
Evaluate the Data Protection Bill on the basis of the Justice Srikrishna Report

Background: For a long time in India, both the private sector and the state have operated in
more of an unregulated space, without any sort of measures to protect the privacy interests of
the citizens. The Government of India constituted a committee headed by Justice Srikrishna,
which submitted its report on personal data protection to the parliament. Shortly after that, the
government introduced the Personal Data Protection Bill, 2019, in the Lok Sabha on December
11, 2019, incorporating a few of the principles of personal data protection recommended by
the Justice Srikrishna Committee.

The Justice Srikrishna Committee recommended setting up a Data Protection Authority to
“protect the interests of data principals” (persons whose personal data is being processed),
prevent misuse of personal data and their relation with corporations, governments or anyone
else processing personal data (known as “data fiduciaries”). The obligations on data fiduciaries
include conducting audits and ensuring they have a data protection officer and grievance
redressal mechanism – the Authority will need to publish Codes of Practice on all these points.
The Authority shall have the power to inquire into any violations of the data protection regime,
and can take action against any data fiduciaries.

The Committee recommended that any kind of processing (which includes collection,
recording, analysis, disclosure, etc.) of personal data should be done only for “clear, specific and
lawful” purposes. Only that data which is necessary for such processing is to be collected from
anyone. However, it also allows processing of Personal Data for “Functions of the State”. The
report mentions three kinds of scenarios where consent may not be required—where it is not
appropriate, necessary, or relevant for processing. The report goes on to give an example of
inappropriateness. In cases where data is being gathered to provide welfare services, there is
an imbalance in power between the citizen and the state. Having made that observation, the
committee removes the need for consent altogether under Section 13. It is left up to the
government to decide what kind of personal data it may use, if it is considered necessary for
any function of Parliament or State Legislature. Examples include the provision of services and
the issuing of licenses. It also allows the government to use personal data for what it deems to be
an act of prevention of offence and ‘contravention of law’. However, the report does imply that the
government has to adhere to the Supreme Court’s privacy judgement in 2017, which mandates
the government to declare a specific objective for collecting private data, the authorities
ordering this and what procedures it will follow.

The committee recommends giving “data principals” the ‘right to be forgotten’. This means
they will be able to restrict or prevent any display of their personal data once the purpose of
disclosing the data has ended, or when the data principal withdraws consent from disclosure of
their personal data. It also gives data principals the right of correction and confirmation of the
held data.

Another key aspect of the recommendation is Data Localisation. It states that critical personal data
will only be processed in India. Also, personal data will need to be stored on servers located
within India, and transfers outside the country will need to be subject to safeguards. It also
mentions that cross-border transfer of data would require model contract clauses.

Another recommendation made by the committee states that processing of sensitive personal
data requires explicit consent. This is the kind of data which includes passwords, financial data,
sexual orientation, biometric data, religion or caste. For example, if you disclose your religion in a
survey after being told it would be used to assess the number of people with the same religious
identity in a particular place, that data cannot then be sent to an advertising agency to send you
targeted ads, as this is different from the purpose you had agreed to.

The Personal Data Protection Bill (PDPB), 2019

The bill in its current form has been revised many times. It proposes to create an
independent new Indian regulatory authority, the Data Protection Authority (DPA), whose job
will be to protect the personal data of Indian citizens. However, it mentions that the selection
committee of the DPA will consist of the cabinet secretary, two secretaries to the government,
and others, which implies that it is not an independent body. The bill gives the DPA the power
to fine any business that does not comply with the bill or the regulations made by either the
DPA or the government. There are two tiers of penalties and compensations: (1) failure of the
data fiduciary to fulfil its obligations for data protection may be punishable with a penalty
which may extend to Rs.5 crores or 2% of its total worldwide turnover of the preceding financial
year, whichever is higher; (2) processing data in violation of the provisions of the PDPB is
punishable with a fine of Rs.15 crores or 4% of the annual turnover of the data fiduciary,
whichever is higher. Re-identification and processing of de-identified personal data without
consent is punishable with imprisonment of up to three years, or fine, or both.

The Bill proposes processing of data by fiduciaries only if consent is provided by the individual.
There are certain exceptions provided under which Personal Data can be processed without
consent such as: (i) if required by the State for providing benefits to the individual, (ii) legal
proceedings, (iii) to respond to a medical emergency, (iv) employment related, (v) necessary for
reasonable purposes such as prevention of fraud, mergers and acquisitions, recovery of debt
etc.

The bill also gives the Central government the powers to exempt any agency from its
provisions. It states that the Central government can decide in the interests of “sovereignty and
integrity of India, the security of the State, friendly relations with foreign States, public order”
or “for preventing incitement to the commission of any cognizable offence relating to certain
conditions, direct that all or any of the provisions” of the Personal Data Protection Bill would
not apply to “any agency of the Government”. It is stated: “The central government has the
power to exempt any agency of the Government from applicability of the Act if it is necessary
for: 1. the interest of sovereignty and integrity of India, the security of the State, and friendly
relations with foreign states, 2. for preventing incitement to commission of any cognisable
offence relating to the above matters.”

The Bill proposes to establish a three-tiered structure:

● Personal data: Under the Bill, no localization or data transfer restrictions apply to
personal data that is not considered “sensitive” or “critical.” This type of personal data
may be stored entirely outside of India and no transfer restrictions would apply. The
provision on data localisation has been diluted and restrictions are now imposed only on
“sensitive personal data” and any data notified as “critical personal data.”
● Sensitive personal data: Under the Bill, “sensitive personal data may be transferred
outside of India, but such sensitive personal data shall continue to be stored in India.”
Data fiduciaries must also obtain “explicit consent” in addition to making use of it.
Notably, passwords have been removed from the definition in this draft of the Bill.
● Critical personal data: The bill proposes that all “critical” information related to
individuals will be stored and processed only in India, while all “sensitive personal data”
has to be stored in the country but can be processed outside subject to certain
conditions. The Bill permits the government to define certain personal data as “critical
personal data,” without providing any limitation on the government’s power to make
such designation; critical personal data generally may not be transferred outside of India. However,
the Bill creates an exception to this strict localization requirement for transfers to
countries or organizations deemed to provide an adequate level of protection (and
where the state’s security or strategic interests will not be prejudiced), or in limited
circumstances to protect vital interests.

Lastly, non-personal data has found its way into the text of the revised bill. Under the bill, the
government can require any business to share valuable non-personal data (such as aggregate
mobility data collected by apps like Google Maps or Uber) with the government to frame any
policies that would benefit India's digital economy, so long as it did not concern personal data.
It goes on to state that the government, in consultation with the Data Protection Authority (DPA),
can direct any data fiduciary to hand over anonymised personal data or other "non-personal data"
for the purpose of “evidence-based policy making” with no clarity on what evidence-based
policy-making might entail. One can see this as a conflict between protecting the privacy of the
citizens and using citizens’ data for economic gain or for other hitherto unknown reasons by the
government, and a failure to meaningfully resolve this conflict has perhaps led to a delay.
