Data protection is the process of safeguarding important information from corruption, compromise or loss. Its importance increases as the amount of data created and stored continues to grow at unprecedented rates.
India is approaching a huge milestone with respect to having a statutory framework for privacy and data protection. A committee of experts headed by Justice B.N. Srikrishna has submitted its report along with a draft of the personal data protection bill. With emergence of data as a transactional entity in artificial intelligence (AI) applications, business decisions and personal lives, the committee delineates the rights of data principals—to whom personal data relates—and responsibilities of data fiduciaries who decide the purpose and means of processing this data.
Globally, too, there have been interesting developments. The framework on data protection recently implemented in the European Union (EU), that is, General Data Protection Regulation (GDPR), allows people to reduce the information tracks left behind while surfing the Internet and social media websites, reading news or shopping online. Individuals will now have the rights to confirmation, correction, portability and deletion of data that companies hold on to.
To meet GDPR’s requirements, many companies are deploying large teams to refurbish how they give users access to their own privacy settings and to redesign certain products that may have drawn up too much user data.
Japan has passed a data protection law and established an independent online privacy board. Japan and the EU are in the process of finalising a data transfer deal.
South Korea, too, is considering implementing new privacy rules, while Israel has revised requirements for disclosures of data breaches.
Vast amounts of personal data being collected by private companies and state agencies, its flow across national jurisdictions and absence of a data protection legal framework in India have caused deep concern for long. This has been even more so because, in many cases, individuals whose data have been used and processed are oblivious to the purpose for which they are being harnessed.
For example, it was reported that UK-based political consulting firm Cambridge Analytica harvested profiles of up to 50 million Facebook users without their approval during the last US elections. Facebook chief Mark Zuckerberg made the revelation that data of over 87 million users was shared with Cambridge Analytica and that 562,000 people in India were potentially affected by this global data leak crisis. This revelation raised widespread privacy concerns in India, since a similar breach could sway the upcoming state and general elections in the country.
In the wake of Facebook-Cambridge Analytica scandal, Reserve Bank of India (RBI) found that only a handful of payment system operators in India and their outsourcing partners were storing user data in the country, either partially or completely. The RBI held that the payment ecosystem in India had expanded considerably, making it necessary to ensure the safety and security of data through its localisation.
To correct the situation, the RBI mandated, in April 2018, that all payment companies must store their data within India. And they must comply with this norm within six months.
In June 2018, the finance ministry suggested that a possible solution could be to allow companies to store their data offshore as long as a copy was kept in India. In its draft bill, the committee recommended that critical personal data only be stored in servers located within the country, so that data localisation could help protect the rights of users and prevent foreign surveillance.
The Indian government has had reservations over WhatsApp’s data storage policies, too. It believes that WhatsApp is not following two-factor authentication, and that it is sharing data with its parent company, Facebook. The government is not granting clearance to WhatsApp to launch its payment service unless it sets up an office and recruits a team in the country. It is also prioritising on curbing fake news on its platform.
WhatsApp’s payments feature is built on Facebook’s payments infrastructure. A significant issue is RBI’s directive on data storage, which mandates that all user payment data be stored within the country.
Recently, Justice Srikrishna’s committee on data protection submitted a report and a draft bill to the government. The draft bill lays down the rights of data principals (Indian citizens), proposes the creation of a data authority to enforce the act and sets penalties for violations by data fiduciaries (public and private sector entities that collect, process and store data). This draft may be modified by the government before being sent for the Cabinet’s approval and introduced in the Parliament.
Proposed data protection authority of India
The draft bill lays down that, to enforce the law, the Central government, by way of a notification, must set up Data Protection Authority (DPA) of India with five-year terms. The authority will have the power to monitor and enforce the provisions of the data protection bill and fill some of the gaps between the bill’s vision and actual regulation. The chairperson would be appointed by the Central government on the recommendation of a panel headed by the Chief Justice of India.
The DPA will have immense regulatory power to regulate data protection across multiple sectors, such as telecom, banking, medical services and so on, with the authority to make binding rules, non-binding codes of practice for these sectors and to enforce these rules. Broadly, it will perform the functions of monitoring and enforcement, legal affairs, policy and standards setting, research, awareness and inquiry, and grievance handling and adjudication.
The DPA will also have the power to issue directions, call for information, launch inquiries, levy penalties, and even temporarily suspend or discontinue the business activity of a data fiduciary or data processor in case of gross violation of the provisions of the draft law. Penalties may be imposed on data fiduciaries, and compensations may be awarded for violations of the data protection law.
The draft bill calls for a separate appellate tribunal to be set up to hear appeals made against DPA orders. The head and members of this tribunal will be subject to rules of qualifications, term of office and renewal as framed by the Central government.
