Data Privacy: Srikrishna Committee Report: RSTV – The Big Picture

Rajya Sabha TV programs like ‘The Big Picture’, ‘In Depth’ and ‘India’s World’ are informative programs that are important for UPSC preparation. In this article, you can read about the ‘The Big Picture’ episode on the Srikrishna Committee Report for the IAS exam.

Participants:

Anchor: Frank Rausan Pereira
Speakers: Justice B N Srikrishna (Retd.), Chairman, Committee on Data Privacy; Karnika Seth, Cyber Law Expert; Srijan Pal Singh, IT Expert; N.K. Goyal, Chairman, Telecom Equipment Manufacturers Association

Why in the news?

  • Recently, a high-level panel on the data protection framework submitted its report to the government, suggesting steps for safeguarding personal information, defining the obligations of data processors as well as the rights of individuals, and mooting penalties for violations.
  • Headed by Justice B N Srikrishna, the panel handed the report to IT Minister Ravi Shankar Prasad, wrapping up nearly one year of deliberations that touched upon sensitive and controversial issues. Justice Srikrishna said privacy has become a burning issue and therefore every effort has to be made to protect data at any cost.
  • He added that the report straddles three aspects – citizens, the state and the industry. He stated that this report is the first step and that, as technology changes, it may become necessary to fine-tune the law in keeping with those changes. On this edition of ‘The Big Picture’ we analyse data privacy and the suggestions of the Srikrishna Committee Report.

Analysis by the Experts:

What are the salient features of the Justice Srikrishna Committee Report?

  • The committee recommends that processing (collection, recording, analysis, disclosure, etc.) of personal data should be done only for “clear, specific and lawful” purposes. Only that data which is necessary for such processing is to be collected from anyone.
  • It recommends the processing of Personal Data for “Functions of the State”.

This particular recommendation has been widely debated as one of the more problematic suggestions of the committee. It suggests that your personal data may be processed by the government if this is considered necessary for any function of Parliament or a State Legislature. This includes the provision of services, the issuing of licences, etc. Prima facie, this appears to be vague and could lead to misuse.

  • Right to be Forgotten: The committee further recommends giving “data principals” (persons whose personal data is being processed) the ‘right to be forgotten’. This means that these people would be able to restrict or prevent any display of their personal data once the purpose of disclosing the data has ended, or when the data principal withdraws consent from disclosure of their personal data. When we look at an international perspective, we find that in the EU, this has been used by people to get records of themselves on news websites that show them in poor light, taken down after the matter is no longer a matter of public interest. This right is one of several given to data principals, including the right to confirm what information is being held or disclosed about them, and to get this corrected if necessary.
  • Data Localisation: A copy of all personal data is to be stored in India. Critical personal data can only be stored on Indian servers. It further suggests that cross-border transfers of data be subject to model contract clauses.
  • Processing of Sensitive Personal Data would require Explicit Consent: The Committee recommends that “sensitive” personal data (such as passwords, financial data, sexual orientation, biometric data, religion or caste) should not be processed unless the person gives explicit consent. To illustrate this with an example, if you have disclosed your sexual orientation in a survey where you were told it would be used to assess the number of people with such orientation in a particular place, your name and orientation cannot then be sent to an advertising agency to send you targeted ads, as this is different from the purpose you had agreed to.
  • Data Protection Authority: The Committee has recommended setting up a Data Protection Authority which is supposed to “protect the interests of data principals”, prevent misuse of personal data and ensure compliance with the safeguards and obligations under the data protection framework by corporations, governments or anyone else processing personal data (known as “data fiduciaries”). There are certain obligations on data fiduciaries as well. These obligations on data fiduciaries include conducting audits and ensuring they have a data protection officer and grievance redressal mechanism – the Data Protection Authority will need to publish Codes of Practice on all these points. The Data Protection Authority shall have the power to inquire into any violations of the data protection regime, and can take action against any data fiduciaries responsible for the same.
  • Aadhaar Act Amendments: The report further recommends amendments to the Aadhaar Act 2016, in an effort to ensure the autonomy of the UIDAI and “bolster data protection”. These recommendations include the offline verification of Aadhaar numbers and new civil and criminal penalties; the ability to file complaints will remain with the UIDAI alone.
  • RTI Act Amendments: The Committee recommends the amendment of section 8(1)(j) of the RTI Act, which pertains to the disclosure of personal information in the larger public interest. The old provision, section 8(1)(j), said that there would be no obligation to reveal personal information which was not related to “public activity or interest”, or which would be an invasion of privacy. The new 8(1)(j) appears to be a balancing act between the public interest in accessing the information on one hand, and the harm that could be caused to the data principal on the other.

Specific Points Discussed on the Srikrishna Committee Report by the Experts:

Srijan Pal Singh, IT Expert, shared his thoughts on the Report.

