On 27 July, a committee of experts led by Justice B N Srikrishna submitted recommendations on a data protection law for India, along with a draft bill.
This committee was set up nearly a year ago, when the Supreme Court was hearing arguments about whether the right to privacy is a fundamental right. In August 2017, the Supreme Court issued a landmark judgment which upheld this right. The Court also recommended that the government put in place adequate laws to ensure that people can exercise this right.
In November 2017, the committee published a detailed white paper explaining its views on what the data protection law should look like – a comprehensive law that applies across industries, to both the private sector and the government.
The committee called for public comments and held four public consultations to discuss issues highlighted in the white paper. Several organisations and individuals have submitted comments; however, these comments have not been published by the committee. The committee has now submitted and published its report and the bill drafted as a part of this process.
What kind of data are protected?
The committee has recommended that the law have a wide scope of application. The bill applies in relation to the use of two primary types of information – personal data and sensitive personal data.
Personal data is any data about or relating to a natural person who can be directly or indirectly identified by such data. This ‘identifiability’ could be with respect to any characteristic, trait, attribute or other feature of the identity of a person, or any combination of such features and other information. The law doesn’t apply to anonymised data, i.e. data that has been modified such that it no longer identifies a person, so long as the anonymisation is irreversible.
The second category of data is ‘sensitive personal data’, a subset of personal data which calls for a higher standard of processing. This includes information like passwords, financial data, health data, biometric data, sexual orientation, official identifiers, sex life, genetic data, transgender status, intersex status, caste or tribe, and religious and political affiliations/beliefs.
If your personal data is collected, disclosed, shared or processed in India, you – a data principal – should be protected under the law. If you are an Indian company, citizen, or person/body of persons incorporated or created under Indian law, and process personal data, the law will be applicable to you – a data fiduciary. This also extends to the Indian government. If you are in India, and your personal data is processed by any person outside India, the law should be applicable to such processing as well.
How is this data protected?
As a rule, personal data can only be processed if your consent has been obtained. You must be given notice of details such as the kind of data collected, what it will be used for, how long it will be stored, and whether the data will be shared with or transferred to others. Your consent must be given freely, and you should be able to withdraw this consent. In cases where sensitive personal data, or personal data of children, is being processed, the requirements for consent are higher.
This data can only be used for a lawful, specific purpose. Only the limited data that is necessary for this purpose may be collected, and this data may be stored only for as long as is necessary for that purpose. The data fiduciary must also ensure that the personal data they process is accurate and complete – this is particularly important in situations where the personal data is used to make decisions about an individual.
This means, for example, that companies cannot collect data that is not required for the service they are providing. They also cannot deny service if you refuse to give consent for collection of data that is not required for the service.
In addition, data fiduciaries have certain general obligations – for instance, they must maintain minimum security standards, incorporate privacy measures into the design of their technology and practices, be transparent about their data practices, and notify the authorities of any data breach.
How can individuals exercise their rights?
The bill provides three primary means by which you can exercise your rights. First, there is a set of ‘data principal rights’; second, a grievance redressal mechanism; and third, as with many other laws, an enforcement mechanism, which provides for penalties, compensation and criminal offences.
The data principal rights include the right to confirm that a data fiduciary has your personal data, and to access and correct or update your data. They also include the right to data portability – allowing you to transfer data between service providers – and the right to restrict continuing disclosure of your personal data in certain cases, i.e. the right to be forgotten.
Data fiduciaries must maintain grievance redressal mechanisms for complaints about violations. Where this doesn’t work, a complaint can be made to the adjudicating officer appointed under the data protection authority to be established under the bill.
The committee’s report and draft bill are a significant step towards an effective data protection regime in India. The report, in fact, is more elaborate than the bill and provides insight into what the data protection law could/should be.
However, even with the expansive individual rights discussed here, many issues have already been raised in the two days since the bill was published.
One such issue is the set of situations in which personal data can be processed, either by private actors or the government, without obtaining an individual’s consent.
These involve legitimate considerations such as the need for data in a medical emergency. But some other exceptions appear to be too broad on first impression. For example, consent is not required in some cases where an employer is processing employee data, and in many situations where the government is processing personal data. The data protection authority may also identify ‘reasonable purposes’ for which data can be processed without consent.
There are also broad exemptions from most of the law for government processing of data for security of the state and law enforcement.
It appears that between the exceptions granted to the government, and the power given to the data protection authority, there is a possibility that protection granted under the bill will be diluted, or in some cases difficult for individuals to access.
In addition, the bill also proposes some amendments to the Right to Information Act, 2005 that may provide cause for concern.
The report and the bill will now need to be submitted by the Ministry to the Cabinet, and then to Parliament. There have already been several calls for public consultations to be held on the bill through this process, including by a member of the committee itself. A strong data protection law is necessary to protect the right to privacy as recognised by the Supreme Court. It will be important to ensure that concerns already expressed, as well as any issues that come up with more detailed examination of the report and the bill, are taken into consideration at each of these stages.
(The writer is programme manager at Centre for Communication Governance, National Law University, Delhi. Views expressed are personal.)