(Source: BloombergQuint)

Srikrishna Committee: The Good And The Not-So-Good In The Data Protection Committee’s Report

‘The report is like buying new shoes. It’s tight in the beginning but it will become comfortable over a period of time.’

That’s how former Supreme Court judge Justice BN Srikrishna described his committee’s proposals regarding a new data protection law for India. Chaired by Justice Srikrishna, the expert committee has made a whole host of suggestions to ensure data privacy. Set up in July last year, the committee's mandate was to propose principles for a data protection law in India.

Experts BloombergQuint spoke with lauded the committee’s recommendations on some grounds but also pointed out proposals that could, well, lead to long-term shoe bites.

The Good

1. Changes To The Language Of Privacy

Europe’s recently implemented General Data Protection Regulation refers to individuals whose data is collected as ‘data subjects’ and those who collect the data as ‘data controllers’. Justice Srikrishna’s committee has changed this language to ‘data principals’ and ‘data fiduciaries,’ saying an individual is the focal factor in the digital economy. Rahul Matthan, technology partner at law firm Trilegal called it a beautiful construct.

They have changed the language of privacy. The language used elsewhere makes you feel like data subjects are not important and controllers are masters. By terming it as data principals and data fiduciaries, they have articulated a framework where the principal is the focus of the narrative and the fiduciaries have to deal with the data in a manner that’s in the best interest of individuals.
Rahul Matthan, Partner, Trilegal

2. Approach On Surveillance

The committee has recognised that though security of the state is a ground for partial exemption from the data protection law, it must come with certain safeguards to prevent abuse.

“From the perspective of maintaining the sanctity of the data protection framework, the existing methods of non-consensual interception and access to personal data in law have to be taken into account and safeguards against misuse scrutinised.”

The design of the current legal framework in India is responsible for according a wide remit to intelligence and law enforcement agencies. At the same time, it lacks sufficient legal and procedural safeguards to protect individual civil liberties, the report has stated. And so, the committee has proposed that a law be made that provides for both parliamentary oversight as well as judicial approval of all requests for non-consensual access to personal data.

The committee has gone to the extent of saying that there should be parliamentary oversight and prior judicial approval when surveillance is carried out for intelligence gathering purposes, Smriti Parsheera, a technology policy consultant at National Institute of Public Finance and Policy pointed out.

They’ve also said enforcement agencies need to carry out surveillance in a fair and reasonable manner after permission is sought, the security of the data must be maintained and there should be accountability. This is a step up from what happens currently but it is not enough. 
Smriti Parsheera, Consultant, NIPFP

3. Data Portability Framework

The committee has proposed several rights for data principals, namely right to confirmation, access, correction, data portability, right to be forgotten etc.

Data portability across silos is the strongest representation of the rights of users and it will be incredibly powerful, Matthan said. He pointed out some practical uses of this right- let’s say, someone wants to avail a loan from an NBFC but the bank wants the person to take the loan from them, perhaps even at a higher interest rate. The bank, in this situation, could make it difficult for the person to get the transaction history and submit to the NBFC. Here’s where this right will help. This concept can be leveraged in the insurance and mutual fund space as well. Or, for instance, telecom data - history of bills, top ups etc- is a good indicator for banks to ascertain the earning potential while considering a loan application. Equally, in the healthcare sector, patients will be able to port health records from one hospital to another.

Many countries have the concept of data portability but practically it proves to be very difficult because it’s not given in a usable format. What the Srikrishna committee has said that it should be made available in a user-friendly, machine-readable format.  
Rahul Matthan, Partner, Trilegal

To address concerns of costs, the committee has proposed that fiduciaries may be allowed to charge a reasonable fee to effectuate this right.

The Not-So Good

The data protection committee’s report is a good start but some proposals must be reconsidered, experts said.

1. Report And Bill: Conflicts

There are several proposals that the committee has dealt with in the report, but they’ve not made their way into the Personal Data Protection Bill also proposed by them, Raman Chima, an advocate and global policy director at internet advocacy firm Access Now told BloombergQuint. For instance, while they have talked about surveillance reforms in the report, the Bill doesn’t have any provisions on it, he added.

They should’ve proposed to amend the Telegraph Act and the Information Technology Act under which interception takes place, Parsheera concurred.

They have provided a Schedule in the Bill to amend the Right to Information Act. Schedules amending the surveillance laws should have been provided as well. 
Smriti Parsheera, Consultant, NIPFP

The next step, before the Bill goes to the parliament, would be to at least map what is in the report into the law although there is need for building many other protections. , she added.

Similarly, the report has proposed several amendments to the Aadhaar Act but they aren’t included in the Bill, Chima said.