He believes that it is a welcome move that India has embarked on this journey of putting data privacy at the centre of our discussion. There are four important world zones in terms of internet users: 1) the USA (which is largely a free-market zone), 2) Europe (which has the General Data Protection Regulation (GDPR), making it a very citizen-friendly zone), 3) China (which is a very Government-friendly zone) and 4) India (which is trying to find a middle ground among these three different stakeholders, i.e. the citizens, the state and the industry).

There are some very good features in the bill, wherein it mentions child protection. Further, the entire role of a data fiduciary (which is a data collector), and the penalties which can be imposed in case this data is processed, is a very good salient feature, as is the provision on where the data would reside. Thus, the committee says that at least one copy of the data should be on Indian territory.

These are very good features in terms of long-term safety as well. There are further aspects which need more thought and deliberation, including what the role of the Government would be. This is because the recommendations talk about the fact that the Government can process the data without the consent of the individual for cases where a ‘benefit has to be delivered’, which is a vague term. What is a ‘benefit to be delivered’? Further, how long can the Government hold data? There is currently no sunset clause in terms of how long the Government can hold data. Another very important concern which needs to be addressed as we go further would be that of social media. This is because India is the largest social media base now; thus, how do we handle the issues of data privacy related to social media?

There is a difference between the data that we choose to upload on social media sites and that which the Government has. Isn’t it important to make a clear distinction between the two?

To upload dining table pictures on Instagram is the choice of an individual, and to hold an individual against that choice is something which the Government cannot do. Something which occurred in the GDPR was the ‘Right to be Forgotten’. Individuals should also have an option to delete their data, or whatever part of the data they want to. The recommendations of the report are a slightly watered-down version of the GDPR, which raises concerns from a social media angle, because the ‘Right to Forget’ according to the recommendations entails that one can restrict the usage of data, but not necessarily delete the data. Thus, social media should be given a clear ‘Right to be Forgotten’ clause, or a bill where data can be erased permanently on the request of the user. The same would apply in case someone is deceased. This area is still vague and needs work.

N.K. Goyal, Chairman, Telecom Equipment Manufacturers Association, added to this by saying that Indian laws in the future need to be stricter and comparable to the laws currently in Europe. He further raised the important point that when citizens part with information online, such as the information that facilitates banking transactions and purchasing commodities from e-commerce websites, and fraud takes place, then what one does is raise complaints against the government; on the other side, when the government wants to lay down certain rules and regulations, one raises the issue of strict laws being imposed.

What about the issue of strict laws and how does that come in the way of an individual’s privacy?

Laws have to be tight, and not necessarily strict in that sense. But how we implement laws becomes a very critical aspect. This is because the recommendations talk about a Data Protection Authority, where all complaints relating to data privacy will go and the authority will then determine whether the complaint is valid or not; this would mean a long drawn-out process. We are already seeing pendency in our legal system, and with this we would be adding one more layer to it. Thus, what we need is not just strict laws; laws which are time-bound and efficient to implement are more important. We should also be cautious of not tightening the screws so much that the whole machine stops functioning.

Thus, while the need for data privacy is obvious, we should not go back to a licensing regime where we start giving licences for every social media venture which is being set up. It is important to remember that social media also drives a lot of our e-commerce start-ups. Thus, we must be careful not to make the laws too strict.

We must appreciate that we have an alpha version of the bill which will now evolve with time. It would also be welcome if a provision were included in this bill that it be updated every year.

Karnika Seth, Cyber Law Expert, weighed in with her thoughts on The Personal Data Protection Bill, 2018.

She believes that this is a welcome move by the Government. The provisions of the bill with respect to ‘data fiduciaries’ give some empowerment to the user who is parting with his/her data.

She believes, however, that there is a bit of caution that we would have to follow. We should encourage start-ups; but the bill has the intent of curbing or restricting the misuse of data.
This is a point that we need to be very careful on. There are certain principles/rules which are laid down in the bill. These rules need to be followed and implemented in the spirit in which this bill has been proposed. We should also be careful of any kind of misinterpretation.

There are also certain terms which we need to understand. For example, “Who is a significant fiduciary?” and “What are the reasonable causes under which processing can take place?”
The Data Protection Authority has been given a wide ambit of power to decide on this. Therefore, as a matter of caution, we need to keep a very clear demarcation of where we are heading in terms of making those principles and laws to fill these gaps.

Are there some best practices which we can implement here as well as far as Data Laws across the world are concerned?

Srijan Pal Singh, IT Expert, weighed in with his arguments to this question.

European laws are very strict when it comes to companies, and gradually we need to move towards the entire ecosystem being more citizen-friendly. Ultimately, the most important stakeholder in this entire bill is the citizen. Indian companies, especially the start-ups, have evolved in an ecosystem where data privacy laws were not there, but gradually, over the next 3-4 years, we should make the EU General Data Protection Regulation (GDPR) our benchmark to achieve. The GDPR mandates a fine of 10 million Euros, which is roughly about 70 Crores, while the Indian law right now is about 5 Crores. Thus, there is a 14x gap between the two, whereas the companies that are suffering are the same big multinationals of the world.
Thus, in India, we are treating them in a far friendlier manner than Europe is treating them. Thus, going ahead in time, India would evolve a citizen-centric GDPR-like bill.