Jurisdiction of the proposed law
According to the proposal, the law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India. However, in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on businesses in India or any other activities, for example, profiling that could cause privacy harms to data principals in India.
Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies under Indian law will be covered, irrespective of where it is actually processed. However, the data protection law can empower the government to exempt companies that only process personal data of foreign nationals not present in India.
The law will not have a retrospective application, and will come into force in a structured and phased manner. Without such an enabling law, exemptions provided in the bill will fall short of securing accountability from the state for activities such as dragnet surveillance.
Consent for collection and processing of personal data
The draft bill defines data in two different ways: personal data, which is data about or related to a natural person (an all-encompassing tag of sorts) and sensitive personal data, which includes health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political beliefs.
The DPA will have the residuary power to notify further categories in accordance with the criteria set by law.
Data fiduciaries will be required to obtain consent for collection and processing of personal data, which should be informed, specific, clear and capable of being withdrawn.
For sensitive personal data, consent standards would be higher and more detailed. For instance, data fiduciaries will have to make sure that the individual is given the choice of separately consenting to the use of different categories of sensitive personal data relevant to processing, and that the individual understands that processing of this data may have significant consequences for him or her.
For consent to be valid, it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will need to be explicit and be the lawful basis for processing of personal data.
However, the law will apply a product liability regime to consent, thereby making data fiduciaries liable for harms caused to data principals. Data principals below 18 years of age are to be considered as children. Data fiduciaries will have a general obligation to ensure that processing is undertaken keeping the best interests of the children in mind.
Further, data fiduciaries capable of causing significant harm to children are to be identified as guardian data fiduciaries. All data fiduciaries (including guardian data fiduciaries) are to adopt appropriate age verification mechanism and obtain parental consent.
Further, guardian data fiduciaries, specifically, shall be barred from certain practices. The ones exclusively offering counselling services or other similar services will not be required to take parental consent.
Individuals’ rights with regards to their data
The draft bill lists out a host of rights that individuals will have with regards to their data. These include the following:
- The right to confirmation: Is a company or government department using my data?
- The right to correction: Correction, completion or updating of inaccurate personal data.
- The right to portability: As an example, can I force MakeMyTrip to give me my order history data and before giving it to Cleartrip?
- The right to be forgotten: Can I ask Google to delete a search result about me?
However, the bill does not lay down the golden principle of allowing individuals to be the true owners of their own data. There is no right to erasure, only a limited right to be forgotten. The liability for withdrawal of consent is placed on the individuals in question.
Under data principal rights, the right to confirmation, accession and correction is to be included in the data protection law. The report has set out reasons that the law may not provide the right to data portability (subject to limited exceptions), right to object to processing, right to object to direct marketing, right to object to decisions based on solely automated processing and right to restrict processing.
Data localisation requirement
The Ministry of Telecom believes that data belonging to Indians should reside within the country, and its analysis should not happen overseas. This will help meet the need for personal data of citizens to be in safe hands and ensure data protection. It maintains that data is personal and there is a paramount need for privacy. It is essential that this data is available to Indians and Indian companies.
India needs to look carefully at who has access to people’s data, what they can do with it and what returns Indians will get from it. Understanding how other countries are working on their data protection policies will help in forming a blueprint for India.
The US has its own data and other peoples’ data as well. China has built its digital economy, its search engines and machines on the back of its own data. However, this requirement also creates hurdles for vendors.
The committee has articulated a set of principles to guide data collection and processing so that it is at par with global best practices. The government needs to look at weaving in the recommendations on data privacy by Telecom Regulatory Authority of India (TRAI) to safeguard the interests of the telecom sector.
The draft bill states that all data fiduciaries must ensure the storage of at least one serving copy of personal data, to which this act applies, on a server or data centre located in India. It implies that private companies, which deal with personal data of Indian citizens, will have to store a copy of that data in India. This will have significant consequences for MNCs who store data of their Indian users primarily in a foreign country.
Additionally, the bill lays out that the DPA must decide if data breaches are to be disclosed to affected users. Currently, Indian companies and government agencies are quite lax about security standards. Affected users must have a legal right to know if their data has been compromised, as is the practice followed in developed countries.
The draft bill lays down rules on how companies and the government should be treated if they are found to have committed offences under the act—two primary offences being obtaining/selling of data contrary to the act, and re-identification and processing of de-identified data.
While at present, government departments are being let off lightly for leaking personal data, the draft bill notes that if any offence is committed by a department of the Central or a state government, the head of the department or authority shall be deemed to be guilty. This will ensure that the blame is not passed off onto a lower-level government officer.
Protection provided to individuals
The bill provides individuals new protections to control what data about them is collected, stored and processed. Companies and the government can no longer collect, store and use personal data with impunity. One feature that will change is the way in which consent is obtained by websites visited. On these websites, the terms and conditions for rendering online services are quite convoluted and confusing. Even if the user chooses Agree, the company cannot argue that it is shielded from liability, just because it sought consent.
