Key Recommendations Of Srikrishna Panel Report On Data Protection
Jurisdiction And Applicability
The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India. However, in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India. Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, the data protection law may empower the Central Government to exempt such companies which only process the personal data of foreign nationals not present in India.
The law will not have retrospective application and it will come into force in a structured and phased manner. Processing that is ongoing after the coming into force of the law would be covered. Timelines should be set out for notifications of different parts of the law to facilitate compliance.
1. The definition of personal data will be based on identifiability. The Data Protection Authority may issue guidance explaining the standards in the definition as applied to different categories of personal data in various contexts.
2. The law will cover processing of personal data by both public and private entities.
3. Standards for anonymisation and de-identification (including pseudonymisation) may be laid down by the DPA. However, de-identified data will continue to be within the purview of this law. Anonymised data that meets the standards laid down by the DPA would be exempt from the law.
4. Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual. However, the DPA will be given the residuary power to notify further categories in accordance with the criteria set by law.
5. Consent will be a lawful basis for processing of personal data. However, the law will adopt a modified consent framework which will apply a product liability regime to consent, thereby making the data fiduciary liable for harms caused to the data principal.
6. For consent to be valid it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit.
7. A data principal below the age of eighteen years will be considered a child. Data fiduciaries have a general obligation to ensure that processing is undertaken keeping the best interests of the child in mind. Further, data fiduciaries capable of causing significant harm to children will be identified as guardian data fiduciaries. All data fiduciaries (including guardian data fiduciaries) shall adopt appropriate age verification mechanisms and obtain parental consent. Furthermore, guardian data fiduciaries, specifically, shall be barred from certain practices. Guardian data fiduciaries exclusively offering counselling services or other similar services will not be required to take parental consent.
8. The principle of granting protection to community data has been recognised by the Committee. This should be facilitated through a suitable law which is recommended to be enacted by the Government of India in the future.
Obligations Of Data Fiduciaries
1. The relationship between the “data subject” and the “data controller” is to be reformulated as a fiduciary relationship between the “data principal” and the “data fiduciary”.
2. All processing of personal data by data fiduciaries must be fair and reasonable.
3. The principles of collection and purpose limitation will apply on all data fiduciaries unless specifically exempted.
4. Processing of personal data using big data analytics where the purpose of the processing is not known at the time of its collection and cannot be reasonably communicated to the data principal can be undertaken only with explicit consent.
5. A principle of transparency is incumbent on data fiduciaries from the time the data is collected to various points in the interim. Most prominently, a data fiduciary is obliged to provide notice to the data principal no later than at the time of the collection of her personal data.
6. There shall be obligations of data quality and storage limitation on data fiduciaries. However, the responsibility to ensure that the personal data provided is accurate will rest on the data principal.
7. There will be a provision of personal data breach notification to the DPA and in certain circumstances, to the data principal.
8. Data security obligations will be applicable.
Data Principal Rights
1. The right to confirmation, access and correction should be included in the data protection law.
2. The right to data portability, subject to limited exceptions, should be included in the law.
3. The right to object to processing, the right to object to direct marketing, the right to object to decisions based solely on automated processing, and the right to restrict processing need not be provided in the law for the reasons set out in the report.
4. The right to be forgotten may be adopted, with the Adjudication Wing of the DPA determining its applicability on the basis of the five-point criteria as follows:
- The sensitivity of the personal data sought to be restricted;
- The scale of disclosure or degree of accessibility sought to be restricted;
- The role of the data principal in public life (whether the data principal is publicly recognisable or whether they serve in public office);
- The relevance of the personal data to the public (whether the passage of time or change in circumstances has modified such relevance for the public); and
- The nature of the disclosure and the activities of the data fiduciary (whether the fiduciary is a credible source or whether the disclosure is a matter of public record; further, the right should focus on restricting accessibility and not content creation).
