passed by the 9-member bench of the Supreme Court in August last year, will remain a guiding path. And, if the Data Protection Bill enacted by the Parliament does not meet these requirements, the Supreme Court (if not the President) might take notice of it and recommend the changes needed to bring the law into conformity with the Constitution of India.