The Committee of Experts under the chairmanship of Justice B N Srikrishna has submitted its proposed law on data protection, along with a 213-page report to the Ministry of Electronics and Information Technology. Guided by the principles laid down by the Supreme Court in Justice K S Puttaswamy (retd.) and Anr. vs Union Of India And Ors, the framework seeks to empower individuals to protect their personal data. In the past few decades, data protection has emerged as a hotbed of legislative action globally, with the European Union having implemented its General Data Protection Regulation recently. As of now, there is no statutory framework that holistically protects informational privacy of individuals in India. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were a small but significant step in this direction. However, these Rules are selectively applicable to certain body corporates and suffer from poor implementation. The proposed data protection law, after taking into account the existing gaps in the current framework and global best practices, creates a novel framework tailored to India’s constitutional, economic, and socio-political realities.
The crux of the proposed legislation is this – personal data of individuals (data principals) can be processed (i.e. collected, used, stored, disclosed to third parties, etc.) by entities (data fiduciaries) only if the individual has given her free, informed and specific consent. Such consent is capable of being withdrawn. Personal data may also be processed under certain specific circumstances such as state function, emergent health and safety situations, compliance with a judicial order etc. However, in each case, data fiduciaries, be it the government or private entities, will be required to strictly comply with principles such as collection limitation, purpose limitation, security safeguards, and measures of transparency and accountability that are laid down in the law. Additionally, the law provides heightened safeguards for processing of sensitive personal data, such as financial data, health data, sex life and sexual orientation, caste or tribe, official identifiers such as Aadhaar, religious and political beliefs or affiliations, etc.
The proposed law will be applicable to both private and public entities. Additionally, the central and state governments, departments, regulators and other authorities which perform a public function are squarely covered by the proposed law. Moreover, ‘significant data fiduciaries’, i.e. data fiduciaries that undertake large-scale processing of personal data (such as statutory regulators, government departments, multi-national corporations) will be tasked with heightened data protection obligations such as regular audits, data protection impact assessments etc. Individuals, on the other hand, will be empowered with the right to access their personal data, data portability and the right to be forgotten, to name a few.
The proposed law contains exemptions for processing of personal data for certain purposes, such as journalistic activities, law enforcement, security of state, etc. An important concern raised by citizens and stakeholders relates to the security of state exemption. It has been pointed out that the exemption may be too broad and may not effectively address the issue of surveillance and systematic access to citizens’ data by the state. The exemption is based on the principles laid down in Puttaswamy, which held that to allow a restriction on privacy, three requirements ought to be fulfilled: first, the restriction must be by law; second, it must promote a legitimate state interest, of which national security is an example; and third, it must be necessary and proportionate. The proposed data protection law ensures that state surveillance agencies attempting to access personal data or sensitive personal data without the authorisation of law will not be able to avail of this exemption. Additionally, the committee report has recognised the scattered oversight mechanisms laid down in statutes such as the Telegraph Act of 1885 and is of the opinion that mere executive review will not suffice. Instead, it recommends that an authorising law should be expeditiously brought in and should provide for a system of parliamentary oversight and judicial approvals for surveillance. The data protection laws in other jurisdictions, such as the US, UK, Germany and South Africa, also do not prescribe such oversight in data protection legislation; surveillance in these countries is regulated by separate and specific legislation on the subject matter. Further, the committee recommends that ex ante and post facto reporting and transparency requirements should be incorporated in such a law.
Many of the recommendations made by the committee throw up important questions of acceptability and feasibility for the industry, stakeholders and allied sectors. For instance, the stance on cross-border flow of personal data, heightened organisational measures on data fiduciaries, and individual participation rights has sparked a debate on compliance burdens on data fiduciaries and perceived impediments to a free and fair digital economy. The committee has set the ball rolling on several issues concerning the protection of personal data by setting out a proposed law. It is expected that through further consultations and dialogue, citizens and stakeholders will build on this foundation by giving suggestions to strengthen the legal framework and ensure that an effective data protection regime is set up in India.