5. The right to be forgotten shall not be available when the Adjudication Wing of the DPA determines upon conducting the balancing test that the interest of the data principal in limiting the disclosure of her personal data does not override the right to freedom of speech and expression as well as the right to information of any other citizen.
6. Time-period for implementing such rights by a data fiduciary, as applicable, shall be specified by the DPA.
Transfer Of Personal Data Outside India
1. Cross-border transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations, with the transferor being liable for harms caused to the principal due to any violations committed by the transferee.
2. Intra-group schemes will be applicable for cross-border transfers within group entities.
3. The Central Government may have the option to green-light transfers to certain jurisdictions in consultation with the DPA.
4. Personal data determined to be critical will be subject to the requirement to process only in India (there will be a prohibition against cross-border transfer for such data). The Central Government should determine categories of sensitive personal data which are critical to the nation having regard to strategic interests and enforcement requirements.
5. Personal data relating to health will however be permitted to be transferred for reasons of prompt action or emergency. Other such personal data may additionally be transferred on the basis of Central Government approval.
6. Other types of personal data (non-critical) will be subject to the requirement to store at least one serving copy in India.
1. Various allied laws are relevant in the context of data protection because they either require or authorise the processing of personal data for different objectives.
2. All relevant laws will have to be applied along with the data protection law, as the latter will be the minimum threshold of safeguards for all data processing in the country. In the event of any inconsistency between data protection law and extant legislation, the former will have overriding effect.
3. The proposed data protection framework replaces Section 43A of the IT Act and the SPD Rules issued under that provision. Consequently, these must be repealed together with consequent minor amendments.
4. The RTI Act prescribes a standard for privacy protection in laying out an exemption to transparency requirements under Section 8(1)(j). This needs to be amended to clarify when it will be activated and to harmonise the standard of privacy employed with the general data protection statute.
5. The Committee has identified a list of 50 statutes and regulations which have a potential overlap with the data protection framework. Concerned ministries may take note of this and ensure appropriate consultation to make complementary amendments where necessary.
6. The Aadhaar Act needs to be amended to bolster data protection. Suggested amendments for due consideration are contained in the Appendix to this Report.
Non-Consensual Grounds of Processing
Functions of the State: Welfare functions of the state will be recognised as a separate ground for processing. Processing activities carried out by the State under law will be covered under this ground, ensuring that it is in furtherance of public interest and governance. However, only bodies covered under Article 12 of the Constitution may rely on this ground. Processing towards activities that may not be considered part of the welfare functions would, however, not be permitted. Thus, the availability of this ground is restricted to certain entities and certain functions to avoid vagueness in the law.
Compliance with Law or Order of Court or Tribunal: Compliance with law or order of court or tribunal will be recognised as a separate ground for processing to avoid inconsistency with obligations under other laws, regulations and judicial orders. The word ‘law’ shall be construed to mean laws, ordinances, orders, bye-laws, rules, regulations and notifications that have statutory authority. Order of court or tribunal would be restricted to Indian courts and tribunals. Processing to satisfy obligations imposed by contract, foreign law or foreign judicial orders shall not be permitted under this ground.
Prompt Action: Prompt action will be recognised as a separate ground for processing. It should receive a strict interpretation and only be applied in critical situations where the individual is incapable of providing consent and the processing is necessary to meet emergency situations.
Employment: Employment will be recognised as a separate ground for processing. This ground should be invoked only where processing under consent would involve disproportionate effort or where the employment relation makes consent inappropriate, and will permit processing even where employment-related activities are not authorised under any of the other grounds of processing such as compliance with law.
Reasonable Purpose: Reasonable purpose is a residuary ground for processing activities which are not covered by other grounds like consent, compliance with law, prompt action and public function but are still useful to society. The ambit of the provision would be limited to those purposes which are whitelisted by the DPA to guide data fiduciaries.
