Last year, the Supreme Court of India ruled that individual privacy is a fundamental right guaranteed by the constitution. That decision had strong implications on how the government and the private sector handle the data of the Indian people. Also, there has been a push for data privacy legislations throughout the world. Against that backdrop, a committee was formed under Former Justice Srikrishna to recommend a way forward for India in terms of protecting individuals’ right to data privacy. A few days ago the committee submitted its final report. A recommended bill also accompanied the report. Together, the report and the bill are the most comprehensive effort to protect personal data in India.
According to the report, the accompanying bill’s jurisdiction should include all processing of personal data in India. The government might grant exception to some companies if the data they process is of foreign nationals not living in India. The law should not have any retrospective applicability. Instead, it should be phased in gradually and applied only to data processing that takes place after the law is passed.
For the enforcement of the law, the commission recommends that a DPA (Data Protection Authority) should be set up as an independent regulatory body. Responsibilities of the DPA should include monitoring and enforcement of the data privacy laws, legal affairs, policy and standard setting, research and awareness, and inquiry, grievance handling and adjudication.
In a positive development, the report recommends that consent should be required for processing of all personal data. Consent would be invalid if it is not informed, specific, clear, and capable of being withdrawn. Further, the report specifies that explicit consent is required for processing of any sensitive personal data, which it describes as “passwords, financial data, health data, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual.”
In an attempt to make Data Fiduciaries (data collectors/processors) more responsible, the committee recommends that Data Fiduciaries should communicate clearly with Data Principals (whose data is being collected/processes) and report any data breaches to DPA and in some cases to Data Principals. It further stipulates that Data Fiduciaries must store at least one copy of any data they process inside India. While hoping to make Data Fiduciaries more responsible, the report also grants Data Principals specific rights. It highlights that people should have the right to access and correct their data if need be. Individuals are given the “right to be forgotten” on the basis of the sensitivity of their data, scale of disclosure, whether the data is publicly recognizable, the relevance of the personal data to the public, and the nature of the disclosure.
Provisions for transfer of personal data are also found in the committee’s recommendations. Cross border transfer of personal data is allowed as long as the transferor is held accountable for any violations that cause harm to the Data Principal. To ensure accountability, the committee proposes to have model contract clauses which penalize the transferor in case of any violations. However, not all data should be transferred abroad. Any sensitive personal data that is deemed to be critical to India’s strategic interests should be strictly prohibited from being transferred abroad.
Since there are different statutes in existence that deal differently with data processing in India, the commission’s recommendations include proposals to standardize the data privacy legal code across those statutes as well. As a result, the proposal includes some amendments to the Aadhaar Act and the RTI (Right to Information) Act. Recommendations to the Aadhaar Act aim to make the UIDAI (Unique Identification Authority of India) more autonomous for better data protection. Key recommendations include the introduction of offline verification of Aadhaar numbers and new civil and criminal penalties on violators. However, the complaints could be filed by UIDAI only. With regards to the RTI act, the committee proposes that section 8(1)(j), which requires individuals to reveal personal information related to public interest, should be amended to account for the harm caused to the individual in case the data is accessed for personal interest. If the assessment reveals that harm caused to the individual is greater than the public interest, then the individual cannot be pushed to reveal the personal data.
While the committee’s effort to propose a comprehensive legislation for data privacy is commendable, some of its recommendations have already drawn criticism. One main criticism is that the proposals are at times vague at defining key terms like critical personal data. The composition of the governance structure of DPA has also raised concerns regarding its independence. Some commentators think that the penalty enforced on companies in case of violations is too lenient. Also, the “right to be forgotten” allows an individual to ask the companies to stop further use of his/her data instead of deleting it, which is a common practice in the EU. The stipulation for companies to have at least one copy of any data stored locally means that many companies would need to invest heavily in storage servers inside India. This need effectively acts as a barrier to entry for small firms which cannot afford to spend on local servers and would rather store data on servers abroad at a much cheaper price.
All these criticisms suggest that the Srikrishna Commission Report require further tuning. Ravi Shankar Prasad, union minister for electronics and IT, law and justice, said that the government would thoroughly go through the proposed legislation but will also “apply its mind” and take all stakeholders’ considerations into account. The minister reassured that “the entire Parliamentary process will be followed”. Ravi Prasad’s comments indicate that there is still quite some time before the law is formally adopted. Before that happens, let us hope that through further consultations and reviews, the final bill adopted is one that addresses most of the criticisms. But for now let us give credit where it is due: the Justice Srikrishna Committee has provided a comprehensive framework to ensure the protection of data privacy as a fundamental right guaranteed by India’s constitution.