Srikrishna Committee Report: A New Understanding of Right to Privacy and Information

The Srikrishna Committee, tasked with formulating a data protection law for India, submitted its final report along with the Data Protection Bill, 2018, yesterday. The report has come eight months after the Committee had released a white paper inviting comments from the public. Apart from recommending amendments to the existing laws, the Committee has also recommended setting up a new regulatory body to deal with data privacy called the Data Protection Authority (DPA). However, the Committee did not recommend repealing or limiting Aadhaar despite it representing a major privacy concern for citizens.

Read More: Srikrishna Committee Releases White Paper on Data Protection, Raises Pertinent Questions 

Jurisdiction and Applicability

The Committee recommended that Indian law should have jurisdiction over all the personal data being processed in India. As far as its applicability to fiduciaries operating outside India, the law will apply only to those doing business in India, or who have collected a significant amount of personal data which could be used to harm either the State or the citizens. Regarding data collected and processed by Indian entities, the law will apply irrespective of whether the processing occurs in India. The Committee also recommended that companies located in India that process the personal data of foreigners may be exempted from the law. The law, however, will not have retrospective application.

Processing

The law will apply to both the private as well as the public sectors as far as processing is concerned. The Committee has adopted identifiability of individuals as the guiding factor to determine what constitutes personal data. The DPA will issue guidelines concerning personal data, anonymisation of data and de-identification of data. The law will not apply to anonymised data which meets the standards prescribed by the DPA.

The Committee also recommended that consent will be the basis on which data processing can take place. Interestingly, the committee has also recommended that a modified consent framework will be adopted. This means that privacy policies in the nature of contracts will be treated as objects and not a series of terms. Thus, in the absence of an individual's full knowledge, liability can be imposed in the same way as if a faulty product – such as a car – was delivered to the individual. The Committee has also recommended that where consent is sought, it should be free and informed, and at the same time, capable of being revoked. In the case of sensitive personal data, the consent required must be explicit. Thus, this is a welcome departure from the general practice that defines consumer relationships in cyberspace.

The Committee recommended importing the law of majority to the extent that a data principal below the age of eighteen will be considered a child. Data fiduciaries dealing with the personal data of children will be deemed guardian data fiduciaries. All data fiduciaries should adopt appropriate age-verification; in the case of children, parental consent will be required. However, the guardian data fiduciaries offering counselling or other similar services will be exempt from acquiring parental consent.

The Committee also recognised the principle of protecting community data. However, they recommended that the law protecting community data should be enacted at a later date, and have not addressed it in the Personal Data Protection Bill, 2018.

Obligations of Data Fiduciaries

The Committee recommended reforming the relationship between the individuals and the tech entities from 'data subjects' and 'data controllers' to 'data principals' and 'data fiduciaries'. All the data collected will be limited to the data required for stated purposes. In the event that data is being processed for a purpose not known at present, it can only be done so with explicit consent. Any notice concerning the data being collected will have to be provided at the time it is being collected. The data fiduciary is obliged to maintain the data quality and storage, however the data principals are obliged to provide accurate data. In circumstances where there is a data breach, the DPA will have to be notified by the data fiduciary; only in certain circumstances data principals will be notified. The Committee decided upon this after observing that publicity of data breaches can have negative consequences on the data fiduciary's ability to do business – the public loses faith.

Data Principal Rights

The data principals will have the right to confirm, access and correct the data held by the data fiduciaries. The Committee also recognised that the right to data portability – shifting from one fiduciary to another – should also be recognised, but to a limited extent. The Committee however, did not deem the right to object to; direct marketing and decisions based on solely automated processing, and the right to restrict processing to be protected under the Bill.

Read More: The Government's Cambridge Analytica Project Faces a Petition in the Supreme Court 

The Committee did, however, include the right to be forgotten subject to conditions and the discretion of the DPA. The DPA would have to balance the right to freedom of speech and expression as well of the right to information on one hand, and the privacy concerns of the individuals on the other, in determining whether the right to be forgotten can be exercised. 

Transfer of Personal Data Outside India

Barring critical personal data, all cross-border transfers will be through model contract clauses. The clauses will impose liability on the transferor for any harm that may be caused to the principal due to the transferor violating the terms. The Union Government will have the discretion to allow transfers to certain jurisdictions after consulting with the DPA. All personal data that is determined to be critical will not be allowed to be transferred outside India. The Union Government will be the authority to determine what constitutes critical personal data – the criteria is that the data can have strategic implications.

Personal data regarding health will only be transferred in an emergency, whereas the government may approve the transfer of other data in addition. The non-critical data may be transferred to other jurisdictions provided that a copy is stored in India.