Such legalese will be rendered as violating the bill’s requirement that consent be clear, specific and informed. Even when an individual consents, and irrespective of what he or she consents to, both companies and the government will not be free to do as they like with the individual’s data. They must have a specific purpose for processing it, and they will be allowed to collect only the data necessary for that purpose (this is a collection limitation).
They cannot use or share it for purposes beyond what is necessary for the service (purpose limitation) either. For example, Torchlight app cannot ask for an individual’s location data. Even the government is required to demonstrate that any processing of biometric data is strictly necessary. In general, they are required to delete the individual’s data when it is no longer necessary to satisfy the purpose for which it has been collected and processed.
Similarly, the government is required to ensure that data is up to date to provide people a service they are entitled to. Under the Data Protection Bill, entities are required to ensure quality of data, so that individuals are not disadvantaged by inaccurate records. While the Data Protection Bill gives to individuals new protections to control what data about them is collected, stored and processed by companies, in reality this control may be deceptive for the majority of the population that relies on government services.
The Data Protection Bill exempts the government from seeking individual consent anytime it is delivering a service or benefit, or providing a licence or certification. Even if it did, the Data Protection Bill is clear that all consequences of withdrawing consent fall on the user.
When an individual gives his or her personal data to a railway ticket booking website, he or she expects it to be used only to book the railway ticket and not to be used for any other purpose, irrespective of what the legalese-filled consent form might contain. This is because the relationship between the individual and the website is based on trust. The individual expects data provided to be used in a certain way and trusts that the entity will do so.
Today, individuals agree to long consent forms on smartphones while downloading apps without really knowing what they are agreeing to. As an example, an app that is meant to provide a taxi for hire can read messages or look at contacts.
The Data Protection Bill addresses this anomaly by introducing principles of collection and defining purpose limitations. Entities will only be allowed to collect information necessary for their service. Also, purposes for which such information is to be used needs to be clearly communicated.
Once a user’s username and password is known, whoever has these can engage in various harmful activities. Companies are employing unique and high-technology system defenders called user behaviour analytics (UBA) that enable detection of any suspicious activity by identifying deviant behaviour or by comparing behaviour within a peer group. In addition, UBA is used as a valuable tool for training employees for improved security practices.
The report and the draft legislation on data protection submitted by Justice Srikrishna’s committee of experts provide a sound foundation on which India’s legal framework can be built upon. It seeks to codify the relationship between individuals and firms/state institutions as one between data principals (whose information is collected) and data fiduciaries (those processing the data), so that privacy is safeguarded by design.
Justice Srikrishna has expressed that data privacy is a burning issue, and there are three parts to the triangle. The citizen’s rights have to be protected, responsibilities of the states have to be defined but data protection cannot be at the cost of trade and industry.
The draft legislation draws inspiration from GDPR, the framework on data protection implemented in the EU. The report envisages creation of a regulatory DPA of India to protect the interests of principals and to monitor the implementation of the provisions for enabling data protection legislation.
Taken together, the draft Data Protection Bill and the report mark a significant step forwards, but there are some grey areas. Exemptions to state institutions from acquiring informed consent from principals or processing personal data in many cases are too broad, such as those pertaining to the security of the state. These are hold-all phrases, and checks are vital. The report recommends a law to provide for parliamentary oversight and judicial approval of non-consensual access to personal data.
As per the draft bill, data fiduciaries should collect only required data from an individual, state the purpose of its use explicitly and store it only for as long as it is required. Citizens and Internet users will have the final say on how and for what purpose their personal data can be used. They will also have the right to withdraw consent. There will be the option of right to be forgotten, subject to certain conditions.
Some of the committee’s recommendations have raised concerns among interested parties. These include the move to restrict cross-border flow of personal data, mandating storing critical personal data within the country and criminal prosecution along with stiff penalties against those violating data privacy rules. Also, the draft grants the government the discretion to identify what critical personal data is.
The report suggests amendments to the Aadhaar Act from a data protection perspective to deal with enforcement action and individual remedies. The draft Data Protection Bill is to be tabled in the Parliament after holding consultations with different ministries, industry representatives and the public, and obtaining approval from the Cabinet.
Even as India sees impressive growth in smart Internet users and the e-commerce market, it is Big Data companies like Google, Amazon and Facebook that have more control over the country’s digital ecosystem. It would be desirable to hammer in the principle that, while business and technology are global, data is fundamentally local.
This is in contrast to the practice followed by Amazon in the US where, while disclosing user data to the government, the company also publishes a transparency report, which includes the number of government requests it has received, how many of these were answered fully or partially, along with queries it refused to answer legally.
Deepak Halan is associate professor at School of Management Sciences, Apeejay Stya University