The Justice B.N. Srikrishna Committee took about a year to submit a report on the basis of which data protection will be legislated. In the interim period, a nine-member bench of the Supreme Court passed a unanimous judgment that the right to privacy is a fundamental right. The Srikrishna Committee’s recommendations will have to be governed by the constitutional implications of that judgment.
The committee took confidential recommendations from stakeholders before it submitted a set of recommendations that run into 213 pages. It also drafted a legislation, Personal Data Protection Bill, 2018, which runs into 112 sections. Those recommendations and the draft law must both be consistent with the historic right to privacy judgment.
There is an urgent need for privacy legislation due to the increasing collection of data by both government and private operators. In particular, the increasing use of Aadhaar, including coercive usage, ties sensitive data together in one silo.
Even though the UIDAI insists that the Aadhaar database itself is secure, there have allegedly been multiple privacy breaches from different databases, including the databases of banks, telecom service providers and government institutions. Apart from this, there is a trend of surveillance by government security and intelligence agencies and, in the absence of legislation, this surveillance continues to occur in a legal vacuum without any safeguards.
There are enormous commercial implications surrounding data and its protection. Commercial interests need to be protected by the law, while at the same time ensuring that data collection and processing occur only with the informed consent of the individual (referred to as the “principal” in the report) whose data is being collected.
Legal experts, civil rights activists and other stakeholders are less than satisfied with the proposed draft legislation. In some areas, it does not go far enough in according protection to the data of the individual. There are also wide exceptions that allow the government to collect and process data without consent. The legislation does not seem to address issues such as surveillance and Aadhaar overreach in an adequate manner. Another area of concern is that feedback from stakeholders was confidential before the law was drafted, and there has been no space allotted for further feedback. This is unusual in that, in most cases, there is time for open feedback from everybody after a draft law is released.
The bill proposes a data protection authority and delegates significant power to the proposed authority and the central government to make rules and regulations that would have an impact on how the proposed protection framework works in practice. Section 107 of the draft bill gives the centre 30 rule-making powers, while Section 108 gives the authority 30 regulation-making powers.
The Personal Data Protection Bill, 2018 has ignored the Telecom Regulatory Authority of India’s (TRAI) recommendation that ownership of data must rest with the individual and that everybody else is a mere custodian of that data. Instead, who owns the data of individuals is a question not answered by the Srikrishna Committee. This is actually a contentious question in law, with some experts asserting that ownership is a narrower definition than a right. Ownership can be transferred upon some consideration but a right is inalienable. In any case, this issue has not been clarified.
Globally, the right to be forgotten refers to the right to erase data. The committee has said, “The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure – has served the purpose for which it was made or is no longer necessary; was made on the basis of consent … and such consent has since been withdrawn; was made contrary to the provisions of this Act or any other law made by Parliament or any State Legislature.”
This legalese implies that the data collector or processor will only be required to restrict, or stop sharing data rather than erase it. Global best practices such as the European Union’s General Data Protection Regulation (GDPR) allow retrospective erasure of data upon request.
The global norms for actions after a privacy breach are set higher than the recommendations by the committee. If data is breached, the breach is required to be reported to the affected persons immediately. But the committee recommends that such a breach must first be reported to the authority and it is the authority that will decide whether the person whose data has been breached should be informed or not: “Upon receipt of notification, the authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm.” This is contrary to all global norms. If the affected individual is not informed, it is impossible for the individual to take corrective action.
The committee also recommends that the individual will be made responsible for any consequences arising from the withdrawal of consent. “Where the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences of the effects of such withdrawal shall be borne by the data principal,” the report says. This clause is open to wide misuse, simply by inserting the conditions of a contract in fine print and then invoking it if there is withdrawal of consent.
There will also be controversy over the recommendations on data localisation. Most countries – over 80 by one estimate – have data localisation laws in order to ensure jurisdiction over the data of citizens. The committee recommends that a copy of data on Indians be stored in India. But there’s a big loophole: “Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.” This implies that while a copy is stored in India, a copy of the data may also reside in another nation and thus, this opens the door to the possibility of both local and overseas surveillance. This apart, there may be concerns about security. It’s also an open question if India has sufficiently robust infrastructure and cloud capacity to comply with data localisation at this moment.
