Setting the stage for India’s Data Protection Regime – Only half the battle won!

By Rishika Taneja

The committee of experts appointed by the government under the leadership of Justice B. N. Srikrishna in its report has set the foundation for the data protection architecture of the second largest market of internet users in the world! This committee was appointed by the government in the wake of the challenges faced by the Aadhaar program in the Supreme Court. The committee has now submitted a draft bill establishing an omnibus privacy and data protection framework.

The draft bill seeks to define the fundamental contours of the relationships between users and companies/Government entities which whom they share their data – namely data principals and data fiduciaries/data processors respectively; and places an overarching obligation on all data fiduciaries to follow a ‘fair and reasonable’ manner in which personal data may be processed. The committee has also recommended consequential amendments to a number of other enactments including the Information Technology Act and the Right to Information Act.

While this draft bill is a notable step in India’s pursuit of a free and fair digital economy, certain provisions while advancing the interest of data protection might have an adverse impact on businesses.

It undeniably empowers citizens against private parties by premising itself on a consent-based framework insisting on the requirement of “explicit consent” for sensitive personal data, however, it also empowers the State against the citizens through broad exemptions in the State’s use of data. These include the processing of personal data and sensitive personal data of the data principal for “any function of the Parliament or State Legislature” or as “authorised by law for the provision of any service or benefit to the data principal”. Additionally, the Government authorities are also exempt from securing consent while issuing certifications, permits or licenses by the State.

The Committee’s justification for variable standards prescribed for States vis-à-vis private actors is premised on the fact that for “genuine consent” to be operationalised in such circumstances, “collective interests stand to suffer”. The reasoning in the report buttressing this provision does not justifiably support why such collective interest may be paralysed only in the event of provision of services by the State whereas private entities must necessarily follow the consent driven approach despite competing in the same market as the State.

In its justification, the Committee observed that the interaction between the state and the citizen is incomparable to that of a consumer entering into a contract with a service provider where “the option available to a consumer in refusing an onerous contract and choosing another service provider is not available to a person seeking a welfare benefit from the state”. This should not imply ceding consent but perhaps putting in place additional safeguards beyond consent.

Presently, there is a general law that applies to the collection of personal data for the purpose of intelligence gathering and surveillance. The committee also highlighted the several deficiencies in the interception framework under the Telegraph Act and Rules especially the oversight mechanism. The draft bill however curiously refrains from addressing these issues while the report has cited surveillance laws adopted in the US, Germany and South Africa to guide the thinking of the government on this issue. This is a significant gap in the privacy framework advocated by the committee given the fact that surveillance is perhaps the most potent threat to privacy from the state.

The bill envisages the concept of data localisation whereby data-processing entities namely data fiduciaries, are mandated to store at least one copy of all personal data being processed on a server within the territory of India. Certain categories of data which are to be specified by the government as critical personal data are also to be stored in India alone, even though the Bill provides no clarity or illustrative examples of what may classify as critical, thereby giving broad powers to the central government.

The Committee’s report justifies data localisation by stating that “a policy of storage and processing of personal data within the territorial jurisdiction of a country is advocated to ensure effective enforcement and to secure the critical interests of the nation-state.” However, this concept refutes the very tenets of a liberal economy and a seamless worldwide internet thereby creating potential barriers to trade by imposing additional costs and burden on data fiduciaries to set up data centers in India without any proportional benefit. The committee has cited a lack of evidence of the prohibitive costs of imposing such requirements. This reasoning, however, belies policy prudence which would require a more in-depth study of the impact of these restrictions on market efficiency and innovation.

Notwithstanding the shortcomings of the instant report and bill submitted by the Srikrishna Committee, it marks a watershed moment in the domain of data protection in India. The Bill contains some noteworthy provisions which the Committee has rightly recognised and inserted. For instance, the recognition of the privacy principles of collection and purpose limitation serving as strong data protection obligations in consonance with EU’s General Data Protection Regulation; the privacy-by-design concept; tall requirements for defining consent; broader definitions including a comprehensive list of what is encompassed under Sensitive Personal Data, including religious and political beliefs and transgender status; horizontal application to both government and private actors; steep penalties for violations.

While the judgment in the case of Justice KS Puttaswamy v Union of India reaffirming the status of privacy as a fundamental right was indeed a big win for the country, many battles are still being fought!

Rishika Taneja is an advocate having studied the BCL at the University of Oxford as a Salve Scholar and the co-author of the book ‘Privacy Law: Principles, Injunctions, and Compensation’, Eastern Book Company cited by the Supreme Court in KS Puttaswamy v Union of India.