The Srikrishna Committee report on data protection (2018) is based on the fundamental belief that a legal framework for the protection of personal data is imperative for empowerment, progress and innovation in the 21st century.
In the words of Justice Chandrachud in Justice KS Puttaswamy (Retd.) vs Union of India (2017), the “(f)ormulation of a regime for data protection is a complex exercise which needs to be undertaken by the State after a careful balancing of the requirements of privacy coupled with other values which the protection of data sub-serves together with the legitimate concerns of the State.”
As per the directions of the five-judge bench in Justice KS Puttaswamy (Retd.) vs Union of India (2017), the Justice Srikrishna Committee was set up in October 2017. Its mandate included making specific suggestions for consideration of the central government on principles to be considered for data protection in India and suggesting a draft bill. In July 2018, a draft Personal Data Protection Bill was presented by the Committee to the Ministry of Electronics and Information Technology.
The Personal Data Protection Bill, 2019 was introduced in December 2019 in the Lok Sabha by the Minister of Electronics and Information Technology. Following this, a Joint Parliamentary Committee (JPC) was set up to look into the Bill. The Committee sought comments from the public in general and experts/stakeholders/organizations, in particular, on the Personal Data Protection Bill, 2019 through a press communique dated February 4, 2019.
Here are the key highlights from our submission to the JPC:
On the treatment of non-personal data (Section 91)
As per Section 91, the Central Government may direct any data fiduciary or data processor to provide access to non-personal data (“NPD”). In the current context, access to non-personal data may be needed for a range of state functions and not just for “better targeting of services” or “formulation of evidence-based policies”. For example, smart traffic management by traffic authorities will benefit immensely from access to non-personal data sets on traffic flows that are currently held by private platforms such as Google and Uber. The current wording of Section 91(2) is too narrow and does not account for such instances, and we recommend that the scope of public interest claims in data be broadened. We do hope that the imminent report of the Committee of Experts deliberating norms for data governance will pave the way for specific legislation that, while enabling the state to issue directions to data fiduciaries/processors to mandatorily share non-personal data sets for legitimate public policy functions, also balances other competing claims in relation to such non-personal datasets.
On acknowledging de-anonymisation as an offence of re-identification (Sections 82, 3 and 25)
Section 82 must also acknowledge intentional re-identification through processing of anonymised data as an offence. A definition of “de-anonymisation” should be added to Section 3. The obligations for reporting of personal data breaches under Section 25 should also explicitly cover instances of unintentional re-identification or de-anonymisation of de-identified/anonymised data that is in the control of any third party.
On qualified exemptions for research, archiving or statistical purposes (Section 38)
Section 38 permits the Authority to exempt personal data processing for research, archiving or statistical purposes from ‘any application of any of the provisions of this Act’, subject to regulations. It is suggested that the scope of this exemption be narrowed so that even in the case of personal data processing for research, there are certain foundational sets of rights and obligations of the data principals and data fiduciaries, respectively, that cannot be derogated from.
Consent Managers (Sections 3 and 23)
The relationship between a consent manager and a data principal relies upon the consent manager’s acting in the best interests of the data principal. It is therefore important for the broad contours of this relationship to be specified in law, in consonance with the principles laid down in the Srikrishna Committee Report. In this respect, it is necessary to define a consent manager and delineate its scope of work, functions, interface etc. It is suggested that a consent manager be defined in the Bill in the definitional clause or Section 3 and its powers to collect, store and use personal data of data principals be narrowed in Section 23, so that consent managers are permitted to process personal data only for the purpose of discharging their specific function of mediating consent.
Levying fees on processing requests pertaining to data rights (Section 21)
The exercise of data rights should not be curtailed on the grounds of burdensome fees charged by data fiduciaries, except in rare instances for reasons to be given in writing. We recommend that the power of data fiduciaries to levy fees as permitted in Section 21 be limited to instances where the request from a data principal is unreasonably and unduly burdensome for the data fiduciary to comply with.
Exemptions to State agencies (Section 35, 36 and 86)
The deletion of Section 35 is recommended, since without the application of the Data Protection law to their actions it would be "open to the authorities to be arbitrary and whimsical". Section 36 should correspondingly be modified to incorporate higher standards for executive exemptions. It is recommended that Section 86 be deleted. Both on its own and read in combination with Section 35, the scope of the directions that may be issued under Section 86 suffers from ambiguity due to overbreadth.
Grounds for data processing without consent (Sections 12, 13 and 14)
It is recommended that Section 12 be amended so as to remove non-consensual data collection from the pale of exclusively executive action. Non-consensual personal data processing by State agencies must be proportionate to a legitimate aim pursued under the law. Employers are not merely data fiduciaries; they have a greater degree of control over their employees than ordinary data fiduciaries have over data principals. It is recommended that Section 13 be changed to include additional safeguards and to balance the rights over personal data owed to an employee vis-à-vis their employer.
Employees are too often subject to monitoring and surveillance at their workplaces. Such practices are inimical to the dignity and humanity of workers. It is thus recommended that a provision be added to the Code of Ethics in Section 50 towards this end. Section 14(1) needs to be amended for clarity. Further, the list of reasonable purposes in Section 14(2) should be deleted. It is especially noted that “(g) processing of publicly available personal data” creates ambiguities, such as a lack of clarity as to the meaning of "publicly available". Equally, it is noted that "(f) operation of search engines" brings in ambiguity about what "operation" entails, which may have significant impacts on the rights of data principals. These two categories have been included without any reasoning or rational nexus being provided for such inclusion. Given that this provision provides a carte blanche for processing of personal data without consent, these purposes cannot be included in such a provision.
Selection Committee for the Data Protection Authority (Section 42)
We recommend that Section 42 be modified in order to reinstate the selection committee as envisaged under the Justice Srikrishna Committee Report (2018), and subsequently provided for in the 2018 PDP Bill. The inclusion of a member of the judiciary ensures the independence of the selection committee, and this is bolstered by the inclusion of an expert of repute. The inclusion of an expert of repute also ensures that the selection committee is well-equipped to take into account technical considerations while appointing members of the Authority.
On transparent functioning of the Data Protection Authority (Section 49)
The Authority is a body tasked with the extremely important function of creating and ensuring an ecosystem of responsible data handling. Therefore, we suggest modifying Section 49 in order to impose a transparency obligation on the Authority, modelled around the transparency provisions in the establishing legislation of two other sectoral regulators, namely, the Telecom Regulatory Authority of India and the Airports Economic Regulatory Authority of India.
Voluntary verification of identity enabled by social media intermediaries (Sections 26 and 28)
It is recommended that defining social media intermediaries on the basis of terms such as “users” and “online interaction” should be avoided under this statute. Not only are the terms difficult to define, but qualifying social media intermediaries by a threshold of minimum users emerges from an impartial understanding of the origins of disinformation. Therefore, we recommend the deletion of Section 26(4) and its explanation defining social media intermediaries. The Bill treats this category of social media intermediaries exactly like significant data fiduciaries, except for the additional requirement to enable voluntary verification of identity by notified social media intermediaries or classes of social media intermediaries. Such a verification provision does not materially affect personal data protection rights, and should therefore be avoided in this Bill. A requirement for data fiduciaries to enable voluntary verification of identity is better placed in a content regulation law, and not in a personal data protection law. Therefore, we recommend that Section 28(3) and (4) be deleted.
Bar on processing certain forms of biometric data (Section 92)
This provision has been rephrased for greater clarity. We recommend that the provision read: “No data fiduciary shall process biometric data unless such biometric data has been notified by the Central Government, and is processed in accordance with the law.”
The full submission can be found here.