Let me begin at the very beginning by pointing out that the Justice BN Srikrishna Committee, headed by former Supreme Court Judge BN Srikrishna and set up primarily to draft a data protection and privacy Bill, in a white paper on November 27, 2017 suggested the setting up of a data protection authority, data audit, registration of data collectors, enacting provisions for protecting children’s personal information, and defining penalties and compensation in case of a data breach. The setting up of this high-powered panel by the government is considered imperative as it comes amid concerns over personal information being compromised with the increasing use of the biometric identifier Aadhaar in an array of services ranging from filing tax returns to availing government doles. The panel is a 10-member committee tasked with recommending a framework for securing personal data in the increasingly digitized economy, as also to address privacy concerns and build safeguards against data breaches.
As it turned out, the Justice BN Srikrishna Committee, which studied the privacy and data protection laws of many countries, including the US, Singapore, Australia and the European Union, has released a document of over 200 pages. It has invited comments from the public on various issues pertaining to the definition of personal data and proposed penalties for misuse of data. It is widely anticipated that some valuable suggestions from the public would also be incorporated in the Srikrishna panel report.
1. Key regulators like SEBI, IRDA, PFRDA and FMC should be merged.
2. A unified financial regulatory agency other than banking sector regulator RBI.
3. FSAT to hear appeals against all financial regulatory services.
4. Setting up of Financial Redressal Agency (FRA) which addresses consumer complaints across the financial system.
5. Establishing of an independent debt management office.
1. An individual should first approach the data controller for any data breach, then the authority.
2. Authority may conduct investigations; collect data; adjudicate disputes; monitor cross-border data transfer.
3. Foreign entity that offers goods or services in the country may be covered under the law.
4. Authority may be given the power to impose civil penalties, order defaulter to pay compensation.
5. Proposed law may not be extended to include data relating to companies and other juristic entities.
6. Data from which an individual is identified or reasonably identifiable may be considered personal data.
7. Health, genetic, religious beliefs, financial, sexual orientation be treated as sensitive personal data.
8. Exemption may be provided for data processed for journalistic/artistic, literary, academic, research purposes.
9. Law may provide exemptions for data collected for investigation of a crime, and to maintain national security.
10. A variable age limit can be drawn (not necessarily 18) below which parental consent is to be mandatory.
All said and done, the data protection law is being keenly watched for its implications on both Indian and global technology giants. It is heartening to note that this is the first time that India has started meticulous work on a specific data protection law, which is expected to look at aspects such as data sovereignty, data retention and responsibilities of government, companies as well as individuals while handling third-party data. Equally important is the fact that the Srikrishna Committee on data protection is close to releasing a white paper which will include a questionnaire for stakeholders on issues such as Aadhaar, data collection by corporates and consent of consumers, according to multiple people in the know. The white paper is likely to be made public in the next few days. The real idea behind the paper is to get comments on a variety of issues before the government starts the process of drafting legislation for data protection. It must be strictly ensured that the right to privacy, which just recently in the KS Puttaswamy case was held by the Supreme Court in a unanimous 9-0 verdict to be a fundamental right, is respected and that people’s personal information is not leaked to anyone under any circumstances.
Taking note of India’s potential to “lead the world into a digital economy”, the white paper suggested that the data protection framework must not stifle innovation. Furthermore, it feels the framework must be considerate of the country’s need for “empowerment based on data-driven access to services and benefits for the common man”. It also envisions three main objectives of a data protection authority: monitor, investigate and enforce the laws; set the standards; and generate awareness in an increasingly digitized society.
Truly speaking, the paper traces the judicial and legislative steps towards data protection and privacy in India. It also touches on many domain-specific privacy laws for information, but in the context of data protection it focuses on two laws that provide the current contours for data protection. One hopes that the Srikrishna panel will further improve on its shortcomings by including the invaluable suggestions received from the people by which is the last date for receiving the feedback.
To be fair, the Srikrishna panel suggests a Data Protection Authority to draw up guidelines for each organization – like a WhatsApp or a Google – to follow, and a Data Protection Officer in each organization whose job is to ensure the guidelines are followed; if, for instance, the Authority says most apps don’t need access to your phone records, it will need to ensure this is being followed. The Authority could also conduct Data Protection Impact studies and assign Trust Scores to each app/organization, which would be of great help to users. There could, perhaps, even be a Consent Dashboard, where users can see where their data is being used … Though it sounds easy to say all data must be protected, as Srikrishna brings out, this is a complex and constantly evolving task – and no matter how many rules are laid out, decades of legal challenges/suits that follow will also play a key role in deciding how this finally pans out!
It merits no reiteration that the Srikrishna panel must put a strong check on people’s data being leaked most casually by different companies, etc. Almost every app you download wants access to your phone calls, directories and calendar, which should not be allowed unless you are willing to allow it. Since data protection is different for each type of data, Srikrishna starts off with the very basic user consent being essential – as Aadhaar is mandated by the law, the consent here applies to allowing government departments to make your details public. A serious check must be imposed on most such apps which, of course, get user consent forms and, in any case, users have no option but to accept them in order to be able to download the app – the Srikrishna panel very rightly suggests a short and simple form to avoid ‘consent fatigue’. Also, when that data is sold to someone, or processed by anyone, say a Google, to get consumer insights, consumers must have the right to ask for their data not to be included unless permitted, or for them not to be targeted by advertisers/marketers based on this information. Let’s hope that the Srikrishna panel, after receiving the views of people, will incorporate all such suggestions and make sure that people’s privacy is not violated under any circumstances by anyone, including the government of the day! Only then will it serve the true purpose for which it was set up!
Sanjeev Sirohi, Advocate,
s/o Col BPS Sirohi,
A 82, Defence Enclave,
Sardhana Road, Kankerkhera,
Meerut – 250001, Uttar Pradesh.