Srikrishna Panel Recommends Setting Up Data Privacy Authority

Let me begin at the very beginning by pointing out that the Justice BN Srikrishna Committee headed by former Supreme Court Judge BN Srikrishna which was set up primarily to draft a data protection and privacy Bill, in a white paper on November 27, 2017 suggested the setting up of a data protection authority, data audit, registration of data collectors, enacting provisions for protecting children’s personal information, defining penalties and compensation in case of a data breach. This setting up of a high powered panel by the government is considered imperative as it comes amid concerns over personal information being compromised with the increasing use of biometric identifier Aadhaar in an array of services which ranges from filing tax returns to availing government doles. This high powered panel comprises of a 10-member committee to recommend a framework that would be for securing personal data in the increasingly digitized economy as also address privacy concerns and build safeguards against data breaches.

Needless to say, the Srikrishna panel which is a committee of experts draws its members from government, academia and industry. The panel apart from Justice BN Srikrishna as Chairman also includes Aruna Sundararajan who is Secretary in the Department of Telecom; Ajay Bhushan Pandey who is CEO of Unique Identification Authority of India; Ajay Kumar who is Additional Secretary of IT Ministry; Gulshan Rai who is National Cyber Security Coordinator and Rajat Moona who is Director of IIT Raipur. It has studied and identified ways by which there can be better protection of key data and recommend methods to address these so that no key data is lost. It has suggested a draft data protection Bill.

While craving for the exclusive indulgence of my esteemed readers, let me inform them that an office memorandum issued by the Ministry of Electronics and IT said: 'The government is cognizant of the growing importance of data protection in India. The need to ensure growth of the digital economy while keeping personal data of citizens secure and protected is of utmost importance.' The Srikrishna panel made specific suggestions to the government on principles to be considered for data protection in India. Now the ball is in the court of the government.

For my esteemed readers exclusive indulgence, let me also inform them that the constitution of the panel is significant from many angles given the off-take of digital transactions in the country as also the mounting concerns over the safety and protection of personal data. It is indisputable that there are Information Technology (IT) provisions which deal with cyber crime and data protection, but the spike in cashless transactions in the country post demonetization coupled with an increasing number of business going online have necessitated the dire need for fresh look at the existing laws. What is of paramount concern is that very serious questions have also been raised over data security and privacy safeguards after some websites of the Central and State Governments were found to be wantonly displaying personal details and Aadhaar number of beneficiaries. This should never have happened at the first place because it is a gross violation of the right to privacy of every citizen whose details are made public!

As it turned out, the Justice BN Srikrishna Committee which studied the privacy and data protection laws of many countries, including the US, Singapore, Australia and the European Union, has released an over 200-page document. It has invited comments from the public on various issues pertaining to the definition of personal data and proposed penalties for misuse of data. It is widely anticipated that some valuable suggestions from the public would also be incorporated in the Srikrishna panel report.

Interestingly enough, the comments and feedback from the public have been invited on various issues till December 31 thus sending a clear signal that the government is unlikely to table a data protection Bill in the upcoming winter session of Parliament. It may be recalled here that the Srikrishna Committee was set up on July 31 following a government decision to make Aadhaar compulsory for all its services. The government gave the panel three months to suggest a draft Bill.

To put things in perspective, it would be pertinent to discuss the highlights of the recommendations of an approach paper which was published by Financial Sector Legislative Reforms Commission that was headed by Justice BN Srikrishna. They are as follows: -

1. Key regulators like SEBI, IRDA, PFRDA and FMC should be merged.

2. A unified financial regulatory agency other than banking sector regulator RBI.

3. FSAT to hear appeals against all financial regulatory services.

4. Setting up of Financial Redressal Agency (FRA) which addresses consumer complaints across the financial system.

5. Establishing of an independent debt management office.

To be sure, the paper read that, 'Despite an obligation to adopt adequate security safeguards, no database is 100 percent secure. In light of this, the interplay between any proposed data protection framework and the existing Aadhaar framework will have to be analysed.' It is worth mentioning here that the Unique Identification Authority of India (UIDAI) has issued a 12-digit unique identification number called Aadhaar to over 1 billion people after collecting their personal and biometric data. The Aadhaar number is now used by both the government and private entities for the purpose of authentication and financial transactions.

It is most concerning to note that though the UIDAI has various in-built data protection mechanisms, it is not bound to inform an individual in cases of misuse or theft of his or her data. It was also added in the paper that, 'The law may require that individuals be notified of data breaches where there is a likelihood that they will suffer privacy harm as a result of data breaches…fixing too short a time period for individual notifications may be too onerous on smaller organisations and entities. This may prove to be counter-productive as well as an organisation may not have the necessary information about the breach and its likely consequences.'

Be it noted, the Srikrishna Committee, which has met thrice since its formation, is of the opinion that both the government and the private entities be brought under the ambit of the proposed law. Right now, we see that only the private or corporate entities are governed by the Reasonable Security Practices and Sensitive Personal Data or Information Rules under the Information Technology Act. Of course, both government and private must be brought under the ambit of the proposed law.

In hindsight, the Srikrishna Committee appears to be traversing a middle path between the EU privacy law where protection of personal data is equated with protecting the fundamental right to privacy, and the US law which focuses on protecting the individual from excessive state regulation. The Committee has divided the white paper into three substantive parts, including scope and exemptions; grounds for processing, obligation on entities and individual rights; and regulation and enforcement. The Committee is of the view that certain exemptions should be granted by law for collecting information for investigating a crime, apprehension or prosecution of offenders, and maintaining national security and public order. But the paper stated that, 'An effective review mechanism must be devised.'

