Over the last year or so, concerns over data security and privacy have heightened in India. It’s a crucial question for a country that lacks a comprehensive privacy law as well as a proper data protection policy. With the implementation of the stringent General Data Protection Regulation (GDPR) in Europe from May this year, data protection has become an imperative for India, given that India is increasingly looking towards Europe to do business.
In this light, the recommendations of the Justice B.N. Sri Krishna Committee on data protection come at an important juncture. The committee, which has been deliberating over the issue of data privacy and protection for over a year, came out with a set of recommendations that have the potential to establish the foundation of a GDPR-like data privacy and protection policy in India.
“In the backdrop of Aadhaar, DNA profiling, the two roadmaps for artificial intelligence, the TRAI’s recommendations on privacy, data ownership in the telecom sector, the India Health Stack as well as international developments such as the CLOUD Act, the e-evidence directive and GDPR, the Bill and report are important developments in signalling to national and global communities India’s position on privacy and how it intends to go forward from the Puttaswamy Judgement (on data privacy),” says Elonnai Hickok, COO with the Centre for Internet and Society (CIS).
The main recommendations of the panel include the explicit consent of an individual for the use of private data, the setting up of a regulator and, most crucially, giving Indian citizens the right to be forgotten, that is, the right to have one’s data erased and go completely off the radar.
Obviously, the implications of the recommendations would run across all who deal with public data and change the rules of the game. “The recommendations may have a significant impact on the functioning of businesses and government bodies (like Aadhaar) on the processing of personal data or personally identifiable information (PII) of individuals, considering that it gives a broad coverage for both public and private entities, including cross border processing of data and also enforces requirements of lawful processing,” says Prashant Gupta, partner, Grant Thornton India LLP.
According to legal expert and privacy activist Usha Ramanathan, though the Bill and the panel report explicitly talk about personal data and privacy of data, the focus is on the business of data. More specifically: “It is about doing business using data rather than just data protection,” she says. This has become more important with the debates regarding the use of the Aadhaar number for various government and private services such as getting a mobile connection where the private company is given access to a person’s biometric data.
Still, the committee clearly defines boundaries for data collection and use and states that individual data can be used only after the ‘data principal’, the person whose data is being used, gives ‘explicit consent’ for the use of that data. It also states that once the primary purpose of that data is fulfilled, the party using the data has to remove or erase it. However, the roadmap for doing this has not been clearly defined.
“The Committee has put in place clear limits on what data can be collected, how it can be used and how long it may be stored,” says Amba Kak, policy advisor, Mozilla. “These rules borrow heavily from the European GDPR, and that makes sense, given that years of thought and consultation have gone into distilling these foundational principles.”
Most importantly, she says, “The Bill also makes improvements on the GDPR. It allows for data processing for ‘reasonable purposes’. While similar in intent to the GDPR’s ‘legitimate interest’ ground, the Bill provides specific conditions on the basis of which data may be processed, as well as an illustrative list of categories. We think this is an improvement on the GDPR standard, which can ‘easily be abused by companies’ who may argue that ‘innovation’ itself is always a reasonable pursuit, even when it may put the privacy of users at risk.”
One key recommendation of the panel is localisation of data. It suggests that all data belonging to Indian individuals has to reside on Indian servers and in India. At present, a majority of our data resides on servers in other countries, which makes it vulnerable to access by authorities of other countries and unscrupulous elements. But by having the data reside in India, it will be accessible to the Indian government and authorities, which may go against the overall principles of privacy, especially as the panel gives a broad permission for government use of all data. Also, this could impact business in India and the potential for India to enter into agreements under the CLOUD Act.
“The focus is data localisation because the government wants to have control over the data. Even if the data is held abroad, the government wants a copy to be in Indian servers,” says Ramanathan. “If the home ministry can access everything, the purpose of privacy is lost. The Bill gives the government the right to override the clauses and access data, which nullifies the entire exercise.”
In a first, the committee headed by Justice Sri Krishna hopes to give India proper data security laws.
Nasscom and the Data Security Council of India (DSCI) were quick to respond to this. In a statement they said: “Mandating localisation of all personal data is likely to become a trade barrier in key markets. Startups from India going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets.”
Interestingly, this is not the first committee to make recommendations on data privacy. In 2012, the A.P. Shah Committee also gave its recommendations when the UID debate was at its height. However, while it spoke about data protection, the privacy argument was rather weak at that time.
Some experts feel that the proposal to establish an independent Data Protection Authority would add another layer of bureaucracy even if it brings in a dedicated body to look at data privacy and protection. Also, there is still ambiguity about its scope and functions. Analysts say the independence of the adjudicatory authority and appellate tribunal responsible for legal proceedings related to data protection violations is severely lacking. The qualifications and nominations of those serving in these bodies are entirely prescribed by the government, as are the procedures of the bodies themselves. The current system delegates far too much authority to the central government. So it remains to be seen if the new regulator can address these issues.
One of the key suggestions is the right of Indian citizens to be forgotten, which essentially means that a data principal can withdraw or erase personal data. While this is a welcome step towards protecting personal data, it is a gargantuan task. First, India has no privacy law and no sense of privacy, as citizens routinely open their hearts on social media. Second, there are multiple citizens’ IDs, including Aadhaar, PAN card, Passport, Driver’s licence and Voter ID card. To erase data from all these sources will not be easy.
“The right to be forgotten is a radical recommendation,” says IT expert and former HP marketing head Lloyd Mathias. “Across Europe it is a fundamental right. While the principle is fantastic, how will it be implemented? It would be difficult with the presence of multiple ID documents and the lack of a proper privacy framework.”
Then there will be provisions like the data quality provision, which requires data fiduciaries to ensure that data is not misleading and that fact is separated from personal opinion. Making this assessment will be an implementation nightmare.
As of now, the committee has touched on most sensitive points of data protection and privacy but has not defined the roadmap for achieving many of them. There are also ambiguities in how data will be used by the government, how citizens will protect their data and who will bear the cost of this. The government will now have to clear the air and define these in the final Bill so that India too can have legislation comparable with Europe’s GDPR, which has set standards across the world.