The penal provisions appear to have been directly copied from the European Union’s GDPR and follow a similar two-stage escalation of penalty. Lesser violations could involve a fine or a maximum penalty of 2 per cent of global turnover of the preceding year (whichever is higher) while graver violations invite a fine or a maximum penalty of 4 per cent of global turnover. The bill has recommended Rs 50 million or 2 per cent (whichever is higher), and Rs 150 million or 4 per cent respectively for lesser and graver contraventions.
Biometric data and the Aadhaar number are now to be included in the definition of sensitive personal data, which comes with stricter obligations. Section 106 bars processing certain forms of biometric data as determined by the central government, unless the processing is explicitly permitted by law. This provision could be used to curtail the lax limitations on the handling of Aadhaar data.
The bill has an inclusive and progressive list of sensitive personal data, including data related to religious or political belief, sexuality status, etc. However, location data, which is easily available for any cellphone user, for example, remains outside the ambit of sensitive data and is open to misuse.
But the bill allows for data processing for “reasonable purposes”, and there are very wide exceptions that allow for non-consensual collection and processing of data, including such processing by both government and private employers. Many government data processing activities for both sensitive and non-sensitive data, including for the provision of any service or benefit to a data principal, are being kept exempt from the requirement of obtaining consent.
Perhaps the most worrying clauses are under Section 13, which allows the state to process personal data without obtaining consent “for the exercise of any function of the state”. This is much too broad and it would essentially allow the state to ignore the consent of the individual. Similarly, other grounds of processing, such as “purpose related to employment”, are poorly worded and broad, and these would provide employers with far too much discretion in dealing with employees’ data.
Indeed, the government just needs to claim that any processing of personal data is “necessary” and processing of sensitive personal data is “strictly necessary” for the exercise of “any function of the State authorised by law for the provision of service or benefit”. This means that the government must prove that processing data such as workplace, address, or phone number is “necessary”, and processing sensitive data such as passwords, financial data and biometric data is “strictly necessary” for any function that would provide a service or benefit. It is not clear why consent cannot be taken for any such processing.
The coercive use of Aadhaar could easily continue by using the exceptions given above. Even though the recommendations of the committee indicate the need for wide-ranging amendments to the Aadhaar Act, 2016, the text of the Data Protection Bill merely offers minimal protection for “Aadhaar numbers” and not for the data gathered under Aadhaar. Wide exceptions from consent are, therefore, facilitated by Sections 19 and 20.
The RTI Act may need some changes to align with the new law and the Supreme Court judgment. The RTI Act has sections under which disclosure may be refused to safeguard privacy; however, this is overridden by public interest. This recognises that the right to privacy cannot be abused to undermine the public’s right to information. In a separate schedule, the bill suggests an amendment to the RTI Act and this will need careful study to determine whether it serves the purpose of protection of personal data without diluting the power of the RTI Act.
One key subject that is missing from the bill is the reform of surveillance laws. There is very little legislative and judicial oversight on surveillance activities carried out in India. Given that the data protection authority is to exercise judicial functions as well, this was an ideal opportunity to bring the oversight of surveillance and interception activities under the data protection authority.
Despite being weaker than desirable, the law does offer some protection for individual rights from careless data processing or from rapacious businesses looking to exploit data without consent. The provisions on the need to include privacy by design principles in processing and security safeguards, while expensive for businesses, are necessary, and follow the same guiding principles as the GDPR. It is also encouraging to see that onerous obligations such as data protection impact assessments, data audits and the need to have data protection officers are being made applicable to businesses that may pose a threat to privacy.
Unfortunately, the draft is not with retrospective effect – it does not offer the possibility of delinking Aadhaar via the right to forget mechanism from information (bank accounts, insurance, medical records, phone numbers) that was linked to the Aadhaar number during a prior period. Nor does it allow for a reform of the surveillance process. It also leaves a major loophole wherein the state can continue to collect and process data without consent, by “exercising a function of the state”. The impact on the RTI Act is difficult to determine without a careful reading of the proposed amendments – but it could impact the transparency that the RTI Act was designed to bring about. A public feedback mechanism before the bill is presented to Parliament will determine whether redrafting is required for addressing these conserns.