The Good, Bad and Ugly on India's Template for How Your Data Will be Protected

While the draft bill lays the beginnings of a solid foundation, there are troubling landmines that must be defused and debated before it is sent to Parliament.

New Delhi: After nearly a month’s delay, the Justice Srikrishna committee on data protection submitted its report and a draft bill to the IT ministry on Friday.

The report is a sprawling, nearly 200-page document that highlights the committee’s thought process in drafting the data protection framework, the reasoning behind its decisions, the dilemmas that it struggled with and the academic and non-academic sources that it drew upon.

The draft bill – which lays down the rights of ‘data principals’ (Indian citizens), proposes the creation of a data authority to enforce the Act, and sets penalties for violations by ‘data fiduciaries’ (public and private sector entities that collect, process and store data) – is a template that could be modified depending on what further consultations or steps the Narendra Modi government intends to take before introducing it in parliament.

At a press conference on Friday afternoon, IT and law minister Ravi Shankar Prasad indicated that it would go through inter-ministerial consultation before being sent for cabinet approval.

“There are more steps for further debate and stakeholder comments. The entire parliamentary process will be followed,” Prasad said, without giving details on whether it planned on introducing its draft bill by the winter session of parliament.

While the Justice Srikrishna committee has been criticised by activists and civil society stakeholders for its lack of transparency, on Friday the retired judge hit back, insisting that he was an “open, transparent man”.

“I’m an open, transparent man but that doesn’t mean I will keep the windows of my bathroom open while having a bath,” Srikrishna said.

To better understand the issues at stake, The Wire breaks down what’s significant, what’s weak and what’s potentially troubling.

Defining user data and user’s rights

The draft bill defines data in two different ways. The first is ‘personal data’, which is “data about or relating to a natural person…”. An all-encompassing tag of sorts.

It also carves out a second and separate category for “sensitive personal data” which goes in-depth and covers everything from passwords to financial data. This includes: health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief.

The consent that ‘data fiduciaries’ must obtain for collection and processing of personal data has to be ‘informed’, ‘specific’, ‘clear’ and ‘capable of being withdrawn’.

For sensitive personal data, the consent standards are higher and more detailed. For instance, the data fiduciary should make sure that the individual is “given the choice” of separately consenting to the “use of different categories of sensitive personal data relevant to processing” and that they should understand that the processing of this data “may have significant consequences” for them.

The bill also goes on to list a host of rights that individuals have with regard to their data. These include: the ‘right to confirmation’ (is a company or a government department using my data?), the ‘right to correction’ (correction, completion or updating of inaccurate personal data), the ‘right to portability’ (can I force Zomato to give me my order history data and then give it to Swiggy?) and the ‘right to be forgotten’ (can I ask Google to delete a search engine result that’s about me?).

What’s good and bad: The expanded definition of sensitive personal data to include health, financial and sex-related information is important and is a welcome step.

However, as a few privacy commentators have pointed out, the bill doesn’t lay down the golden principle of allowing individuals to be true owners of their own data. There is no right to erasure, only a limited right to be forgotten that is saddled with a bureaucratic process (more on this below). And at the moment, there appears to be a confusing clause where liability for withdrawal of consent is placed on the individual in question.

Putting restrictions on ‘data fiduciaries’

If the user part of the bill is a little lacking, the bill’s focus appears to be on fixing stronger accountability on data fiduciaries, or companies and government departments that collect and handle your data, and how they must act.

Broadly speaking, the rules that these entities now have to follow or comply with are broken down into three categories.

There are theoretical safeguards: All data fiduciaries must design their systems with privacy in mind and ensure that appropriate security standards have been taken. If it’s found later that there was negligence at any step, the company can be punished.

There are also compliance requirements: All companies and government departments that handle data must notify the Data Protection Authority of India (DPA) of any breach of personal user data. As The Wire has pointed out, this has been sorely lacking within India’s digital ecosystem and thus is a welcome move. The DPA will decide if the fiduciary is required to make this breach public and what the accompanying fines will be.

Additionally, all data fiduciaries will have to undertake annual data audits by an independent auditor. They will also have to appoint a ‘data protection officer’, who will be an employee within their own organisation, to ensure that all of their data processing activities are in compliance with the provisions of the bill.

Finally, there are data localisation requirements: the bill states that all data fiduciaries “shall ensure the storage, on a server or data centre located in India of at least one serving copy of personal data to which this Act applies”.

Put simply, private companies which deal with the personal data of Indian citizens will have to store a copy of that data in India. This will have significant consequences for Silicon Valley-based giants who store the data of their Indian users primarily in the United States, Europe or Singapore.

The bill goes on to note that the Centre will notify further categories of personal data, called “critical personal data”, which can only be stored in India.

What’s good: The bill is quite strict on how companies and government will be treated if they are found to have committed offences under the Act (the two primary ones being obtaining/selling data contrary to the Act, and re-identification and processing of de-identified data).

While government departments and state governments have been let off lightly for leaking personal data in the past, the Srikrishna bill cracks the whip. It notes that if any offence is committed by a department of the central or a state government, the “head of the department or authority shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly”. This ensures that the blame isn’t passed off onto a lower-level government officer.

