Clear method for data collection must, says BN Srikrishna

India’s legal framework on personal data protection should ensure that the purpose for which data is collected is clearly explained and it should lay down a clear methodology for procuring data, retired Supreme Court justice BN Srikrishna said on Sunday.

When data is collected without the consent of the individual, like in the current circumstances where a lot of data is being collected in connection with the Covid-19 pandemic, the law should ensure data anonymisation, he added

“Under what circumstances can data be taken away without consent of the principal? Take for instance, the situation of Covid. Data is necessary for statistical probability. If someone wants to do research on impact of Covid, they will need a lot of data on it. This is where the aspect of “data anonymisation” comes in, where only numbers and no personal information can be utilized”, Srikrishna pointed out.

He was speaking at a Webinar organized by law firm Shyam Padman Associates on the topic “The Challenges in Personal Data Protection in the absence of (a) Data Protection Law in India”.

Srikrishna, who headed the committee which, in 2018, proposed the draft of the Personal Data Protection Bill said that the line between right to privacy of an individual and the right of the state to access data is a fine one and the data protection law should guarantee that data collected is only to the extent to which it is required.

“The legislative enactment must categorically explain the purpose for the collection of data. There should be a rational connection (between the data collected and the purpose for which it is acquired). There should be no absurdity in the connection. There is also the need for proportionality. The law should not go beyond what is absolutely required”, he explained.

The state, he said, can take away rights of an individual, only if it can ensure that it is for the greater good of the public.

“For instance, in the case of Aarogya Setu, the state, in a positive move, did not make it mandatory”, Srikrishna said, referring to India’s contact tracing app.

The central government came out with a draft Personal Data Protection (PDP) Bill in December 2019. The bill regulates personal data of individuals and governs the processing of such data by both government and companies incorporated in India.

Justice Srikrishna said the bill falls short on certain aspects including absence of data localization which enables transfer of data outside India .

“Can the State can access data of a person who is a suspect. The answer in the legislation is yes. Unfortunately, in my opinion, the PDP of 2019 has watered down this provision which allows the state to unilaterally infringe the fundamental right (of privacy) in the name of sovereignty and security”, he said while expressing hope that the Supreme Court will look into such aspects if the data protection law is challenged.

The Supreme Court’s seminal 2017 judgment in the case of Justice KS Puttaswamy v. Union of India in which the court had held right to privacy as a facet of the fundamental right to life was instrumental in initiating debate on the absence of data protection laws in India.

“The SC asked, ‘Where is the law on Data Protection?’ And everyone started looking at each other, with no clue about this. It is then the committee on the formulation of a Personal Data Protection Bill was founded”, Srikrishna said.