
The Great Indian Data Dive: Good Enough for Now?


After several months of deliberations, the expert committee chaired by former Supreme Court judge Justice B.N. Srikrishna, tasked with framing India’s data protection law, submitted its report and a draft bill titled “The Personal Data Protection Bill” to the Ministry of Electronics and Information Technology on 27 July. Lex Witness brings you a round-up of the first-hand reactions to the draft.

The expert committee’s recommendations on data protection law were put in the public domain to guarantee maximum transparency to the process. While the 176-page report (without annexures) records the committee’s deliberations and its reasons for the decisions it took, the draft bill sets out the rights of “data principals” over their data and the penalties for violations by “data fiduciaries”; together these form the flesh and bone of the country’s proposed law. As the next step, the documents will be reviewed by the Central Government and then forwarded to Parliament for further deliberation, stakeholder consultation and the final stamp that makes the bill a binding law of the land.

The need for legislation governing data protection was first underlined by the Supreme Court in August last year as part of the landmark judgment declaring privacy a fundamental right (Justice Puttaswamy v UOI). It was reinforced by the absence of any data protection framework governing the vast amounts of personal data collected day after day by state and private agencies alike. Individuals whose personal information had been collected and shared with agencies, including international companies, had no inkling of how their data was being harvested.

At first glance, the draft bill sets out unambiguous privacy principles for the individual, such as ‘consent’, in light of the issues plaguing the data ecosystem in India. The expert committee has broadly modelled a few of its recommendations on the European Union’s General Data Protection Regulation (GDPR), the most comprehensive data protection law internationally at the moment. In places it departs from established international terminology, using “data principals” and “data fiduciaries” in place of “data subjects” and “data controllers”.

While India’s data protection law is finally taking shape and offers a solid foundation for the future, the documents submitted by the committee are riddled with loopholes. One hopes that Parliament will iron out these creases before the law becomes binding. Does the proposed law meet expectations? How well does it balance the privacy rights of individuals against the interests of the state and other agencies? These questions are addressed below by laying out the pros and cons of a proposed law that presents itself as a mixed bag for the future of the country’s data protection framework.

THE PROS
User Rights & Consent Over Personal and Sensitive Data

The first set of positive takeaways from the bill is the categorization of data into two forms – personal data and sensitive personal data. Personal data, defined as “data about or relating to a natural person who is directly or indirectly identifiable”, is all-encompassing, while sensitive personal data is defined narrowly: it covers an individual’s passwords, financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, caste or tribe, and religious or political belief.

The second positive takeaway is the emphasis placed on user consent and on the limitation of purpose and processing. Each category of data comes with its own standard of consent. The bill requires that notice be given to individuals before their data is collected, and it squarely recognizes privacy principles by requiring that the consent obtained by data fiduciaries for the collection and processing of personal data be “free, informed, clear, specific and capable of being withdrawn”.

The committee has certainly gone into great depth on consent over user data, but data experts are not sure it can be enforced holistically, since people are unlikely to read the minute details of a lengthy notice. Similarly, the legal consequences of withdrawing consent fall on the data principal, i.e., the individual whose data is in question.

The onus of establishing that the consent obtained meets these standards also rests with the data fiduciary. The bill sets an even higher bar for consent when it comes to sensitive personal data. For instance, the data fiduciary has to ensure that the user is given the choice of consenting separately to the use of each category of sensitive personal data that will be processed. This shows the expert committee’s intention to transfer more control to the user by requiring explicit consent before he parts with, or allows the processing of, his sensitive personal data.

The bill incorporates four key rights of individuals over their data: the right to confirmation and access (the user can ask companies to confirm what data is being used and for what purpose), the right to data portability (the user can ask for the data generated while using a service, for instance order history at UberEats), the right to correction and updating of data, and the right to be forgotten (the user can restrict the continued disclosure or use of data shared earlier, say with a search engine such as Google). These developments make it the user’s prerogative whether his data is shared and to what extent.

