Even as privacy debates intensify and data security concerns spiral the world over, the much-awaited (and much delayed) Justice BN Srikrishna Committee report on the draft Personal Data Protection Bill 2018 was finally submitted to the minister of law and justice, Ravi Shankar Prasad, on Friday, July 27.
Various cross-sections of society have been waiting for the report — which was a year in the making — with trepidation, as the Bill will have far-reaching implications for the data handling and processing practices of Indian and foreign companies and of government departments. The draft bill stirred up controversy over its reported contents even before it was released.
Amid rising data theft, breaches, and leaks in India, the Supreme Court had directed the Indian government to formulate a Data Protection Bill to ensure and strengthen people’s rights over personal data and the right to privacy. Accordingly, the Justice BN Srikrishna Committee was formed in July 2017 to deliberate on a data protection framework for the country.
The European Union (EU) and the UK have already introduced one of the toughest data protection laws in the world, the General Data Protection Regulation (GDPR), which is applicable to companies across the world processing data belonging to EU residents. Indians, meanwhile, were looking forward to a similar, strict Data Protection Bill that would address the security flaws of the present Aadhaar and other systems and enable close monitoring of data usage and breaches by the Indian government, companies, and individuals, along with protection of personal data.
However, the Personal Data Protection Bill 2018 draft released in the public domain last week does everything but what it is meant to do — that is ‘protect’ the personal data of Indian citizens. From recommendations to make the Unique Identification Authority of India (UIDAI) the constitutional authority for the Aadhaar Act to defining a fiduciary relationship between the data ‘principal’ (the natural person whose data is being collected) and data fiduciary, a lot has to be examined in the draft.
The Bill has evoked mixed reactions, with most veering towards dissent, including from some expert committee members. Apart from fuelling a critical discourse on social media, the bill has received some support as well — from policymakers and industry representatives.
Earlier Inc42 had explained that the Bill strengthens the UIDAI’s powers when it comes to Aadhaar-related legal action by maintaining that only the UIDAI can approach courts in case of any Aadhaar disputes.
Inc42 also reported that the Draft Data Protection Bill proposes the removal of Section 8(1)(j) of the RTI Act — the clause that accounts for the right to privacy. Section 8(1)(j) aims to fine-tune the balance between an individual’s personal information and the need for transparency in public life.
Here are the several other points taking the heat up many notches in the already intense Data Protection Bill debate in India:
- The jurisdiction of the Bill under Section 2 is vast, including both territorial and extraterritorial provisions along the lines of the GDPR. In horizontal application, the Bill applies to both governmental and private actors, to any data processing within India, and to any processing by the State, Indian companies or Indian citizens.
- After RBI requirements for payment companies to store data in India, the data localisation rules to be imposed under Section 40 require that one copy of all personal data to which the law applies is to be kept on a server within India. Further, certain categories of data, to be specified by the government as critical personal data, are to be stored in India alone. At the same time, requirements for cross-border transfer of data are also imposed.
- In line with the “importance” of data, the Bill introduces new definitions of “personal data” and “sensitive personal data”. Personal data refers to any data of a natural person which allows direct or indirect identifiability. Sensitive personal data includes financial data, biometric data, positive additions such as religious and political beliefs, caste, intersex/transgender status, and official government identifiers like PAN etc.
- For data processing, the Bill includes purpose and collection limitation, detailed notice requirements, storage limitation, data quality requirements, and the principle of accountability.
- “No means No” has become a positive part yet a burden of the Bill. The committee has highlighted consent as the primary ground for processing. The consent, which is required to be free, informed, specific, clear and capable of being withdrawn, is necessary for the performance of a contract. If the data principal has to withdraw consent, all legal consequences will be theirs.
- However, the Bill creates several exceptions and exemptions for processing of data by the State. An additional ground for processing data under Section 13 (Chapter III) includes the processing of data required for the functions of the State (as authorised by law), Parliament, or the legislature. This includes processing of data for the provision of any service or benefit to the data principal by the State. A broad list of exemptions has been included, applicable to legal proceedings, research, domestic purposes, journalistic purposes, and manual processing.
- Another ground has been created for data processing on other reasonable purposes under Section 17. Under this, the Data Protection Authority of India (DPA), which is to be established under the Bill, will specify the purposes, including a broad and vague range of activities such as whistleblowing, preventing unlawful activities, debt recovery, and processing of publicly available data.
- On a positive note, Chapter VI provides some basic rights to data principals, including the right to access and correction, the right to data portability, and the right to be forgotten. The Bill does not provide a right to erasure, nor does it provide rights against automated decision making and profiling.
