India moves closer to first data privacy law as Srikrishna panel submits report, focus on individual users’ consent
Recommending what it termed a “fourth way to privacy, autonomy and empowerment” that was distinct from other international experiences, the Justice BN Srikrishna Committee on Friday proposed a draft Personal Data Protection Bill that could form the basis of India’s first data privacy law.
The committee, which said it had combined the principles of individual ‘privacy’ with using data for ‘empowerment’, also proposed the constitution of a Data Protection Authority (DPA) of India with the mandate of protecting the interests of users who it described as “data principals”, and preventing the “misuse of personal data”. It called for financial penalties and jail terms in the case of violations.
The committee – set up in 2017 to recommend a legislative framework for data privacy – submitted its report and the proposed bill to the Union minister for law and justice, and electronics and information technology, Ravi Shankar Prasad.
The proposed bill makes individual consent the centrepiece of data sharing, awards rights to users, and imposes obligations on “data fiduciaries” — all those entities, including the State, which determine the purpose and means of data processing. It also lays out provisions on data storage, making it mandatory for a copy of personal data to be stored in India, and calls for amendments to other laws, including the Right to Information Act. Though the bill does not mention it directly, the report also suggests changes to the Aadhaar Act.
The committee argued that such a law would protect “individual privacy, ensure autonomy, allow data flows for a growing data ecosystem, and create a free and fair digital economy”.
In its report, the committee said: “It is the duty of the state to put in place a data protection framework which, while protecting citizens from the dangers to informational privacy originating from state and non state actors, serves the common good.”
Receiving the report, in response to a question on broad timeline for the bill to become a law, Prasad said, “I hope you understand we can also have some more feedback, consultations, go to Parliament, which can either pass it or refer it to a standing committee. And being a very monumental law, even for myself, I would like to have the widest possible consultation process.”
The proposed bill sparked a range of responses. While it was celebrated by some experts as a landmark effort, others argued that it vested too much power in the hands of the government and offered too many “exceptions” for the non-adherence of data privacy laws.
Nandan Nilekani, the former chairperson of UIDAI, called it an “extraordinary effort”. “It reflects original thinking, and addresses both opportunities and challenges that are specific to India.” He added that the committee had recognised that individual data had to be protected, while simultaneously recognising the need to use data to improve people’s lives.
Raman Jit Singh Chima, policy director at Access Now and volunteer with saveourprivacy.in, said that while the introduction of a DPA in the bill was a positive step, it vested too much power in the hands of the government in terms of the appointment of the DPA. “There is also no attempt to change how wiretapping and surveillance happens in this country... India is one of the only major democracies that still allows civil servants to tap phones. The present bill does not attempt to change that, and that is surprising and troubling,” he added.
Lawyer and author of Privacy 3.0, Rahul Matthan, said common citizens are the winners but expressed caution. “I am concerned about the chilling effect it can have on innovation, because it requires stringent procedural reforms to be followed. It is a strong, GDPR style law.” The General Data Protection Regulation is the European Union’s all-encompassing data privacy law.
In its report, the committee recognised that the existing laws in India did not protect an individual’s data privacy and cited the example of Facebook sharing the data of 87 million users, including five million Indians, with Cambridge Analytica. Data has both the “potential to empower and harm”, the committee said.
Acknowledging the Supreme Court’s verdict declaring the right to privacy as a fundamental right, the committee said it was important to aspire to a “free and fair” digital economy — where freedom was defined as enhancing individual autonomy with regard to personal data and fairness was defined as a regulatory framework where this individual right was respected.
The bill would apply to data being collected, processed, disclosed and shared within Indian territory; to all India entities processing data; as well as to personal data processed by data fiduciaries not present in India but involving data principals within India. This would expand the ambit of the bill to include key technology and business firms operating in the Indian market.
There are two underlying themes of the bill — obligations on fiduciaries and rights for principals. Obligations would include “purpose limitation” — data will be used only for “clear, specific and lawful” purposes — and “collection limitation” — only data necessary for the purpose would be collected, and it would be held only as long as “reasonably necessary” for that purpose.
The bill lays out obligations for fiduciaries to ensure no harm to the user, with transparency and security safeguards; a data protection impact assessment before new technologies are introduced; audits of data policies by a data auditor; and the appointment of data protection officers. At the same time, recognising the agency of the individual, the bill also makes it clear that personal data can only be processed “on the basis of consent” of the data principal that is “free, informed, specific, clear, capable of being withdrawn”.
User rights also include the right to obtain information on whether personal data has been processed and a summary of that data, as well as the right to correct, complete and update their data. Users also have a “right to be forgotten”, which would restrict or prevent continuing disclosure of personal data. It is to enforce this expansive set of rules that the bill proposes the constitution of the Data Protection Authority of India with a range of powers. The bill also assigns penalties on data fiduciaries for violating its provisions; sets up an appellate tribunal; and imposes punishment for offences such as obtaining, disclosing, transferring, selling or offering to sell personal data in contravention of the act.