What’s ugly: The pro-state or pro-government argument for data localisation is that storing data within a country’s borders prevents it from being spied upon by foreign nations. However, the Justice Srikrishna committee hasn’t gone that far – all it asks is that companies store a copy of Indian citizen data within India. This means the data can still go back to the US or China.

As some privacy experts have noted, this doesn’t appear to be aimed at protecting Indian data from foreign eyes. It instead looks more like an attempt at making sure the Indian government will be able to access the data of Indian citizens more easily, without having to wrestle Silicon Valley-based companies and the US government for it. When you combine this with the fact that there is nothing in the draft bill on reforming India’s mass surveillance apparatus, it becomes concerning.

Additionally, the bill also lays out that the data protection authority will decide if data breaches will be disclosed to the users that have been affected. As The Wire has reported, Indian companies and government agencies are more than happy to be quiet about their lax security standards. Affected users should have a legal right to know if their data has been compromised, as they have in the United States.

The Data Protection Authority of India

To enforce all of the above, the Centre, by way of a notification, will set up the Data Protection Authority of India, a body that will have meaningful power to monitor and enforce the provisions of the data protection bill. It will also fill some of the more meaningful gaps between the bill’s vision and actual regulation.

The authority will have a chairperson and six members, the former of which will be appointed by the Centre on the recommendation of a panel headed by the Chief Justice of India.

It will, quite simply, have the power to issue directions, call for information, launch inquiries, levy penalties and in extreme cases even “temporarily suspend” or discontinue the business activity of a data fiduciary or data processor.

The penalties that can be levied are divided into two major categories:

1) If a data fiduciary doesn’t follow through on compliance requirements, it can be fined up to Rs 5 crore or 2% of its worldwide turnover, whichever is higher.

2) If it doesn’t comply with the standards for processing personal or personal sensitive data it can be fined up to Rs 15 crore or 5% of its total worldwide turnover, whichever is higher.

Then there are a host of other penalties for more minor violations such as refusing to comply with an individual’s request (Rs 5 lakh maximum).

The bad: As with most seemingly autonomous regulatory institutions, the fact is that the data protection authority could be captured by the government (central appointments with 5-year-terms). The bill calls for a separate appellate tribunal to be set up that will hear appeals made against DPA orders. The head and members of this tribunal, as is the norm, will be subject to rules of qualifications, term of office and renewal by the Centre.

On Aadhaar and state surveillance

On these two subjects, there has been a certain amount of trepidation from privacy activists and a section of civil society stakeholders.

For instance, Section 13 of the proposed data protection law clearly notes that personal data may be processed if needed for the “provision of any service or benefit to the data principal from the state”, which covers Aadhaar numbers. This essentially means that consent is not required in these cases.

Section 19 does the same for sensitive personal data which appears to cover Aadhaar authentication (biometric data processing).

Processing of sensitive personal data for certain functions of the State. —

Sensitive personal data may be processed if such processing is strictly necessary for:

(a) any function of Parliament or any State Legislature.

(b) the exercise of any function of the State authorised by law for the provision of any service or benefit to the data principal. (Section 19)

However, as at least one privacy expert pointed out, the European Union’s privacy regulations (the GDPR) also allow for derogation of national identification numbers.

It is unclear to what extent these consent exemption clauses protect the Aadhaar programme, which is currently under Supreme Court judicial review.

On the other hand, in the report that the Srikrishna committee produced (the 200-page document), it makes multiple observations on Aadhaar, the UIDAI ecosystem and its security problems. It acknowledges that the UIDAI has struggled to take enforcement action against “errant companies in the Aadhaar ecosystem”, but chalks it up to a lack of proper enforcement powers.

To this end, the committee suggests two proposed amendments to the Aadhaar Act, which, incidentally, don’t find a place in the draft bill. The first is to give more teeth to UIDAI by allowing it to “impose civil penalties on various entities” and “issue directions as well as cease and desist orders to state and private contractors”. These entities and contractors, as The Wire has reported, have significantly damaged the trust around the Aadhaar ecosystem.

Secondly, the Srikrishna committee recommends splitting the process of Aadhaar authentication into two: the first would still retain how it was meant to be done, but would be restricted only to entities that “perform a public function”. Other entities who still require some form of identification would use a new system of verifying the “identity of individuals offline”.

On mass surveillance

What has sparked some concern amongst privacy scholars and activists is the number of exemptions the proposed bill offers to processing of data without consent. Of particular concern are the exemptions offered to the state, which are allowed if authorised by a separate law enacted through Parliament.

While some of the consent exemptions are benign — such as for “journalistic” or “research and archiving” purposes — others deal with what the committee believes are legitimate state needs including “security of the state” and “prevention, detection, investigation and prosecution of contraventions of law”.

The Srikrishna committee report, however, is likely the toughest any government-backed document has been about state surveillance. It notes that the Centre must “carefully scrutinise the question of oversight of intelligence gathering” and “expeditiously bring in a law to this effect”.

“The design of the current legal framework in India is responsible for according a wide remit to intelligence and law enforcement agencies. At the same time, it lacks sufficient legal and procedural safeguards to protect individual civil liberties. Much intelligence-gathering does not happen under the remit of the law, there is little meaningful oversight that is outside the executive, and there is a vacuum in checks and balances to prevent the untrammeled rise of a surveillance society,” the report notes.