Data Protection Framework – India
In July 2017 the Government of India formed a committee of experts to draft the country's first Data Protection Framework. The committee was headed by Justice B.N. Srikrishna. Among its members were Aruna Sundararajan, Secretary, Department of Telecommunications; Ajay Bhushan Pandey, CEO, Unique Identification Authority of India; Gulshan Rai, National Cyber Security Coordinator; and Arghya Sengupta, Research Director, Vidhi Centre for Legal Policy, a think tank that was instrumental in drafting the Aadhaar Act as well as the Insolvency and Bankruptcy Code.
According to the government order, the terms of reference of
the committee include, "To make specific suggestions for consideration of
the Central Government on principles to be considered for data protection in
India and suggest a draft data protection bill". The office memorandum also
said that "The Government of India is cognizant of the growing importance
of data protection in India. The need to ensure growth of the digital economy
while keeping personal data of citizens secure and protected is of utmost
importance."
Data Protection in India at present
At present the law in India offers only limited protection to individuals for their personal information. The handling and transfer of sensitive personal data is governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPD Rules), issued under Section 43A of the Information Technology Act, 2000. Their key features are:
- They hold a body corporate liable to pay compensation for negligence in implementing and maintaining reasonable security practices and procedures while dealing with sensitive personal data or information.
- They define sensitive personal data and mandate the implementation of a policy for dealing with such data.
- Conditions such as a consent requirement, lawful purpose, purpose limitation and the right to subsequently withdraw consent are imposed on the body corporate collecting such information.
- Prior consent of the provider of the information is required before sensitive personal data is disclosed to a third party.
- Transfer of sensitive personal data outside India is permitted only if the recipient in the other country ensures the same level of data protection that the SPD Rules require of the body corporate.
- A body corporate is deemed to have complied with reasonable security practices if it has implemented security standards and has comprehensive data security policies in place.
As the volume of electronic data continues to grow exponentially the world over, it is pertinent to revisit existing data protection laws and make them comprehensive. The Srikrishna committee's recommendations are a thorough step in this direction.
Insights into the proposal
The right to privacy was recognised in 2017 by the Supreme Court of India as a fundamental right. According to the committee report, to give effect to this right the state needs to build a data protection framework which protects citizens from dangers to informational privacy originating from state and non-state actors while serving the common good. Among the objectives of the committee has been "to unlock the data economy, while keeping data of citizens secure and protected".
The actors
The committee refers to the individual sharing data as the data principal and to the entities with which she/he shares it as data fiduciaries.
Applicability of the framework
- The law (if enacted on the framework in its current form) will apply to the processing of personal data that has been used, shared, disclosed, collected or otherwise processed in India.
- In respect of fiduciaries that are not present in India, the law will apply to those carrying on business in India or engaged in other activities, such as profiling, which could cause privacy harms to data principals in India.
- Personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered irrespective of where it is actually processed.
However, the data protection law may empower the Central Government to exempt such companies if they only process the personal data of foreign nationals not present in India.
Personal and sensitive personal data
Significantly, the committee has clearly defined personal and sensitive personal data.
Personal data includes data from which an individual is directly identifiable, such as a name. It also includes data from which an individual may be indirectly identifiable through indirect identifiers, such as date of birth, age, gender and PIN code.
Sensitive personal data has been defined as the following for
an individual:
- Passwords
- Financial data
- Health data
- Official identifiers which would include government issued identity cards
- Sex life and sexual orientation
- Biometric and genetic data
- Transgender status or intersex status
- Caste or tribe
- Religious or political beliefs or affiliations
Consent for processing data
In addition, consent for processing individuals' data has been defined as an expression of a person's autonomy or control which has the consequence of allowing another person to legally disclaim liability for acts that have been consented to. Consent is enabled through notice, an affirmative obligation placed on data fiduciaries to communicate the terms of consent.
The committee has also floated the idea of a 'single consent dashboard' to reduce "consent fatigue", while acknowledging the challenges involved given that multiple fiduciaries seek consent for the collection and use of individuals' data.
