About 10 days ago, the Committee of Experts chaired by Justice Srikrishna (Srikrishna Committee), appointed by the Ministry of Electronics and Information Technology (MeitY) last year, released its final recommendations on what India’s data protection framework should look like. It also released a draft Personal Data Protection Bill, 2018 (PDP Bill).
In this piece, I juxtapose the PDP Bill with the Telecom Regulatory Authority of India (TRAI)’s recommendations on privacy and data ownership and the Reserve Bank of India (RBI)’s diktat on localising payment systems data. (See here and here for collated lists of articles on other aspects of the PDP Bill).
So, what do you think will happen to the RBI circular and the TRAI recommendations when (any version of) the PDP Bill gets enacted? Let us begin with some recent history.
In July, 2017, the Indian government tasked the Srikrishna Committee with developing a comprehensive data protection law for India. The committee then released a white paper for public comments, and later, in January, 2018, conducted four public consultations – one each in Delhi, Bangalore, Hyderabad, and Mumbai. Six months later, ending all the speculation around the timing of their release, the Committee came out with its final recommendations and the PDP Bill. Meanwhile, in August, 2017, TRAI began its own consultation on privacy, data security, and data ownership in the telecom sector. TRAI’s deliberations ran in parallel to the Srikrishna Committee’s own exercise, and culminated with the telecom regulator releasing its privacy recommendations on 16 July, 2018, less than two weeks before the Srikrishna Committee released its own.
TRAI was not the only regulator to have jumped on the data protection bandwagon, pending the release of the Srikrishna Committee’s final recommendations. In April, earlier this year, the country’s financial regulator — the RBI — mandated that payment systems data be localised, which means it has to be stored only in India. While TRAI’s recommendations are just that — recommendations — the RBI’s mandate came into force immediately. Payment systems providers have until 15 October, 2018, to comply with the norm and inform the RBI about their compliance.
The actions of TRAI and the RBI did not go down well with the Srikrishna Committee. Soon after TRAI released its recommendations, it was reported that the Committee was upset with the timing of the telecom regulator’s move, as it would delay the release of its own final recommendations. As regards the RBI’s move, at the press conference to release the Committee’s final recommendations, Justice Srikrishna opined that the financial regulator had jumped the gun with its circular. The Committee’s displeasure with TRAI and the RBI aside, sectoral regulators will play a key role in taking forward India’s data protection framework. Justice Srikrishna has himself previously recognised this.
The PDP Bill is only the first step towards developing a comprehensive data protection framework for India. Sectoral regulators, TRAI and the RBI included, will no doubt play a key role in operationalising the PDP Bill and developing privacy principles and norms for their respective sectors. While the PDP Bill envisages the creation of a new authority — the Data Protection Authority — to oversee the implementation of the law, it also requires this authority to consult and work with other sectoral regulators.
Given that the PDP Bill will be the parent law, any action that TRAI, the RBI, or any other regulator takes on data protection will have to be in line with its provisions. Any action by any regulator that is inconsistent with the parent law when it comes into force will have to be revisited. With this in mind, it is unlikely that TRAI’s sweeping privacy recommendations, which expand its jurisdiction to well beyond telecom, will translate into concrete regulation in their current form. The “digital ecosystem” that the telecom regulator talks about regulating will, in any case, be subject to the country’s data protection law.
Is TRAI Expanding Its Jurisdiction?
TRAI’s attempt at expanding its jurisdiction is not new, and can be traced back at least to 2008, when it first attempted to regulate “value-added services”. In the past decade, these efforts at regulating more than just telecom have continued, although the terminology has changed — “value-added services” have become “application services”, “over-the-top services”, and now, the “digital ecosystem”.
TRAI’s privacy recommendations — its latest attempt at over-regulating — differ from the PDP Bill in certain key areas.
In TRAI’s view, users own their personal information, and data controllers (called data fiduciaries under the PDP Bill) are “mere custodians” of this data. The PDP Bill grants users no ownership rights, but creates a fiduciary relationship between data fiduciaries and users, such that the former are required to act in the best interests of the latter.
Further, while the PDP Bill only holds data fiduciaries liable under the law, and data processors only under certain conditions, TRAI is of the view that both controllers and processors should be liable. TRAI’s recommendations and the PDP Bill also differ on data localisation. The telecom regulator has not made any concrete recommendations on this issue, and has deferred to the Srikrishna Committee.
On the other hand, the PDP Bill specifies different degrees of data localisation for different categories of data, and mandates that critical personal data will be stored and processed only in India. Interestingly, the draft law does not specify what critical personal data is, and leaves it to the central government to define. It is likely that the government will designate telecom data to be critical personal data.
Unlike the TRAI recommendations, the RBI circular appears to be broadly in line with the PDP Bill. However, the lack of clarity on what constitutes critical personal data is an issue for financial information as well. Just like telecom data, it is entirely likely that the government will designate financial data to be critical personal data. Should that be the case, then all financial data, and not just payment systems data, will need to be stored and processed only in India.
The PDP Bill is likely to be modified before it is enacted into law. No matter the final shape of the law, however, the fact that sectoral regulators have a crucial role to play in shaping India’s data protection law remains unchanged.