The Srikrishna Committee’s report on data privacy and protection has stirred up a hornet’s nest instead of providing a reliable road map. This is a landmark report in many ways, given its multiple but critical touchpoints: a nascent but growing digital economy, the unmapped and uneasy relation between citizens (the committee calls them “data principals") and data managers (“data fiduciaries"), the state’s contentious role, the legal dilemma of trying to constrain globally mobile data within local legislative jurisdictions, among many others.
The data protection report presumably incorporates stakeholder feedback on a draft white paper released some months ago. Yet it falls short of expectations and meanders into areas which are beyond its scope. On many counts, the report also seems to have abandoned the white paper’s even-handed approach and acquired a bias: It recommends heavy penalties for private sector’s breach of data privacy laws but adopts a lenient stand regarding the state’s infractions.
But more curious is the committee’s self-appointed role as promoter of the digital economy and its assumption of responsibility for fostering growth in the industry. An imagined role for a task outside its jurisdiction thus exerts uneven influence on the report’s recommendations; consequently, this asymmetry gets further accentuated in the draft Bill. This critical structural flaw in the report’s recommendations and draft Bill seems to spring from either a misreading of the terms of reference (ToR) or dependence on text external to the ToR.
The ToR released by the ministry of electronics and information technology is unambiguous in outlining the committee’s scope of work: a) to study various issues relating to data protection in India; b) to make specific suggestions for consideration of the central government on principles to be considered for data protection in India and suggest a draft data protection Bill. It’s also quite precise in its text while appointing the committee: “It has thus been decided to constitute a committee of experts…to identify key data protection issues in India and recommend methods of addressing them."
However, the report uses another quote—“to unlock the data economy, while keeping data of citizens secure and protected"—to justify its seasoning of data protection laws with the task of nurturing growth in the digital economy. This is most odd, because the phrase does not exist in the ministry of electronics and information technology’s office memorandum appointing the committee, though it does appear in other government communication about the committee and how critical data privacy is for the digital economy’s sustainable growth.
This then raises questions about jurisdiction: should the committee design its work on the basis of what government communicates to the public or stick to its specific ToR? This is important because, as the Srikrishna Committee’s report shows, any framework based on the twin pillars of a perceived objective (unlocking data economy) and a real purpose (data protection) can result in a questionable foundation.
What’s worse is that, by default, this duality has gone on to inform the report’s overall tenor. One of the examples relate to the rules on data localization where there is a demonstrable lowering of concerns about the state’s capacity for committing excesses. The white paper had stated: “While a data localisation mandate may be effective in reducing foreign surveillance as data will be stored locally, such a mandate may increase the risk of local surveillance by law enforcement agencies."
The final report does mention these concerns but creates a back door through the instrumentality of national security.
The imbalances are also reflected in the committee’s composition: Out of 10 members, only three are from the non-government sector; if we also leave aside the committee chairman, a retired Supreme Court judge, the remaining six members are from the government. A committee on protecting data privacy should have included representatives from at least a couple of industry segments that deal in large volumes of citizens’ data, such as financial services or telecom or, perhaps, even healthcare. Not surprisingly then, the two dissent notes appended to the report are from two non-government members.
The task of promoting or developing a particular segment is best left to an autonomous body. In India, that responsibility is discharged mostly by segment regulators, such as the Insurance Regulatory and Development Authority or the Pension Funds Regulatory and Development Authority, the operative word in both titles being “development". Even the preamble to the Securities and Exchange Board of India Act states “...to protect the interests of investors in securities and to promote the development of, and to regulate the securities market …". The Srikrishna Committee recommends the formation of a Digital Protection Authority; the development of the digital economy and furthering its growth should thus be this body’s responsibility, in addition to other regulatory duties.
Finally, having adopted promotion of the digital economy as the centrepiece of its thesis, the report goes on to provide contradictory signals on growth. This is especially evident on the suggestions for data localization, which is likely to increase costs for a wide variety of digital fiduciaries and could invite retaliatory action from markets which outsource data processing to India.
Rajrishi Singhal is former editor of a leading business newspaper. His Twitter handle is @rajrishisinghal.
Comments are welcome at firstname.lastname@example.org.