Friday’s Srikrishna data protection report emphasises individuals’ constitutional rights over their data, unlike the recent set of TRAI recommendations that focused on individual data ownership.
While both include individual consent to what companies and governments do with one’s data, Srikrishna’s recommendations go further in legally limiting what these entities do with that data regardless of consent.
Central to the Srikrishna report is that data is protected when data fiduciaries (entities that collect and process individuals’ data) are obligated to limit their data collection to specific and lawful purposes. The TRAI paper, released almost three weeks ago, very briefly mentions these concepts of “purpose limitation” and “collection minimisation,” but largely leaves legislation on company and government responsibility to the committee.
Also, unlike the TRAI suggestions, the Srikrishna report mentions that entities must maintain the quality and security of the data.
Despite the conceptual difference between ownership and rights, some specific recommendations do align. The two agree on what is considered personal data (essentially data that identifies the individual) and sensitive personal data (a specific list of categories such as passwords, finances, health information).
Both documents give users the right to port their data to other services (data portability) and to delete data about oneself (right to be forgotten), but the Srikrishna committee goes further to give the individual the right to correct data about oneself.
The Srikrishna report also covers the subject of children’s data, barring any profiling, tracking, monitoring, or other data processes that could cause harm to anyone under 18 years old.
While both specified conditions for notifications in the event of a data breach, the TRAI recommendations included the concept of a common platform for disclosing data security breaches.
The TRAI report made specific directives to device manufacturers, including allowing the user to delete a pre-installed application and disclosing terms and conditions before the sale of the device, which were not discussed in the Srikrishna report. Also, the TRAI’s discussion of a data sandbox, or a testing environment that anonymises data for experimenting with new products, was not in the Srikrishna report.
The TRAI did not make concrete recommendations on exceptions to the law and the flow of data across borders — two of the most heavily discussed concepts of the Srikrishna draft. The TRAI paper did state, however, that the country’s data protection framework should apply equally to government and private entities.
Some questioned the TRAI’s inclination to influence the Srikrishna committee during the latter’s drafting of the data protection law, highlighting the Authority’s restricted jurisdiction. While the Authority is only mandated to regulate TSPs, it made many recommendations in this report for “all entities” rather than only telecom service providers.