Srikrishna On Data Protection: Need to Examine Both Bill & Report
On 27 July, the Ministry of Electronics and Information Technology accepted the finalised result of the deliberations of an expert committee on data protection chaired by retired Supreme Court Justice BN Srikrishna. The end products of the year of work done by this expert committee were two documents: a draft bill on personal data protection and the full report of the expert committee along with several annexed recommendations (with the total document running into just over 200 pages).
Any bill, or other legislative recommendations, should ideally go through pre-legislative consultation as per the 2015 Pre-legislative Consultation Policy, followed by Union Cabinet review before being submitted to Parliament. Parliament itself has several ways to further study and deliberate on the Bill, including institutions such as departmental standing committees and select committee (specially set up to study a specific bill or subject by any one house of Parliament), though the record of allowing for committee review of legislation over the term of the present NDA government has been noted to be poor.
At the outset itself however, the Srikrishna Committee's end product is worth deeper review beyond the immediate press headlines or the forecasting of what the Union Government may finally send to Parliament. Both documents are worth detailed review, particularly given that there are things written in the report which have not been included in the draft data protection bill.
Most expert committee reports of course contain broader explanatory text and background research which would not be included in a draft bill. And the Srikrishna Committee report does weigh a bit towards the verbose end of the scale.
It includes considerable reference to international law reviews and journals as well as citations to publications and draft opinions from the Article 29 Working Group in Europe – a collective of Europe's different national data protection authorities that operated informally prior to the coming into force of the recent European Union General Data Protection Regulation.
Choosing To Not Look At the Past
The committee report is interesting in what it does and does not include.
The expert committee appears to make no mention of the history and previous work of earlier attempts to create privacy and data protection frameworks in India. There appears to be no formal referencing to the recommendations issued in 2012 by the Justice AP Shah chaired expert committee on privacy to the erstwhile Planning Commission, nor any mention of the 2010 approach paper on a privacy law for India published by the Department of Personnel and Training or the draft Privacy Bill developed by them interdepartmentally across 2011-15 for the Union Government.
In effect, the Srikrishna Committee appeared to take the Latin maxim of tabula rasa – ie "blank slate" – quite seriously, and appeared to not want to refer to previous efforts. Interestingly, the expert report also makes no mention of the different private members bills on privacy filed across 2009 to present by Members of Parliament on their own initiative, nor does it expressly study or deliberate on the recommendations issued earlier this month by the TRAI on privacy, security, and ownership of data in the telecom sector.
Structure of Data Protection
The bulk of the Srikrishna Committee report is on specifying the extent of a legal framework for data protection in India, how it can be claimed, a regulatory structure in the form of a Data Protection Authority, and the several exceptions it suggests to these rules in certain cases.
The initial text of the report spends some time in trying to indicate that it wants to move beyond the existing international terminology in data protection law, and why it hence chooses to use the terms “data principals” and “data fiduciaries” instead of the usual “data subjects” and “data controllers”, respectively.
The education, policy setting, investigation, enforcement, and adjudication functions for data protection are nearly all provided to one single national regulatory agency, which the Srikrishna Committee chose to name as the Data Protection Authority of India. Established by the Central Government, the DPA would be managed by a Chairperson and six members, selected by a committee composed of the Chief Justice or another Supreme Court Justice nominated by him, the Cabinet Secretary, and one "expert of repute" appointed by the judicial member of the committee in consultation with the Cabinet Secretary.
Interestingly, the expert committee says that this is the best practice followed by other regulators and cites to the different statutes that respectively establish the CCI, SEBI, TRAI, and IRDA – even though the language on selection of regulator members varies significantly across these different acts. Who actually does the everyday work of any regulator is important.
The expert committee report speaks to different wings and types of staff that they envisage for the proposed DPA, but the draft bill only refers to its commissioners and the appointment of "adjudicating officers"– which the report speaks of with respect to an Adjudication Wing of the DPA. By way of contrast, the Competition Commission of India includes a statutory mandate to create a Directorate General of Investigations in order to create a higher degree of separation between the final decision-finalisation level of the regulator and its everyday staff.
There is no requirement in either the report or the draft bill of judicial members. Besides that potentially being in violation of existing Indian case law from the High Courts and Supreme Courts on the functioning of tribunals, a lacuna of that form would also likely in conflict with the Puttaswamy ruling, particularly since Justice Rohinton Nariman's opinion in that judgment indicated that making decisions on intrusion into privacy is one that involves a judicial role.
It appears that the Srikrishna Committee believes that the Central Government should be allowed to decide the appellate tribunal process completely, partly because it might decide to fold it into an existing regulator. In doing so, it might have been trying to follow the controversial decision taken in the Finance Act of 2017 to merge several appellate tribunals, and may have envisaged that any appeals from a DPA should go to the Telecom Dispute and Settlement Appellate Tribunal (TDSAT) rather than spell out a clear appellate structure itself.
Understanding The Committee's Decisions And Legislative Priorities
As has been explained by Vrinda Bhandari in a previous piece here on The Quint, the draft bill does not propose any specific measures to more directly consolidate or update Indian law regarding surveillance and communications interception by law enforcement and intelligence organisations. The expert committee report is interesting in this regard, because it acknowledges that post the Puttaswamy ruling, many existing practices and legal measures regarding surveillance in India may not match the constitutional tests outlined by the Supreme Court to protect the fundamental right to privacy.
The expert committee even lists the Telegraph Act, Telegraph Rules, Information Technology Act, and several criminal procedure related statutes as likely needed changes. But it not only does not include amendments or other proposed legal measures to override these earlier laws in the draft Data Protection Act, it does not even develop any broad legislative language on this besides saying that perhaps district judges should be given the job of deciding interception requires and that consolidated reports on such surveillance and interception actions should be provided to Parliament.
That is striking, given that it did spend time proposing amendments to the Aadhaar Act and further prioritised amendments to the Right to Information Act.
The expert committee report did chose to provide detailed recommendations on Aadhaar. Its section on Aadhaar acknowledges that several existing provisions of the Aadhaar Act required fixes and reform, ranging from legal recognition of virtual tokenised IDs in place of Aadhaar numbers to drastically reducing the legality of online authentication of Aadhaar by private players and others.
The expert committee has produced a an appendix with detailed language for amendments to the Aadhaar Act. But interestingly, it does not include this in the draft bill itself, though it does include a schedule to the draft bill with specific language on proposed amendments to Section 8(i)(j) of the Right to Information Act.
In effect, it appears that the Srikrishna Committee did not see making these amendments to Aadhaar - one of the largest sensitive datasets in the country and the likely the largest government "data fiduciary" – as much of a compelling objective on their end even in comparison to outlining amendments to the RTI Act.
(Raman Jit Singh Chima is Policy Director at Access Now, an international digital rights advocacy and policy group, and a co-founder of the Internet Freedom Foundation. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)