Finding a balance between the rights-based model of privacy and protecting the individual from State interference, listing out seven principles of a good data protection law, and setting up of a data protection authority, these are some of the key findings of a white paper published by a committee of experts on data protection on Monday. The Justice BN Srikrishna Committee, set up by the Ministry of Electronics & Information Technology on July 31, tasked with writing a draft data protection law, published a white paper on data protection framework in India, asking for stakeholders’ feedback by December 31.
The seven key principles mentioned on which such a framework could be based upon in the country include: technology agnostic law; be applicable to the private sector and the government, maybe with different obligations though; informed and meaningful consent; minimal and necessary data processing; data controller must be accountable for any processing; establishing a high-powered statutory authority for enforcement, supported by a decentralised enforcement mechanism; and penalties for wrongful data processing to ensure deterrence.
The nearly 250-page report published by the nine-member committee has compared data protection laws and regulations from a number of countries, specially focusing on the regulatory framework in the European Union and in the United States, as two ends of the spectrum and seeks to find the Indian framework somewhere in between.
The EU’s rights-based model may be excessively stringent, it says, “imposing many obligations on the organisations processing data”. On the other end, the US model seeks to protecting the individual “from excessive State regulation”, but recognises the value of data to encourage innovation”. Though, the US model might be “inadequate in key respects”.
Taking India’s potential to “lead the world into a digital economy” the white paper suggest the data protection framework must not stifle innovation. In addition, it feels the framework must be considerate of the country’s need for “empowerment based on data-driven access to services and benefits for the common man”.
It envisions three main objectives of a data protection authority: monitor, investigate and enforce the laws; set the standards; and generate awareness in an increasingly digitised society.
The paper traces the judicial and legislative steps towards data protection and privacy in India. It touches on many domain-specific privacy laws for information, but in the context of data protection it focuses on two laws that provide the current contours for data protection.
The Aadhaar Act of 2016 is discussed in some detail. It states the “collection, storage and use of personal data is a precondition for the receipt of a subsidy, benefit or service” under the Aadhaar Act. It specifically says that though obtaining an Aadhaar number is not mandatory, except for certain benefits, subsidies and services funded from the Consolidated Fund of India, “in practice” getting an Aadhaar number “is becoming mandatory for availing most services through a range of cognate laws.”
Even though the government is obligated to adopt adequate security safeguards, “no database is 100 per cent secure,” the white paper states. It refers to the criticisms of Aadhaar, including “though seemingly voluntary, possession of Aadhaar has become mandatory in practice, and has been viewed by many as coercive collection of personal data by the State”. The committee feels that in view of all these issues the “interplay between any proposed data protection framework and the existing Aadhaar framework will have to be analysed”.
The other data protection law it looks at is the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011, or the SPDI Rules. The main flaw of the SPDI Rules is that it solely looks at the private sector, leaving the government out of its ambit. “When it comes to sharing information with Government agencies, then the consent of the provider is not required and such information can be shared for purposes such as verification of identity, prevention, detection and investigation including of cyber incidents, prosecution, and punishment of offences.” It adds the rules are restricted to sensitive personal data, including attributes like “sexual orientation, medical records and history, biometric information”, and not larger personal data.