Broadly, the committee has recommended two amendments to the Aadhaar Act:

  • It has noted that the Aadhaar Act is silent on the powers of the Aadhaar authority UIDAI to take enforcement action against errant companies. It has proposed reconceptualising the UIDAI into a regulatory role that can ensure consumer protection and enforcement action against violations, with appeals to an appropriate judicial forum.
  • Second, requesting entities must be classified into two kinds to regulate access to personal data on the basis of necessity — those who can request for authentication and those who are limited to verifying the identity of individuals offline. Authentication can be done by entities who perform a public function. Those who don’t perform a public function can only do an offline verification of Aadhaar numbers with the consent of the holder to verify her identity.

The conflict doesn’t end with the absence of provisions on Aadhaar in the Bill, Vrinda Bhandari, a Supreme Court advocate pointed out.

The Bill has defined data fiduciary as someone who “determines the purpose and means of processing of personal data.” There’s also a concept of significant data fiduciary and the Data Protection Authority, proposed to be set up under the Bill, will need to notify such entities based on volume of personal data processed by such entity, sensitivity of personal data processed, risk of harm resulting from any processing etc, she explained.

By this measure, UIDAI will qualify as a significant data fiduciary, which means it would come under the purview of the Data Protection Authority proposed to be set up under the Bill. But, as part of proposals on the Aadhaar Act, the committee has said UIDAI should be given more powers. So, under the Aadhaar Act, UIDAI would be a regulator and under the Bill, a data fiduciary.” 
Vrinda Bhandari, Advocate, Supreme Court

Both these cannot co-exist, she added.

2. Data Localisation: Huge Cost, Unclear Purpose

The committee has proposed strict standards for cross-border transfer of data and storage.

  • Critical personal data, to be notified by the government, must be stored and processed at a data centre located in India.
  • Personal data can be transferred outside India but will need to comply with conditions of security, purpose limitation, storage limitation, data principals’ rights as laid down under the Indian law.
  • Every data fiduciary will need to store at least one serving copy of personal data on a server or data centre located in India.

Currently, the government has to use the mutual legal assistance treaty to obtain information for domestic enforcement, but it’s deeply flawed and overly time-consuming, the report has stated. And hence the proposal to store a copy of the data locally.

Matthan said he didn’t think the solution was to build these walls. This will be incredibly complicated and expensive for companies, he added.

A lot of start-ups just use cloud platforms. They don’t care whether it’s an Indian or international cloud. Cloud storage is the cheapest because it can be stored anywhere. You’re forcing start-ups to now choose more expensive options. The big corporations who want access to the market may be able to do this, but smaller businesses will find this very cumbersome. 
Rahul Matthan, Partner, Trilegal

The cost of localisation will always be higher compared to allowing the data to flow anywhere, he added. The committee could’ve incorporated provisions to say that every entity that is processing data of Indians must have an office in India and a person must be available to share the data asked for as and when the enforcement agencies require, Matthan suggested.

This is potentially laying the framework for mass surveillance, Bhandari pointed out. Further, setting up and running data centres has a huge environment cost attached to it, she added.

3. Redressal Mechanisms

Data can then be collected only after obtaining the data principal’s consent, the committee has proposed. But it hasn’t stopped at that.

The committee has added product liability in the consent forms, meaning data fiduciaries will be liable, as if the consent form were a product. If data principals are harmed as a result of processing of data, fiduciaries will be penalised for it. But if consent, once given, is withdrawn, it will have legal consequences for data principals.

“As consent has to be specific to be valid, it would now also be possible to withdraw it specifically from a contract. Insofar as such a withdrawal would prevent the performance of a specific clause in a contract, the data principal would be able to choose to face the specific consequences that flow therefrom...”
Srikrishna Committe Report

Consent is undeniably at the heart of the privacy debate but when you start attaching liability to the consent framework, it will throw up some challenges. How do you put a number to lack of informed consent or attribute legal consequences to the withdrawal of consent?, Parsheera asked.

The second issue relates to the proposal on the Data Protection Authority, Bhandari said. She explained that the proposal is to have one national authority and there’s no concept of regional authorities. A national level authority won’t be able to cope with the volume of complaints that’ll come to it.

Countries like Canada, Australia and Germany have data regulators at both the federal and state level, Chima added. Will the DPA have regional offices, benches, how will they be staffed? Why is there no enabling framework for states to have their own DPAs- all this is unclear, he added. The other important element that’s missing relates to representative capacity, Chima pointed out.

Can a pro bono lawyer or NGO file a complaint with the DPA on behalf of a poor, disadvantaged person? There should’ve been an enabling provision to represent people who don’t have the means and access, like it happens for Public Interest Litigation
Raman Chima, Advocate & Global Policy Director, Access Now

Individuals, specially in the smaller towns, don’t have access to the regulators and so you need someone who can represent their interests, he added.