Creation of An Independent Data Protection Authority

The draft bill proposes establishing an independent authority, the Data Protection Authority of India (DPAI), and an appellate body. The DPAI’s key responsibilities are to protect the interests of data principals, prevent misuse of personal data, ensure compliance with the law and promote awareness of data protection. Appeals from the decisions of the DPAI will be heard by the appellate body. The DPAI is vested with wide powers, including conducting inquiries and acting against data fiduciaries that violate the data protection regime. Among the myriad duties assigned to it under the bill, it is also required to take prompt action in cases of a security breach, monitor cross-border transfers of data, and monitor technological developments and commercial practices that may affect the protection of personal data.

According to Amber Sinha of CIS, the creation of the DPAI would help to provide the much-needed judicial authority to the process. “It is extremely important to have a specialized DPAI to monitor workings in an ideal model for data protection and that’s the philosophy the authority has followed”, he said. He further pointed out that the requirement of data security under Section 33 was very encouraging.

Considering that the country is on the cusp of having its own data protection law, the creation of a single authority to monitor and enforce it is surely a positive sign. It remains to be seen how far the authority will go in being independent, specialized, transparent and unbiased in its composition and decision making.

Processing of Children’s Data and Non-Consensual Grounds of Processing

The draft law recognizes the need to safeguard the personal data of children, since they are a vulnerable group. It therefore prohibits data fiduciaries from profiling, tracking, behaviourally monitoring or directing targeted advertising at children. Separately, the bill recognizes non-consensual grounds for processing, such as processing required for carrying out functions of the state, processing pursuant to a court order, processing to address an emergency situation and processing for purposes related to employment.

Increased Transparency and Accountability Measures

To ensure that protecting the personal data of the data principal remains a core responsibility of the data fiduciary, the committee has incorporated adequate technical and organizational safeguards, says Shankar Narayanan, Senior Resident Fellow at Vidhi Centre for Legal Policy. He adds that mechanisms such as data audits and data protection impact assessments have been included to ensure that the highest level of security safeguards is maintained to protect the integrity of the data being processed.

High Penalties to Act as A Deterrent

The draft bill specifies stringent penalties for contravention of its provisions, which will go a long way in deterring rule breakers. They are prescribed in two brackets, depending on the nature of the violation: up to Rs 5 crore or 2% of the data fiduciary’s total worldwide turnover, whichever is higher; or up to Rs 15 crore or 4% of its total worldwide turnover, whichever is higher.

THE CONS
State’s Upperhand On Data Processing (Without Consent)

While the bill lays down strict safeguards for consent over user data, where it falls short is the excess power it grants state functionaries to process personal data. Under Section 13, the state may process personal data for any function of Parliament or a state legislature, or for any function of the state, as long as it is to “provide a benefit or service” to the individual; this dilutes the strict standards laid down for obtaining an individual’s consent. Effectively, it gives the state unrestricted discretion in its dealings with personal data, including passwords and financial, genetic and biometric data, from which one could infer that the provision has been incorporated to endorse the Aadhaar scheme.

Excess Discretionary Powers Vested with The Central Government

One thing that stands out on deconstructing the bill is how the state has been vested with excessive powers and unrestricted discretion under various sections. Where the bill stresses the importance of user consent (Section 12), it also carves out an additional exception through Section 13, allowing the processing of personal data for functions of Parliament or a state legislature. It states that personal data may be processed if considered necessary for the exercise of a function of the state for providing “any service or benefit” to the data principal, or for the issuance of a licence, certification or permit for any action or activity of the data principal.

The second instance that raises the prospect of misuse by the Central Government is the vast powers vested in it through the creation of the DPAI and an appellate tribunal. An authority comprising a chairperson and six other members, all appointed by the Central Government itself, does not seem promising and cannot be expected to be synonymous with autonomy. While a certain amount of delegation to the Central Government is necessary for the functioning of the DPAI, there are provisions where the delegation may have gone beyond what is necessary. For instance, under Section 107 the Centre is empowered to make regulations on the qualifications, appointment, salaries and removal of adjudicators and of the appellate tribunal, both of which are tasked with deciding disputes and complaints about violations under the bill.

