Guarding information & privacy : The Tribune India


Guarding information & privacy


The provision to keep data in India will be the subject of a fierce debate. Istock



Amba Kak

The Justice Srikrishna Committee made public its final report and the draft of India’s first comprehensive data protection law last week. It is well acknowledged that the enactment of a baseline data protection law should be a national policy priority for India, and it is a relief to see an important step being taken towards enacting real privacy protections.

The legislation is groundbreaking in several respects, codifying principles and enforcement mechanisms that are foundational to a robust data protection framework. If done right, this is a good opportunity for India to be seen as a model example in setting high standards for data protection. However, the draft still contains loopholes, such as broad exceptions for government use of data and data localisation requirements, many of which threaten to dislodge these very strong foundations. As this Bill makes its way to law, an open and consultative process is essential.

Top-level highlights include strong obligations that apply to both private companies and the government, including limitations on purpose and collection, data security, documentation, and a general duty to process data in a way that’s ‘fair and reasonable’ and ‘respects the privacy’ of the person. This law applies to the data of Indian residents wherever it may be processed.

Individuals are provided comprehensive rights of correction, updation, and data portability. However, rights to deletion and to object to processing, which are guaranteed by other data protection laws around the world, including the EU’s GDPR, are notably missing. Users may have to pay for certain rights, which could entrench existing inequalities and create haves and have-nots for privacy.

Biometric data and the Aadhaar number are included in the definition of sensitive personal data which comes with stricter obligations. The Bill includes a generally inclusive and progressive list of sensitive personal data, including data related to religious or political belief, sexuality, transgender, and intersex status. Section 106 bars processing certain forms of biometric data as determined by the Central government, unless the processing is explicitly permitted by law. This provision could be used to curtail the lax limitations on the handling of Aadhaar data.

The Bill creates an independent Data Protection Authority with expansive powers, including investigatory, adjudicatory, and punitive powers, as well as a separate Adjudicating Officer to take complaints, impose penalties, and mete out compensation to individuals. However, the independence of the adjudicatory authority and appellate tribunal is severely lacking. The qualifications and nominations of those serving in these bodies are entirely prescribed by the government, as are the procedures of the bodies themselves. The system as it currently stands has far too much delegated authority to the Central government.

For consent to be valid it must be free, informed, specific, clear, and capable of being withdrawn. This sets a high bar for companies seeking to validate their actions on the basis of consent. ‘Explicit consent’ is required for the processing of sensitive data.

The Bill allows for data processing for ‘reasonable purposes’. While similar in intent to the GDPR’s ‘legitimate interest’ ground, the Bill limits the potential for abuse by providing conditions on the basis of which data may be processed, as well as an illustrative list of categories that fulfil these conditions. This is an improvement on the GDPR standard which can ‘easily be abused by companies’ who may argue that ‘innovation’ itself is always a reasonable pursuit, even where it may put the privacy of users at risk.

Data processing for security, intelligence and law enforcement purposes must be ‘necessary and proportionate’, and must be authorised by a law passed by Parliament. While a quick reading of the Bill might look like there are exceptions for ‘security of state’ data processing and the potential for mass surveillance, Section 42.1 actually provides substantive protections. For the number of intelligence and security agencies that currently operate in a legal vacuum, the Bill would necessitate regulation, and one that meets the standards of ‘necessary and proportionate’. This standard is a critical part of international human rights law around surveillance, as well as the Puttaswamy judgment, and prevents the Bill from ushering in mass surveillance. Section 42.1, if enacted, will necessitate a public debate about the appropriate limits of Indian government surveillance — data processing for security, intelligence, and law-enforcement purposes cannot happen in the absence of such a debate and subsequent law.

The Bill makes cross-border data transfer possible through a variety of means, but rejects consent alone as sufficient for transfer, and conditions transfers on having a high level of data protection in place.

There are some worrying provisions. A copy of all personal data is required to be stored in India. Data localisation is bad for business, users, and security. Notwithstanding the protections on processing in the interest of the security of the state, it’s hard to see that this provision is anything but a proxy for enabling surveillance.

A large swathe of government data processing activities for both sensitive and non-sensitive data, including for the provision of any service or benefit to a data principal, is exempt from the requirement of obtaining consent. Instead, the government needs to show that any processing of personal data is ‘necessary’ and processing of sensitive personal data is ‘strictly necessary’ for the exercise of any function of the State authorised by law for the provision of service or benefit. This means that the government must prove that processing data such as workplace, address, or phone number is ‘necessary’ and processing data such as passwords, financial data, and biometric data is ‘strictly necessary’ for any function that would provide a service or benefit. While these limits are welcome, it is not clear why the government cannot give the opportunity to obtain consent in situations where similar private services will have to.

Data privacy expert