Do we need Data Security Standards?

N.K. Goyal, Chairman, Telecom Equipment Manufacturers Association, weighed in with his arguments on this question.

Because of the European laws, Facebook lost 20%. At one point in time, Facebook was also a start-up. This bill will now pass through many stages; it has entered the realm of public debate now, and it will also pass through various committees of Parliament. It is hoped that this bill will be refined, and that one would get the fine print of the bill later on.

The bill proposes four rights that every citizen would have over his/her data. These include:
1. The right to confirmation and access
2. The right to correction
3. The right to data portability
4. The right to be forgotten

What does this mean, and where does this put an individual as far as Data Protection is concerned?

Karnika Seth, Cyber Law Expert, responded to this question.

These rights basically mean that whenever data is collected from a user, the user must know, and he/she must give explicit consent for the collection of that data. Further, what that data is going to be used for has to be clearly explained to the user in the “Terms of Use”. This is especially the case in terms of sensitive personal data, whether it is:

  1. Financial Records of the individual concerned, or
  2. Anything to do with his/her religious or political beliefs, etc.

Thus, for all these things, the individual concerned would have to give consent before the data is collected from them. Further, the purpose of collection has to be disclosed. Who is it going to be disclosed to? Is any third party or parties going to be having this data, and if so, for what purpose? A person also has the right to be forgotten. Thus, if he/she doesn’t want a particular piece of data on the social media site, he/she can request its removal, and if there are legitimate grounds for asking the same, then that can be erased. Thus, these are certain rights which have been given, and the right to update any kind of detail, for example the personal information of a user in case there is inaccurate data, is also given to an individual. It is in this sense that it is actually empowering a user, in that he/she can write to the data fiduciary and ask for any of these rights to be exercised. If a fiduciary doesn’t respond to the request, then there are penalties for that to the tune of 10 Lakhs, 15 Lakhs, and so on. These penalties can also be enforced in case there is a sense of non-cooperation by the data fiduciary as far as implementing the provisions of the law is concerned. Thus, there is empowerment as far as the citizens are concerned.

Do you believe that there are adequate checks and balances as far as this bill is concerned?

Srijan Pal Singh, IT Expert, weighed in with his arguments here.

We need to be honest about the fact that we have just embarked upon this journey. No product, no bill, and no service is perfect on its first iteration. This is no exception. But it is a great effort in the right direction. There are checks and balances. It is hoped that in the future, the checks and balances and even the penalties would go higher. For example, for a company like Google, a 5 Crore penalty is virtually nothing. “Erasure” is a concept which the bill does not talk about. It just talks about not using the data; thus, one can curtail the usage of the data, but this is not the same as erasure. Thus, ‘erasure’ of data becomes an aspect which we need to work on. We need a proper structure for the authority that is going to manage all this, as this would be a nightmare of a process.

What would be the composition of the authority, etc.? One must note that if data is breached, from the moment it is breached until the point when the breach is corrected, it can be a life-changing situation for an individual. Thus, how does one minimise the time for which one is exposed to a breach of data? All these things need to be clarified. At the end of the day, it is important to be optimistic. We have more users of the internet than the whole of Europe put together.

Following this, Karnika Seth, Cyber Law Expert added that:

  • A lot of aspects from the EU General Data Protection Regulation (GDPR) have already been incorporated in the bill.
  • For example, the aspect of penalties, or even the set of model clauses that would have to be conformed to in case there is a cross-border transfer of data. Significantly, this is a remarkable achievement as far as the GDPR is concerned, and therefore it has inspired our own Personal Data Protection Bill. Sensitive personal information would have to be localised on our servers here in India, and only non-sensitive information would be allowed to flow outside, and that too with a mirror-image copy on the Indian servers.
  • Thus, from a law and legal enforcement aspect, this development is going to be a boon, because a lot of evidence which we need as far as criminal matters are concerned either gets erased or is deemed not to be available, since the mutual legal assistance treaty (MLAT) system which we currently follow is a very long process; in most cases, there is either non-availability of data or such a long time is taken that the data gets erased.
  • Thus, the bill will also help in getting effective law enforcement remedies through the availability of data from the service providers.

Concluding Remarks:

The bill has also suggested certain changes in the Aadhaar Act and in the Right to Information Act. Finally, the world is changing and data privacy is now a global topic, given the U.S. elections and their aftermath. What we need to be careful with is how we build the institutions which are going to be needed to back this system. Whether Aadhaar would be able to incorporate, assimilate and live up to the spirit and the word of this bill is the question which needs to be asked. There would be a huge start-up ecosystem boom waiting to happen in the area of compliance management. A huge industry is going to take root towards ensuring that companies in India are compliant with this bill. The same happened in Europe, and the same is expected to happen in India.
