The Justice BN Srikrishna committee has submitted its report on data protection to IT Minister Ravi Shankar Prasad. Titled, “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians”, the report was submitted during a press event at the IT Ministry, along with a draft Data Protection Bill.
After months of speculation about its release and a string of delays, the report will now be reviewed by Prasad and forwarded to Prime Minister Narendra Modi.
Highlights From the Report and Bill
The ten-member committee was tasked with studying and identifying key data protection issues and recommend methods for addressing them. Here are the some of the highlights from the report and Bill:
Restrictions on Processing and Collection of Personal Data
The committee recommends that processing (collection, recording, analysis, disclosure, etc) of personal data should be done only for “clear, specific and lawful” purposes. Only that data which is necessary for such processing is to be collected from anyone.
Processing of Personal Data for “Functions of the State”
One of the more problematic suggestions of the committee is that they suggest that your personal data may be processed by the government if this is considered necessary for any function of Parliament or State Legislature. This includes provision of services, issuing of licenses, etc. On the face of it, this looks extremely vague and could lead to misuse.
Right to be Forgotten
The committee recommends giving “data principals” (persons whose personal data is being processed) the ‘right to be forgotten’.
This means they will be able to restrict or prevent any display of their personal data once the purpose of disclosing the data has ended, or when the data principal withdraws consent from disclosure of their personal data. In the EU, this has been used by people to get unflattering records of them on news websites taken down after the matter is no longer a matter of public interest.
This right is one of several given to data principals, including the right to confirm what information is being held or disclosed about them, and to get this corrected if necessary.
Personal data will need to be stored on servers located within India, and transfers outside the country will need to be subject to safeguards. Critical personal data, however, will only be processed in India.
Processing of Sensitive Personal Data to Require Explicit Consent
The Committee recommends that “sensitive” personal data (such as passwords, financial data, sexual orientation, biometric data, religion or caste) should not be processed unless someone gives explicit consent – which factors in the purpose of processing.
So, if you have disclosed your sexual orientation in a survey where you were told it would be used to assess the numbers of people with such orientation in a particular place, your name and orientation cannot then be sent to an advertising agency to send you targeted ads, as this is different from the purpose you had agreed on.
Data Protection Authority
The Committee has recommended setting up a Data Protection Authority which is supposed to “protect the interests of data principals”, prevent misuse of personal data and ensure compliance with the safeguards and obligations under the data protection framework by corporations, governments or anyone else processing personal data (known as “data fiduciaries”). The obligations on data fiduciaries include conducting audits and ensuring they have a data protection officer and grievance redressal mechanism – the Authority will need to publish Codes of Practice on all these points.
The Authority shall have the power to inquire into any violations of the data protection regime, and can take action against any data fiduciaries responsible for the same.
Aadhaar Act Amendments
The Committee has suggested recommendations to the Aadhaar Act 2016 to ensure autonomy of the UIDAI and “bolster data protection”. These include offline verification of Aadhaar numbers and new civil and criminal penalties – though the ability to file complaints will remain with the UIDAI alone.
RTI Act Amendments
The Committee recommends the amendment amend section 8(1)(j) of the RTI Act that pertains to the disclosure of personal information in the larger public interest. The old 8(1)(j) said there would be no obligation to reveal personal information which was not related to “public activity or interest”, or would be an invasion of privacy. The new 8(1)(j) looks at a balancing act between the public interest in accessing the information on one hand, and the harm that could be caused to the data principal on the other.
Will the Data Protection Bill be Introduced in Parliament?
Prior to the release of the report, there was speculation that the draft Data Protection Bill – the implementation of the recommendations – would be introduced by the Central Government in the current session of Parliament. However, comments by IT Minister Ravi Shankar Prasad at the time of the launch indicate that it will be some time before it becomes actual law.
“Being a very monumental law, I’d like to have the widest parliamentary consultation possible,” Prasad had said at the time, adding that the Bill would go through multiple stages before reaching Parliament.
While this seems to indicate there will be proper scrutiny of the eventual law, the committee, however, has been plagued with controversies since its inception – over its seeming lack of transparency in its functioning, the lack of civil society representation in the committee, and the lack of a proper public consultation process.
On 24 July, The Quint had reported on the manner in which the Ministry of Electronics and Information Technology had repeatedly rejected RTI queries for information on the meetings of the committee. According to details that have emerged from the RTI responses, the committee met seven times between September 2017 and May 2018.