What cannot be missed out is that the panel recommended strict penalties to be imposed on data controllers in cases of violation. The approach paper observed that, 'A civil penalty of a specific amount may be imposed on the data controller for each day such violation continues, which may or may not be subject to an upper limit. An upper limit may be a fixed amount or may be linked to a variable parameter, such as a percentage of the annual turnover of the defaulting data controller.'

Before winding up, let me dwell on the views of the Srikrishna Committee on key points. To put it succinctly: Finding a balance between the rights-based model of privacy and protecting the individual from State interference, listing out seven principles of a good data protection law, and setting up of a data protection authority are some of the key findings of a white paper published by a Committee of experts on data protection. The seven key principles mentioned on which such a framework could be based upon in the country include: technology agnostic law; be applicable to the private sector and the government, maybe with different obligations though; informed and meaningful consent; minimal and necessary data processing; data controller must be accountable for any processing; establishing a high-powered statutory authority for enforcement, supported by a decentralized enforcement mechanism; and penalties for wrongful data processing to ensure deterrence. The key points are as follows: -

1. An individual should first approach the data controller for any data breach, then the authority.

2. Authority may conduct investigations; collect data; adjudicate disputes; monitor cross-border data transfer.

3. Foreign entity that offers goods or services in the country may be covered under the law.

4. Authority may be given the power to impose civil penalties, order defaulter to pay compensation.

5. Proposed law may not be extended to include data relating to companies and other juristic entities.

6. Data from which an individual is identified or reasonably identifiable may be considered personal data.

7. Health, genetic, religious beliefs, financial, sexual orientation be treated as sensitive personal data.

8. Exemption may be provided for data processed for journalistic/artistic, literary, academic, research purposes.

9. Law may provide exemptions for data collected for investigation of a crime, and to maintain national security.

10. A variable age limit can be drawn (not necessarily 18) below which parental consent is to be mandatory.

All said and done, the data protection law is being keenly watched for its implications on both Indian as well as global technology giants. It is heartening to note that this is the first time that India has started meticulous work on a specific data protection law, which is expected to look at aspects such as data sovereignty, data retention and responsibilities of government companies as well as individuals while handling third-party data. Equally important is the fact that the Srikrishna Committee on data protection is close to releasing a white paper which will include a questionnaire for stakeholders on issues such as Aadhaar, data collection by corporate and consent of consumers, according to multiple people in the know. The white paper is likely to be made public in the next few days. The real idea behind the paper is to get comments on a variety of issues before the government starts the process of drafting legislation for data protection. It must be strictly ensured that right to privacy is respected which just recently in KS Puttaswamy case was held by the Supreme Court by a unanimous verdict of 9-0 was held to be a fundamental right and people’s personal information is not leaked to anyone under any circumstances

Taking India’s potential to 'lead the world into a digital economy' the white paper suggested that the data protection framework must not stifle innovation. Furthermore, it feels the framework must be considerate of the country’s need for 'empowerment based on data-driven access to services and benefits for the common man'. It also envisions three main objectives of a data protection authority: monitor, investigate and enforce the laws; set the standards; and generate awareness in an increasingly digitized society.

Truly speaking, the paper traces the judicial and legislative steps towards data protection and privacy in India. It also touches on many domain-specific privacy laws for information, but in the context of data protection it focuses on two laws that provide the current contours for data protection. One hopes that the Srikrishna panel will further improve on its shortcomings by including the invaluable suggestions received from the people by December 31 which is the last date for receiving the feedback.

To be fair, Srikrishna panel suggests a Data Protection Authority to draw up guidelines for each organization – like a Whatsapp or a Google – to follow, and a Data protection Officer in each organization whose job is to ensure the guidelines are followed; if, for instance, the Authority says most apps don’t need access to your phone records, it will need to ensure this is being followed. The Authority could also conduct Data Protection Impact studies and assign Trust Scores to each app/organization which would be of great help to users. There could be, perhaps, even be a Consent Dashboard, where users can see where their data is being used … Though it sounds easy to say all data must be protected, as Srikrishna brings out, this is a complex, and constantly evolving task – and no matter how many rules are laid out, decades of legal challenges/suits that follow will also play a key role in deciding how this finally pans out!

It merits no reiteration that Srikrishna panel must put a strong check on people’s data being leaked most casually by different companies, etc. Almost every app you download wants access to your phone calls, directories and calendar which should be not allowed unless you are willing to do so. Since data protection is different for each type of data, Srikrishna starts off with the very basic user-content being essential – as Aadhaar is mandated by the law, the consent here applies to allowing government departments to make your details public. A serious check must be imposed on most such apps who, of course, get user consent forms and, in any case, users have no option but to accept them in order to be able to download the app – the Srikrishna panel very rightly suggests a short and simple form to avoid ‘consent fatigue’. Also when that data is sold to someone, or processed by anyone say, a Google to get consumer insights, consumers must have the right to ask for their data not to be included unless permitted or for them not to be targeted by advertisers/marketers based on this information. Let’s hope that Srikrishna panel after receiving the views of people will incorporate all such suggestions and make sure that people’s privacy is not violated under any circumstances by anyone including the government of the day! Only then will it serve its true purpose for which it as set up!