After several months of deliberation, the Justice B.N. Srikrishna Committee on Friday finally submitted its report on the data protection law to the ministry of electronics and IT. The committee’s recommendations and the draft personal data protection bill were also made public.
Though the draft bill addresses various issues plaguing the data ecosystem in India and clearly articulates the rights of individuals, it falls short on key principles that are at the core of a robust data protection framework.
In its broad structure and key provisions, the bill seems to follow the model of the European Union’s General Data Protection Regulation (GDPR) and, on a number of significant provisions, the draft bill takes on strong privacy preserving positions.
The draft bill has included well recognised privacy principles on how a notice should be sent to individuals before data is collected. It says that for the consent to be valid it must be free, informed, specific, clear and capable of being withdrawn, besides prescribing explicit consent for sensitive personal data. Purpose limitation and collection limitation also feature prominently in the draft bill. Similarly, some of the key rights of individuals, such as the right to confirmation and access, right to correction and right to data portability, are part of the bill and would go a long way in providing individuals with control of their data. Finally, the creation of a data protection authority is sorely needed, and hopefully, it will lead to a strong, independent and specialised regulator.
These positive developments are, however, significantly compromised by provisions which dilute the privacy protections under the draft bill. Like the GDPR, this bill also does not restrict itself to having consent as the sole ground for processing.
While there can be other limited grounds for processing, the most disappointing feature of this draft bill is the carte blanche it gives to the state to process personal data without obtaining consent. Under Section 13, personal data of individuals can be processed “for the exercise of any function of the state". This can be done without the consent of the individual as long as it is to provide a service or benefit to the individual.
This is especially problematic for two reasons. First, in the age of electronic and data-driven governance, the state collects a humongous amount of personal data. This provision effectively means that for most interactions between the state and the citizen, there is no requirement for the state to obtain consent of citizens to process their data. Second, this runs directly counter to the articulation of informed consent as central to informational privacy in the Puttaswamy judgment from last year. Similarly, other grounds of processing, such as ‘purpose related to employment’, are poorly worded and provide employers an unhealthy degree of discretion on how they can deal with their employees’ data. One key subject missing from the draft bill is the reform of surveillance laws. There is very little legislative and judicial oversight on surveillance activities carried out in India. With the data protection authority being set up to exercise judicial functions as well, this was an ideal opportunity to bring the oversight of surveillance and interception activities under the data protection authority.
Aside from individual rights, the law is also likely to give data processing businesses a lot of pain. The provisions on the need to include privacy by design principles in processing and security safeguards, while expensive for businesses, are necessary. It is also encouraging to see that the most onerous obligations, such as data protection impact assessments, data audits and the need to have data protection officers, are only applicable to businesses that pose a greater threat to privacy.
However, the provision that will hurt businesses is the need to maintain a copy of all personal data collected on a server or data centre located in India. This has been introduced to deal with problems with data requests faced by investigative agencies, when they require data hosted outside India. However, the proper response to this problem is to work with other countries on reforming the mutual legal assistance treaties. Requiring all businesses to store data within India, without any reform of surveillance governance, will pose even bigger privacy issues in the future.
Amber Sinha is a lawyer and works at the Centre for Internet and Society