Saying that citizens must come at the top, the Srikrishna Committee Friday submitted the draft of a data protection Bill containing sweeping recommendations, including amendments to at least 50 laws such as Aadhaar and RTI, setting up a regulator and imposing strict terms for storage.
The draft comes after a year of deliberations by the panel headed by former Supreme Court judge, Justice B N Srikrishna, and at a time when a Constitution Bench of the apex court has reserved its judgment on a clutch of petitions challenging the validity of the Aadhaar unique ID system.
The draft sets the stage for a Data Protection Act, which the government will begin working on while keeping the committee’s recommendations as a basis, Union Minister of Law & Justice and Electronics & Information Technology Ravi Shankar Prasad said. Pointing out that the report will go through the process of inter-ministerial consultations as well as Cabinet and parliamentary approval, Prasad said: “It is a monumental law and we would like to have widest parliamentary consultation…We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation.”
Speaking to reporters after submitting the report, Justice Srikrishna said there were three aspects to the committee’s report. “Citizens must come at the top. The interest of the citizen must be protected at any cost. Simultaneously, the state has some responsibilities and finally the protection cannot be at the cost of trade and industry,” he said.
“This framework is similar to buying new shoes. At first, it will be tight but will become comfortable later,” he said.
Among various measures, the 10-member committee, which was constituted on July 31 last year, has suggested moves to safeguard personally sensitive information, make provisions for localised storage of data and ensure consent for processing of data.
The committee’s report states that the Aadhaar Act “needs to be amended significantly to bolster privacy protections and ensure autonomy of the UIDAI” — Unique Identification Authority of India, the nodal authority for the Aadhaar project. It lists the impact of the proposed data protection framework on allied laws, including the Aadhaar Act and the RTI Act, which require or authorise processing of personal data for different objectives.
Under the proposed law, a Data Protection Authority (DPA) is envisaged as an independent regulatory body that will be responsible for the enforcement and effective implementation of the law. “Broadly, the DPA shall perform the following primary functions: (i) monitoring and enforcement; (ii) legal affairs, policy and standard setting; (iii) research and awareness; (iv) inquiry, grievance handling and adjudication,” the report noted.
The committee has recommended two broad sets of amendments to the Aadhaar Act that aim to bolster the right to privacy of individuals and to ensure the autonomy of the UIDAI. In total, the committee has suggested 16 amendments to the Aadhaar Act.
However, since the Supreme Court is yet to pronounce its judgment in the Aadhaar case, the report states that no comments have been made on the merits or demerits of the arguments centered around Aadhaar and the possibility that creating a database of residents would be “antithetical” to a “well-functioning data protection regime”.
In its analysis of the issues pertaining to the autonomy of the UIDAI, the committee noted that the Aadhaar Act is silent on the powers of the UIDAI to take enforcement action against errant companies in its ecosystem.
“This includes companies wrongly insisting on Aadhaar numbers, those using Aadhaar numbers for unauthorised purposes and those leaking Aadhaar numbers, all of which have seen several instances in the recent past. Each of these can affect informational privacy and requires urgent redressal,” the report said. UIDAI CEO Ajay Bhushan Pandey was a member of the committee.
Similarly, the report has also recommended amendments to the RTI Act, pointing out that disclosure of information from public authorities “may lead to private harm being caused”. “It is thus important to recognise, in this context, there is a conflict of fundamental rights, between transparency and privacy…The fact that neither the right to privacy nor the right to information is absolute and will have to be balanced against each other in some circumstances has been recognised by the Supreme Court,” the report said.
Section 8(1)(j) of the RTI Act, which the report has highlighted, exempts the public information officer from disclosing any information which relates to personal information, which has no relationship to any public activity or interest, or which would cause unwarranted invasion of privacy of the individual.
The committee has recommended an amendment to this section and said that clarity is needed on when the section will be activated to harmonise the standard of privacy employed with the general data protection statute.
Besides, the committee said it has identified 50 statutes and regulations that have a potential overlap with the data protection framework and that the ministries concerned should ensure appropriate consultations to make the necessary complementary amendments.
On the issue of data localisation, the report has identified circumstances under which data has to be mandatorily stored in India and cases where it can be stored with mirroring provisions. Recognising the benefits of cross-border data flow and its importance to the digital economy, the committee said that there should be a mandate to store and process personal data in India in certain categories that are critical to the nation’s interests.
It says the central government should determine the categories of personal data for exclusive storage in India “not just with regard to enforcement but also strategic interests of the State”. However, it has also laid down exceptions with regard to personal data relating to health, which can be permitted for overseas transfer for reasons of prompt action or emergency.
The draft Bill also lays down penalties for failure by data fiduciaries to comply with the provisions of the law to a maximum of Rs 15 crore or 4 per cent of a company’s global turnover in the preceding financial year. The penalties paid by violating entities in this case will be deposited to a Data Protection Fund, which will, among other purposes, finance the functioning of the Data Protection Authority.
Hours before the final report was submitted to the government, the industry’s only representative on the panel, Rama Vedashree, head of Data Security Council of India, sent a dissent note to the committee, in which she has disagreed with three provisions of the Bill.
The first pertains to restrictions on cross-border flow of personal data. “This approach is not only regressive but against the fundamental tenets of our liberal economy,” Vedashree noted.
Secondly, Vedashree expressed her disagreement on categorisation of financial data and password as sensitive personal data, and thirdly noted her reservations on the inclusion of provisions in the bill treating violations as criminal offences. “The inclusion of criminal offences along with the fines and compensation is excessive and would impact the enforcement mechanism greatly,” she said.
The requirement to store one live, serving copy of personal data in India has been opposed by IIM Indore Director Professor Rishikesha T Krishnan, who said that it was against the basic philosophy of the Internet and imposes additional costs on data fiduciaries without a proportional benefit in advancing the cause of data protection.
Krishnan also said the observations and recommendations regarding the Aadhaar Act were outside the scope of the committee’s work.
Welcoming the Srikrishna committee’s recommendation, Commvault area Vice-President of India and SAARC region, Ramesh Mamgain said, “The report released by Justice BN Srikrishna-led committee for the data protection law is a welcome step. The committee’s recommendation for setting up a Data Protection Authority (DPA) which will be responsible for monitoring, enforcement, standard setting, awareness creation and grievance handling is a reflection of a comprehensive approach towards data management in India.”
Mamgain further said, “Several instances of data leaks on both individual as well as organisational level that have taken place in the past had created an alarming situation across the country. With the regulation taking form, citizens of the country can now be assured of the safety of their sensitive data. Similar to European Union’s GDPR, the Data Protection Law in India is a much-needed regulation which will institutionalise processes for organisations across all sectors to better manage both primary and secondary.”