Under Section 98 of the bill, the Central Government can issue directions to the authority on questions of policy, by which the authority will then be bound, virtually giving the Central Government the upper hand on issues regarding the security and integrity of the state.

Privacy expert Shankar Narayanan of the Vidhi think tank, however, disagrees that excessive powers are being granted to the Central Government under the bill. According to him, sufficient flexibility has been provided within the proposed law to enable the government to make decisions in a few areas. For example, the Central Government can notify categories of personal data which it considers strategically important as critical personal data, to be stored within India. The delegation of these powers, however, is in no manner excessive, he believes.

“Amendments are necessary to the Aadhaar Act for bolstering privacy protections for residents as well as reconceptualizing the UIDAI into a regulatory role that can ensure consumer protection and enforcement action against violations with appeals to an appropriate judicial forum. The amendments that are recommended are limited to those warranted by the need to bring the Aadhaar Act in line with the suggested data protection framework. These amendments, when read with several provisions in the draft data protection bill, ought to alleviate data protection related concerns surrounding Aadhaar”.

An Expert Committee

Data Localization – IT/Data Sector to Face the Heat

Certain aspects of the bill have drawn praise from all quarters, but its insistence on the local storage of personal data is not one of them. Section 40 of the bill requires every data fiduciary to ensure that a copy of all personal data is stored on a server located in India. It further states that critical personal data, as categorized by the Central Government, may be stored only on servers or data centres in India. Cross-border transfer of personal data would be allowed subject to model contract clauses, and transfer of sensitive personal data outside Indian territory would require the satisfaction of the Central Government.

Critics of data localization argue that it could severely impact the country’s long-term innovation and economic growth plans by restricting cross-border data flows in the information technology sector and in global in-house centres (GICs). GICs in India now number about 1,100, employ more than 800,000 people and generate approximately USD 23 billion in revenue, and the Indian services sector contributed about 66.1% of India’s GDP in 2015–16.

The biggest beating from data localization would be taken by multinational internet giants such as Facebook, Google and Amazon, whose businesses are driven by digital data. Many consider it a regressive move, since it contradicts India’s vision of being a global IT hub, one that is heavily reliant on cross-border sharing of data.

Trepidation on Aadhaar

Privacy activists have expressed apprehension about what the new data protection law means for the Central Government’s Aadhaar unique identification scheme, which is facing its final challenge in the Supreme Court. The report has recognized the need to amend the provisions of the Aadhaar Act to bring it in line with the envisioned privacy safeguards.

Although the draft law’s focus on Aadhaar is limited and it does not even mention the UIDAI, certain provisions in the bill raise concerns about the permissions it may have indirectly given the state with regard to Aadhaar. For instance, Section 13 of the draft law provides that personal data may be processed if considered necessary for the provision of “any service or benefit” to the data principal by the state. This amounts to the state not having to rely on user consent for the processing of personal data whenever it deems the processing to be for any service or benefit. Similar treatment is afforded to the processing of sensitive personal data by the state under Section 19. This appears to cover Aadhaar authentication and biometric processing by the state.

The report maintains that the final fate of the Aadhaar scheme will be determined by the awaited judgment of the Supreme Court, but giving the state statutory powers to override user consent could prove dangerous and at cross-purposes with the objective of the data protection framework. Depending on the outcome of the case, the Central Government can move the recommended amendments to the Aadhaar Act.

Silence on Surveillance

One of the major flaws to have emerged is the way the committee has handled mass surveillance. The proposed law does not deal with surveillance separately; its implications for the issue can instead be seen in Section 42 of the bill, which covers exemptions for the security of the state. The provision holds that processing of personal data “in the interests of the security of the state” shall not be permitted unless it is authorized by a law made by Parliament and is carried out pursuant to a procedure established by that law.