The obligations of data fiduciaries have also been spelt out, among them:
- The principles of collection limitation and purpose limitation will apply to all data fiduciaries unless specifically exempted.
- Processing of personal data using big data analytics, where the purpose of the processing is not known at the time of collection and cannot reasonably be communicated to the data principal, can be undertaken only with explicit consent.
- A principle of transparency binds data fiduciaries from the time the data is collected and at various points thereafter. Most prominently, a data fiduciary is obliged to give notice to the data principal no later than the time of collection of her personal data.
- Notification of personal data breaches to the DPA (Data Protection Authority) and, in certain circumstances, to the data principal.**
** The last one will be a new obligation on fiduciaries. While large-scale breaches at global organisations are disclosed to regulators and the media, a legal obligation to do so is new to India. The latter part of the point also suggests that fiduciaries will be obliged to notify each affected principal.
Movement of data outside India
Going by media reports, the movement of data outside India has drawn the most attention since the committee released its report. The summary of the committee's recommendations on this matter is as follows:
- Cross border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee.
- Intra-group schemes will be applicable for cross-border transfers within group entities.
- The Central Government may have the option to green-light transfers to certain jurisdictions in consultation with the DPA.
- Personal data determined to be critical will be subject to the requirement to process only in India (there will be a prohibition against cross border transfer for such data). The Central Government should determine categories of sensitive personal data which are critical to the nation having regard to strategic interests and enforcement.
- Personal data relating to health will however be permitted to be transferred for reasons of prompt action or emergency. Other such personal data may additionally be transferred on the basis of Central Government approval.
- Other types of personal data (non-critical) will be subject to the requirement to store at least one serving copy in India.
The regulator – Data Protection Authority
The data protection law will set up a DPA, an independent regulatory body responsible for the enforcement and effective implementation of the law. The DPA is proposed to have the following functions:
- monitoring and enforcement
- legal affairs, policy and standard setting
- research and awareness
- inquiry, grievance handling and adjudication
The DPA would also administer the accountability measures that the framework places on data fiduciaries:
- registration with the DPA
- data protection impact assessments
- recordkeeping
- data audits
- appointment of a Data Protection Officer*
* This is significant since it means an individual within the fiduciary holds a specific set of data protection responsibilities and is accountable for them.
Data protection laws elsewhere
To view the committee's proposal in context it is pertinent to highlight major data protection laws elsewhere. According to the report, broadly three approaches to data protection exist in the world today.
The USA does not have an overarching data protection framework. The right to privacy is recognised by the judiciary. Certain legislation, the Privacy Act, 1974, the Electronic Communications Privacy Act, 1986 and the Right to Financial Privacy Act, 1978, protects citizens against the federal government. With regard to the private sector, there are sector-specific laws with tailored rules for specific types of personal data. Data protection is thus an obligation primarily on the state and on certain categories of data handlers who process data considered worthy of public-law protection.
The European Union's General Data Protection Regulation, which became applicable in May 2018, is a comprehensive legal framework that deals with all kinds of processing of personal data while delineating the rights and obligations of the parties in detail. It is both technology- and sector-agnostic and lays down the fundamental norms to protect the privacy of Europeans in all its facets. The GDPR is driven by the need to uphold individual dignity. Central to dignity is the privacy of the individual, by which the individual herself determines how her personal data is collected, shared or used by anyone, public or private. The state is viewed as having a responsibility to protect this individual interest.
China has approached data protection primarily from the perspective of averting national security risks. Its Cybersecurity Law, which came into effect in 2017, contains top-level principles for handling personal data. A follow-up standard (akin to a regulation) issued earlier this year adopts a consent-based framework with strict controls on cross-border sharing of personal data.
From bill to law
The Srikrishna Committee has done a thorough job of drafting the bill. It is now up to the Union government and both houses of Parliament to debate this significant bill and enact it into law as a priority.