Recognising the importance of data protection and of keeping the personal data of citizens secure and protected, the Ministry of Electronics and Information Technology (MeitY), Government of India, on 31st July 2017 constituted a Committee of Experts under the Chairmanship of Justice B N Srikrishna, Former Judge, Supreme Court of India, comprising members from Government, Academia and Industry, to study and identify key data protection issues and recommend methods for addressing them. The committee will also suggest a draft Data Protection Bill. Protection of data is expected to provide a big boost to the digital economy of the country.
Given the vast amount of personal data being collected by private companies and state agencies, and their flow across national jurisdictions, the absence of a data protection legal framework in India has been a cause for deep concern.
The need for legislation was also underlined last year by the landmark judgment in Justice K.S. Puttaswamy v. Union of India, which held the right to privacy to be a fundamental right. Against this backdrop, the draft legislation on data protection submitted by a committee of experts chaired by Justice B.N. Srikrishna, after year-long public consultations, provides a sound foundation on which to speedily build India’s legal framework.
What is Data protection?
Data protection is the process of protecting data. It involves the relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy, and the political and legal underpinnings surrounding that data.
It aims to strike a balance between individual privacy rights and the continued use of data for various purposes.
What is Personal Data?
Personal data is any information relating to an individual, whether it relates to the individual’s private, professional, or public life. In the online environment, where vast amounts of personal data are shared and transferred around the globe instantaneously, it is increasingly difficult for people to maintain control of their personal information. This is where data protection comes in.
Data protection refers to the practices, safeguards, and binding rules put in place to protect your personal information and ensure that you remain in control of it. In short, you should be able to decide whether or not you want to share some information, who has access to it, for how long, and for what reason, and you should be able to modify some of this information, and more.
What is The Right to be Forgotten?
As per the B.N. Srikrishna Committee report on data privacy, the right to be forgotten refers to the ability of individuals to limit, delink, delete or correct the disclosure of personal information on the internet that is misleading, embarrassing, irrelevant or anachronistic.
Data principals: the persons whose information is collected.
Data fiduciaries: the firms or state institutions which process the data.
Recommendations of the Justice B.N. Srikrishna Committee on Data Protection
Principles: The Committee suggested that a framework to protect data in the country should be based on seven principles:
- Law should be flexible to take into account changing technologies,
- Law must apply to both government and private sector entities,
- Consent should be genuine, informed, and meaningful,
- Processing of data should be minimal and only for the purpose for which it is sought,
- Entities controlling the data should be accountable for any data processing,
- Enforcement of the data protection framework should be by a high-powered statutory authority, and
- Penalties should be adequate to discourage any wrongful acts.
1. Fiduciary relationship:
The Committee observed that the regulatory framework has to balance the interests of the individual with regard to his personal data and the interests of the entity such as a service provider who has access to this data.
It noted that the relationship between the individual and the service provider must be viewed as a fiduciary relationship, because the individual depends on the service provider to obtain a service.
Therefore, the service provider processing the data is under an obligation to deal fairly with the individual’s personal data and to use it for the authorized purposes only.
2. Obligations of fiduciaries:
To prevent abuse of power by service providers, the law should establish their basic obligations, including:
- The obligation to process data fairly and reasonably, and
- The obligation to give notice to the individual at the time of collecting data and at various points in the interim.
3. Definition of Personal data:
- It defined personal data to include data from which an individual may be identified or is identifiable, either directly or indirectly.
- The Committee sought to distinguish the protection of personal data from the protection of sensitive personal data, since the processing of sensitive personal data could result in greater harm to the individual.
- Sensitive data relates to intimate matters where there is a higher expectation of privacy (e.g., the caste, religion, and sexual orientation of the individual).
4. Consent:
The Committee noted that consent must be treated as a pre-condition for processing personal data. Such consent should be informed and meaningful.
Further, for certain vulnerable groups, such as children, and for sensitive personal data, a data protection law must sufficiently protect their interests, taking into account their vulnerability and exposure to risks online.
Further, sensitive personal information should require the explicit consent of the individual.
5. Non-consensual processing:
The Committee noted that it is not possible to obtain the consent of the individual in all circumstances. Therefore, separate grounds may be established for processing data without consent.
The Committee identified four bases for non-consensual processing:
- Where processing is relevant for the state to discharge its welfare functions,
- To comply with the law or with court orders in India,
- When necessitated by the requirement to act promptly (to save a life, for instance), and
- In employment contracts, in limited situations (such as where obtaining consent would require unreasonable effort from the employer).