Considering the large number of security and investigative agencies operating in a legal vacuum, this comes as a welcome step. It would necessitate checks and balances in the way personal data is processed: personal data would be shared with investigative agencies only once the sharing is found to be necessary and proportionate to a specific purpose. While this appears to be a positive step, the bill misses a chance to reform the current surveillance framework. The new provisions are not novel in terms of the legal norms already prescribed in the Telegraph Act and the IT Act, and the bill fails to specify surveillance rules for non-state actors. A comprehensive law on surveillance reform would need specific provisions for both state and non-state actors.

“As far as government processing and surveillance are concerned, there are dilutions for sure. The restrictions placed under exemptions to the consent requirement can be misused to evade the need to get consent. The standards that surveillance has been subjected to need to be greater too. Broad and sweeping powers have been granted to the state under exemptions. In the ideal scenario, once the surveillance is complete, after a reasonable amount of time the person should be notified”, Amber Sinha of CIS said.

Aligning New & Old Laws

The contours of the proposed law are wide enough to overlap with around 50 statutes and regulations identified by the Srikrishna committee. Existing laws in both the public and private sectors will need to be amended to bring them in line with the proposed law, which can be a complex task. The legislation set to conflict with the new data protection law is spread across sectors including health, telecom, defence, finance and corporate affairs.

“Various allied laws are relevant in the context of data protection because they require or authorize the processing of personal data for different objectives. All such laws, however, will have to be applied with the data protection law, as the latter will be the minimum threshold of safeguards for all data processing in the country. Similarly, the law will operate in tandem with extant legislation. In the event of any inconsistency, it will have an overriding effect. In other words, no other law will operate in derogation of it. However, if a higher standard for protection of personal data is imposed by another law, it may operate in addition to the proposed data protection law”, the report stated. The report has specifically identified provisions of the Aadhaar Act, the RTI Act and the IT Act for amendment. In the health sector, a draft legislation, the Digital Information Security in Healthcare Act (DISHA), was launched in March and aims to regulate the generation, collection, storage, transmission, access and use of all digital health data and associated personally identifiable information. Experts are calling this a great initiative but also point out how it has become a cause of concern for a healthcare sector that is grappling with the protection of data. “As of now, there is not much clarity on how the data of the healthcare sector is to be treated under the new data protection law. The proposed law in isolation comes across as a strong directive to govern data security in the health sector as well, but the rest will depend on its implementation, which is likely to face hurdles because of the large number of legislation and agencies involved”, said a health care official.

“Operations of giant multinationals, data analytics firms, ecommerce companies, social media companies, telecom companies are going to be affected as they rely on cross-border sharing of data, upon which stringent conditions have been imposed by the Srikrishna committee”.

An Expert Committee

Weakening of The RTI Ecosystem

The committee’s recommendation to amend Section 8(1)(j) of the RTI Act, which governs the disclosure of personal information in the larger public interest, upsets the balance between the need for transparency and the need to protect personal information in recognition of individual privacy. Until now, Section 8(1)(j) has exempted from disclosure personal information that is unrelated to any public activity or interest or that would cause an unwarranted invasion of privacy, unless the larger public interest justifies disclosure. Under the proposed amendment, such information may be exempted from disclosure only if it is likely to cause harm to a data principal and such “harm outweighs the aforementioned public interest”.

Section 8(1)(j) in its current form has served as a strong provision for balancing the conflict between revealing information in the larger public interest and withholding it to prevent a violation of individual privacy. This balance is set to be lost if the amendment proposed in the bill goes through. It gives the information officer wide discretion to decide whether the harm caused to the data principal outweighs the public interest, with neither of the two terms defined.

All in all, the conditions for satisfying the ‘harm test’ appear too wide, ambiguous and unlimited in scope. Deeming it a retrograde step, privacy experts say that in times of rampant corruption such as these, when the RTI Act has been the common man’s aid in obtaining information from third parties, the ‘harm test’ could make getting such information more difficult.

THE CLOSING STATEMENT

There is no doubt that the country’s resolve to have its own data protection regime is encouraging and deserves appreciation. At the same time, it is important to understand how well the various ends can be brought together to strike a balance between legislation, regulation and, of course, privacy.