Security of the State: The data protection law will enable an exemption to the processing of personal or sensitive personal data if it is necessary in the interest of the security of the state. Any restriction must be proportionate and narrowly tailored to the stated purpose. The Central Government should expeditiously bring in a law for the oversight of intelligence gathering activities.
Prevention, Detection, Investigation and Prosecution of Contraventions of Law: The data protection law should provide an exemption for prevention, detection, investigation and prosecution of contraventions of law (including protection of revenue). In order to invoke the exemption, the law enforcement agencies must be authorised by law.
Disclosure for the Purpose of Legal Proceedings: The disclosure of personal data necessary for enforcing a legal right or claim, for seeking any relief, defending any charge, opposing any claim or for obtaining legal advice from an advocate in an impending legal proceeding would be exempt from the application of the data protection law. General obligations of security and fair and reasonable processing will continue to apply.
Research Activities: The research exemption is not envisaged as a blanket exemption. Only those obligations that are necessary to achieve the object of the research will be exempted by the DPA. This assessment is contextual and dependent on the nature of the research.
Personal or Domestic Purposes: A narrowly tailored exemption for purely personal or domestic processing of data should be incorporated in the data protection law. It would provide a blanket exemption from the application of the data protection law.
Journalistic Activities: To strike a balance between freedom of expression and right to informational privacy, the data protection law would need to signal what the term “journalistic purposes” signifies, and how ethical standards for such activities would need to be set. Where these conditions are met, an exemption should be provided.
Manual Processing by Small Entities: Since the risk of privacy harms being caused is higher when personal data is processed through automated means, an exemption will be made in the data protection law for manual processing by data fiduciaries that are unlikely to cause significant harm and would suffer the heaviest relative burdens from certain obligations under this law.
1. The data protection law will set up a DPA which will be an independent regulatory body responsible for the enforcement and effective implementation of the law. Broadly, the DPA shall perform the following primary functions: (i) monitoring and enforcement; (ii) legal affairs, policy and standard setting; (iii) research and awareness; (iv) inquiry, grievance handling and adjudication.
2. The DPA is vested with the power to categorise certain fiduciaries as significant data fiduciaries based on their ability to cause greater harm to data principals as a consequence of their data processing activities. This categorisation will be based on an assessment of volume of the personal data being processed, nature of personal data, type of processing activity undertaken, turnover of the data fiduciary, the risk of harm, and the type of technology used to undertake processing.
3. Significant data fiduciaries will have to undertake obligations such as:
(i) Registration with the DPA;
(ii) Data Protection Impact Assessments;
(iv) Data audits; and
(v) Appointment of DPO.
The DPA can require that any other data fiduciaries undertake these obligations as well.
4. The following enforcement tools shall be made available to the DPA:
- Issuance of directions
- Power to call for information
- Publication of guidance
- Issuance of public statement
- Codes of Practice
- Conducting inquiry
- Injunctive Relief
- Inter-sectoral coordination
5. Pursuant to its powers of inquiry, the DPA has wide-ranging powers, including issuing warnings and reprimands and ordering data fiduciaries found to be in contravention of the law to cease and desist, or to modify or temporarily suspend their businesses or activities.
6. The DPA’s Adjudication Wing shall be responsible for adjudication of complaints between data principals and data fiduciaries.
7. The Central Government shall establish an appellate tribunal or grant powers to an existing appellate tribunal to hear and dispose of any appeal against an order of the DPA. Appeals against orders of the appellate tribunal will be to the Supreme Court of India.
8. Penalties may be imposed on data fiduciaries and compensation may be awarded to data principals for violations of the data protection law. The penalties imposed would be an amount up to the fixed upper limit or a percentage of the total worldwide turnover of the preceding financial year, whichever is higher. Offences created under the law should be limited to any intentional or reckless behaviour, or to damage caused with knowledge to the data principals in question.
Soon after the report was presented to the government Justice Srikrishna spoke to BloombergQuint to explain his committee’s approach to key issues.