The Devil in the Details

The proposed Personal Data Protection Bill puts the individual at its centre, as it should. But look deeper, and flaws reveal themselves.

A week ago, the Justice Srikrishna Committee released a draft Personal Data Protection Bill and a Report to go with it. This is another step in the progress that has been made in the past year to create a data protection framework for India. It started with the Supreme Court judgement that recognised privacy as a fundamental right. This was followed by the constitution of the Justice Srikrishna Committee, the release of a White Paper, and public consultations on the recommendations made under it.

The Bill and the Report, which had been expected for the better part of six months, have already attracted a flurry of critical commentary. While there are elements of these documents which are welcome, there are also serious concerns that require further attention.

One of the positive aspects of the proposed law is its attention to detail. It is comprehensive and ticks most of the boxes that a data protection law ought to have. It vests individuals with certain rights with respect to their personal data, imposes obligations on entities that collect and process such data, and envisages a regulatory infrastructure that is supposed to facilitate the ecosystem within which data is collected, processed, and transferred. The Bill is also applicable to State entities, which is an upgrade over the status quo.

The shift in the terminology for the main actors is also a welcome measure. Conventional data protection frameworks classify individuals as data subjects and the entities handling their data as data controllers. The Bill flips this relationship around by recognising the former as data principals and the latter as data fiduciaries. This semantic departure from conventional terminology signals that an individual is at the centre of the proposed law. This could have significant ramifications later when questions arise around the interpretation of the law.

These elements of the Bill, which are positive on paper, must be seen in the context of the fine print, that is, the actual language of the provisions themselves. What we see here is sobering, and justifies some of the criticisms that have been levelled against the Report and the Bill.

One of the biggest criticisms is the lack of adequate safeguards around State surveillance. In particular, the Bill itself makes no mention of any form of judicial or legislative oversight over surveillance that is carried out in the interests of the security of the State. The Report elaborates more on this, stressing that any surveillance must be necessary and proportionate, and be subject to adequate safeguards. While it looks at the use of judicial and legislative oversight in other jurisdictions to argue that they are not necessarily effective, it nevertheless accepts that they are better than giving the Executive a free rein when it comes to surveillance. Unfortunately, the Report follows this acceptance by palming off the responsibility to the Legislature to create a separate law that will take on board the Committee’s thoughts on the matter. This is, as has been discussed elsewhere, a missed opportunity to circumscribe the bounds within which the State can conduct surveillance.

The other significant criticism of the Bill is its stand on data localisation. The Bill requires data fiduciaries that transfer data outside India to maintain a copy of it on a server located on Indian territory. This might still be a reasonable request, so long as it does not impede free trade by weighing down the flow of data across borders. The Bill introduces much opacity by mandating that “critical personal data” be stored exclusively in India. What constitutes critical personal data is not clarified in the Bill, and the Report sets out only a vague and wanting scope for the term: it covers any data that is critical to Indian national interest and may range from health data, to transportation, to “…all kinds of data necessary for the wheels of the economy and the nation-state to keep turning…” In fact, it reserves the right of the Union Government to notify certain categories of personal data as critical personal data and bar any transfer of such data outside India. Leaving a term as operative and game-changing as ‘critical personal data’ ambiguous is regressive, and paves the way for unintended consequences for the very Indian economy it seeks to protect.

Even if a particular cross-border data transfer passes the data localisation restrictions, it will have to comply with additional conditions. These range from forcing data fiduciaries to adopt standard contractual clauses to vesting the Union Government with the power to notify transfers to certain territories as being permissible. It is disheartening that these obligations apply in addition to the consent of the data principal, which raises the question of just how much autonomy an individual actually enjoys under this framework.

Yet another shortcoming of the Bill is the way in which it sets a lower threshold of accountability when State agencies are acting as data fiduciaries in certain scenarios. For example, processing that is necessary for any function of Parliament or any State Legislature needs no consent from an individual. Similarly, any function of the State that involves providing a service or benefit, or the issuance of a certificate, licence, or permit, also does not require consent. These standards of “necessary” and “strictly necessary”, as they appear in the proposed law, whittle down the level of responsibility that a State agency must bear when it is processing the personal data of individuals.

Finally, the near-unanimous hope until now was that the Srikrishna Committee would propose a co-regulatory model of regulating data protection, because it is the neatest when seeking to regulate an ever-changing field like technology. In a co-regulatory model, the law sets out the basic framework of rights and obligations, leaving data fiduciaries, industry bodies and sectoral regulators to frame specific standards of security. We were disappointed to note that the tone of the Bill makes it tough for co-regulation to exist. For instance, the Bill requires the Data Protection Authority to prescribe codes of conduct for every data fiduciary to whom the law will apply. Granular compliance requirements like these must be developed by entities and industry bodies. Once they are mandated by a general law such as the Bill, not only do they become a compliance hassle, but they also discourage businesses’ freedom to navigate the new mammoth regulation.

While the Bill has raised a lot of questions and has initiated a few problematic sector-specific policies (like the draft national e-commerce policy), the silver lining is that it has revived debate on the topics of privacy and data protection. Given the variety of stakeholders whom this issue impacts, these debates must be encouraged, alternative suggestions must be evaluated, and an enduring law must be achieved.