- No harm, no notification. Section 32 requires data breach notifications to be made to the DPA only if the breach is likely to cause ‘harm’ to the data principal. Leaving the discretion to the data fiduciary to judge if the data breach causes harm to the data principal is a concern.
- The Bill prescribes steep penalties, including penalties of the higher of INR 5 Cr or 2% of annual global turnover (of the company in question) for violations like failing to conduct a DPA. A penalty of the higher of INR 15 Cr or 4% of the annual global turnover of the company in question is prescribed for violations such as processing of personal data in contravention of the Bill. Complaints can be filed by an aggrieved data principal with adjudicating officers appointed under the Bill. Appeals from their orders will go to an Appellate Tribunal and thereafter to the Supreme Court.
- The Bill also prescribes a list of non-bailable and cognizable criminal offences. This includes a maximum fine of INR 2 Lakh or imprisonment of three years for obtaining, transferring, or selling personal data in violation of the law. If the data is sensitive personal data (SPD), this goes up to 5 years or INR 3 Lakh. Similar provisions apply to re-identification of data.
Srikrishna Committee Member Calls Data Protection Bill Regressive
The first voices of dissent against the Personal Data Protection Bill 2018 came from some of the Justice Srikrishna Committee members themselves.
A member of the expert committee and the CEO of NASSCOM’s Data Security Council of India, Rama Vedashree, noted that the data localisation requirement in the Bill is regressive and against the “fundamental tenets of the liberal economy”. She added that portraying localisation as a tool for developing the domestic market is “fuelled by unfounded apprehensions and assumptions.” She added that localisation could be a trade barrier in key markets.
Further, Vedashree disagreed with the classification of passwords and financial data as sensitive personal data. “The concept of Sensitive Personal Data is primarily used for providing higher level protection to the data subject from instances of profiling, discrimination and infliction of harm that are identity-driven,” she said, adding that most countries don’t classify passwords and financial data as sensitive personal data.
On the inclusion of criminal offences for data breaches in the Bill, Vedashree said she believes it is draconian. “The steep civil penalties and fines are sufficient as a deterrent,” she argued.
Another voice of dissent from within the committee came from Professor Rishikesha T Krishnan, an IIM Indore professor, who emphasised that the requirement that every data fiduciary should store one live, serving copy of personal data in India is against the basic philosophy of the Internet and imposes additional costs on data fiduciaries without a proportional benefit in advancing the cause of data protection.
He further believes that the observations and recommendations regarding the Aadhaar Act are outside the scope of the committee’s work.
Vedashree and Krishnan’s notes of dissent are part of the report submitted.
‘Privacy And Security Are At The Heart Of The Data Protection Bill’
Even as dissent against the bill is flowing thick and strong on social media and other platforms since its release in the public domain, there are several opinions supporting it as well.
Nikhil Kumar, fellow and head of the developer ecosystem for India Stack at think tank iSPIRT, believes privacy and security are at the heart of the Data Protection Bill.
One of the proponents of the bill, independent Member of Parliament (MP) Rajeev Chandrasekhar, said: “Justice Srikrishna Committee report on data protection and the draft Personal Data Protection Bill 2018 is a step closer towards ensuring a legal framework for the consumers and data protection. This is a big boost to digital India.”
The bill has received support from the industry as well. Shivangi Nadkarni, co-founder and CEO of Arrka, an advisory and consulting company that enables enterprises to manage their information risks, said, “In today’s day and age, where cyber attacks happen regularly and data gets stolen or leaked out, an entity that has your data would be required to inform you of a data breach if your data is among the affected cases and the breach is likely to cause harm to you. This is a big step forward from the current situation where no entity in India is obliged to inform you if your data has been compromised.”
When asked about the potential constraints on innovation by startups imposed by the data localisation provisions of the Bill, Nikhil Kumar of iSPIRT replied that the bill doesn’t stifle innovation. “I don’t think the Indian startup ecosystem has to worry, just be more responsible and worry about the data being recorded/stored.”
Information Technology minister Ravi Shankar Prasad said that given the monumental nature of the proposed law, the government would prefer wide-ranging consultations on the matter. “We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation,” said Prasad.
Meanwhile, the man of the moment, Justice Srikrishna, said the report focuses on what kind of data has to be mandatorily stored in India, identifies the circumstances for data localisation, and also identifies other instances where data can be stored with mirroring provisions. Justice Srikrishna stated that this report was only the first step and that as technology changes, it may become necessary to fine-tune the law.
How much of these “wide-ranging consultations” and “fine-tuning” of the law happens, and how far the Indian Personal Data Protection Bill is amended to become a “global model”, is something the entire country, in fact the world, will be waiting and watching for.