Allied Laws

The Committee has recommended that their Bill should have an overriding effect over other legislations that may conflict with its contents. The Bill that the Committee has drafted will replace section 43A of the Information Technology Act, 2000, as well as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. For this reason, the Committee recommended repealing both of these legislations. 

The Committee has also recommended amending section 8(1)(j) of the Right to Information Act, 2005 so as to harmonise the right to privacy and the right to information. The Committee also identified 50 legislations which could come into conflict with the data protection framework. They have recommended amending these as well. They have also specifically mentioned amending the Aadhaar Act to improve data protection.

Non-Consensual Grounds for Processing

The Committee highlighted five grounds on which personal data may be processed non-consensually. The first ground is for the State to discharge its functions. The Committee, in this case, recommended that the definition of State should be that which is found in Article 12. However, due to a plethora of case laws, this definition has been widened over the years. On the other hand, if the processing is not in furtherance of welfare functions, it will not fall under this category.

Read More: We’re Stuck With It, Even Though It Is Collapsing All Around Us: Usha Ramanathan 

The second ground is where it arises out of complying with an order of a court or a tribunal or is mandated by law. This would be limited to Indian courts, tribunals and laws. Obligations arising out of contracts, foreign law, or foreign courts would not be applicable. 

The third ground is 'prompt action'. It refers to a situation where the individual is not capable of giving consent, and the data must be processed to meet an emergency situation. The Committee cautioned that this ground should be interpreted in the strictest terms and used sparingly.

The fourth ground is employment. The Committee stated that this ground will only be available in terms of an employee's previous attendance record, antecedents, etc. In such circumstances, an employer has a right to know something about his employee to be able to take an informed decision.

The fifth ground is 'reasonable purpose'. This ground can be invoked where a circumstance arises which does not fall under the other grounds and is in the interest of society. The circumstances that fall under this ground will be determined by the DPA.

Exemptions

The Committee listed seven grounds on which compliance with the privacy law can be exempted. The first is 'security of State'. The Committee chose the phrase 'security of State' over 'national security' as the latter is vague and has not been adequately defined in jurisprudence, whereas the former has. The phrase 'security of State' is also narrower in its scope, as it entails only those aspects which threaten the existence of the State. The Committee also recommended that the government should bring in a law providing oversight of the intelligence agencies.

Read More: Draft Indian Privacy Code Reminiscent of the Aadhaar Hearings 

The second exemption is prevention, detection, investigation and prosecution of contraventions of law. The Committee recommended empowering the law enforcement agencies to invoke this exemption. The Committee also recognised protecting revenue as a valid ground for invoking this exemption.

The third exemption is disclosure for the purpose of legal proceedings. Where there is a need to enforce a legal right or claim, seeking relief, defending a charge, opposing a claim or for obtaining legal advice, this exemption can be invoked. However, even if invoked, all other general obligations will continue to operate.

The fourth exemption is research activities. This exemption will be allowed by the DPA only to the extent that the object of the research can be achieved. Anything outside the object of research will not be exempt.

The fifth exemption is for personal or domestic purposes. This will again depend on the purpose for which the data is to be used. The Committee recommended that this should be provided as a blanket exemption.

The sixth exemption is journalistic activities. The Committee has been cautious on this exemption regarding what constitutes 'journalistic activities'. They have also recommended that ethical and professional standards be written into the law so as to balance the right to know with the right to privacy.

The final exemption is manual processing by small entities. The Committee was of the view that manual and non-automated processing of data, which is unlikely to cause significant harm, should be exempt as compliance may turn out to be too heavy a burden.

Enforcement

To enforce the new law, the Committee recommended setting up a new regulatory authority, the Data Protection Authority (DPA). The DPA will perform four functions: monitoring and enforcement; legal affairs, policy and setting standards; research and awareness; inquiry, grievance handling and adjudication. 

The DPA will be empowered to categorise certain fiduciaries as 'significant data fiduciaries' based on their ability to cause harm to the data principals – e.g. the Facebook-Cambridge Analytica situation. These significant data fiduciaries will have to: register themselves with the DPA; conduct Data Protection Impact Assessments; keep records; undergo Data Audits; and appoint Data Protection Officers (DPO). The DPA can extend these requirements to other data fiduciaries as well.

The Committee also recommended that the Union Government shall create separate appellate tribunals to hear and dispose any appeals to the DPA's orders. Any appeals from the appellate tribunals will lie with the Supreme Court.

The penalties that the Committee recommended would be to a fixed upper limit or a percentage of the data fiduciary's total worldwide annual turnover of the preceding financial year, whichever is higher. The offences should be limited to: intentional or reckless behaviour; and known damage caused to the data principals.