6. Participation rights:
The rights of the individual are based on the principles of autonomy, self-determination, transparency and accountability, and are intended to give individuals control over their data.
The Committee grouped these rights into three categories:
- The right to access, confirmation and correction of data,
- The right to object to data processing, automated decision-making, direct marketing and the right to data portability, and
- The right to be forgotten.
7. Enforcement models:
The Committee also recommended setting up a regulator (the Authority) to enforce the regulatory framework.
- The Authority will have the power to inquire into any violations of the data protection regime, and can take action against any data fiduciary responsible for the same.
- The Authority may also categorize certain fiduciaries as significant data fiduciaries based on their ability to cause greater harm to individuals.
- Such fiduciaries will be required to undertake additional obligations.
8. Amendments to Other Laws:
- The Committee noted that various allied laws are relevant in the context of data protection because they either require or authorize the processing of personal data. These laws include the Information Technology Act, 2000, and the Census Act, 1948.
- It stated that the Bill provides minimum data protection standards for all data processing in the country. In the event of inconsistency, the standards set in the data protection law will apply to the processing of data.
- The Committee also recommended amendments to the Aadhaar Act, 2016 to bolster its data protection framework.
THE DRAFT PERSONAL DATA PROTECTION BILL, 2018
1. Rights of the individual:
The Bill sets out certain rights of the individual. These include:
- Right to obtain confirmation from the fiduciary on whether their personal data has been processed,
- Right to seek correction of inaccurate, incomplete, or out-of-date personal data, and
- Right to have personal data transferred to any other data fiduciary in certain circumstances.
2. Obligations of the data fiduciary:
The Bill sets out obligations of the entity that has access to the personal data (the data fiduciary). These include:
- Implementation of policies with regard to processing of data,
- Maintaining transparency with regard to its practices on processing data,
- Implementing security safeguards (such as encryption of data), and
- Instituting grievance redressal mechanisms to address complaints of individuals.
3. Data Protection Authority:
The Bill provides for the establishment of a Data Protection Authority. The Authority is empowered to:
- Take steps to protect the interests of individuals,
- Prevent misuse of personal data, and
- Ensure compliance with the Bill.
The Authority will consist of a chairperson and six members, each with at least 10 years of expertise in the field of data protection and information technology.
Orders of the Authority can be appealed to an Appellate Tribunal established by the central government, and appeals from the Tribunal will go to the Supreme Court.
4. Grounds for processing personal data:
The Bill allows processing of data by fiduciaries if consent is provided. However, in certain circumstances, processing of data may be permitted without the consent of the individual. These grounds include:
- if necessary for any function of Parliament or state legislature, or if required by the state for providing benefits to the individual,
- if required under law or for the compliance of any court judgement,
- to respond to a medical emergency, a threat to public health or a breakdown of public order, or
- for reasonable purposes specified by the Authority, related to activities such as fraud detection, debt recovery, and whistle blowing.
5. Grounds for processing sensitive personal data:
Processing of sensitive personal data is allowed on certain grounds, including:
- based on explicit consent of the individual,
- if necessary for any function of Parliament or state legislature, or if required by the state for providing benefits to the individual, or
- if required under law or for the compliance of any court judgement.
Sensitive personal data includes passwords, financial data, biometric data, genetic data, caste, religious or political beliefs, or any other category of data specified by the Authority. Additionally, fiduciaries are required to institute appropriate mechanisms for age verification and parental consent when processing the sensitive personal data of children.
6. Transfer of data outside India:
Personal data (except sensitive personal data) may be transferred outside India under certain conditions. These include:
- Where the central government has prescribed that transfers to a particular country are permissible, or
- Where the Authority approves the transfer in a situation of necessity.
7. Exemptions:
The Bill provides exemptions from compliance with its provisions for certain reasons, including:
- State security,
- Prevention, investigation, or prosecution of any offence, or
- Personal, domestic, or journalistic purposes.
8. Offences and Penalties:
Under the Bill, the Authority may levy penalties for various offences by the fiduciary, including:
- Failure to perform its duties,
- Data processing in violation of the Bill, and
- Failure to comply with directions issued by the Authority.
For example, under the Bill, the fiduciary is required to notify the Authority of any personal data breach which is likely to cause harm to the individual. Failure to promptly notify the Authority can attract a penalty of the higher of Rs 5 crore or 2% of the worldwide turnover of the fiduciary.
9. Amendments to other laws:
The Bill makes consequential amendments to the Information Technology Act, 2000. It also amends the Right to Information Act, 2005, to permit non-disclosure of personal information where the harm to the individual outweighs the public good.