Data Localisation and the RTI Act: Why changes in the Srikrishna committee’s final draft are significant

While the bill submitted by the Srikrishna committee is largely identical to the draft bill accessed by The Caravan, the few changes introduced in the final draft are startling—they take a nearly opposite position to that of the earlier draft. PIB

On 27 July, almost a year after it was constituted, a committee of experts chaired by the former Supreme Court judge BN Srikrishna submitted its report and bill on the framework for India’s foremost law on data protection and privacy. Earlier this week, The Caravan accessed drafts of both the bill and the report. In one piece based on these drafts, I detailed how proposed amendments in the bill would strengthen the Unique Identification Authority of India—the parent agency of Aadhaar—and dilute the provisions of the Right to Information Act. Another piece revealed that the proposed data-protection bill would require the parliament to enact a law overseeing Indian intelligence agencies.

While the bill submitted by the Srikrishna committee is largely identical to the draft bill accessed by The Caravan, the few changes introduced in the final draft are startling—they take a nearly opposite position to that of the earlier draft. Some of these changes are positive. In the earlier draft of the bill, the first, second and third schedules appended to the bill, respectively, sought to amend the Information Technology Act of 2000, the Aadhaar Act of 2016, and the RTI act of 2005. As I wrote earlier, the amendments to the Aadhaar act sought to introduce a new offline verification system for Aadhaar without any prior public consultation, and conferred the UIDAI with a monopoly over legal proceedings arising out of the act. The final bill, however, omits the Aadhaar Act amendment altogether. It contains only two schedules—the amending acts to the IT act and the RTI act. While the amendment to the IT act proposes minor changes and has remained the same, the amendment to the RTI act has been altered significantly—also for the better. The final bill also modifies the provisions for non-consensual processing of data by the state.

But there are worrying changes as well: the final bill has modified the provisions concerning data localisation—essentially, that data-processing entities, termed data fiduciaries, would be required to store data or copies of it within the physical territory of India.

The draft bill proposed to amend Section 8(1)(j) of the RTI act, which accounted for the right to privacy by allowing public information officers to withhold “personal information ... which has no relation to any public activity or interest.” The proposed amendments would have put an exponentially higher burden on the request for such a disclosure of personal information, mandating that it fulfil a three-fold requirement. It proposed that information could be disclosed only if: it related to a function of a public authority and required the maintenance of transparency and accountability; the disclosure was “necessary to achieve the object of transparency”; and any potential harm to the concerned individual from the disclosure would be outweighed by the interest of transparency. The amendment in the final data protection bill, however, has largely remained the same as the provision in the 2005 RTI act, and adds a clause stating that the disclosure of information would be “notwithstanding anything in the Personal Data Protection Act, 2018”—effectively, that a disclosure under the RTI act would not be constrained by the proposed data protection law. The draft bill contained no such provision.

This change has come against the backdrop of an on-going public discussion on the possible dilution of the RTI act itself. Civil-society activists have raised concerns that the government’s suggested amendments to the RTI Act would be detrimental to its ultimate goals of transparency and accountability. The propositions of the earlier draft of the data protection bill would have further weakened the act, and their removal appears to recognise the need to balance privacy with public accountability.

In its chapter on the grounds for processing data, the draft bill also provided the possibility of non-consensual processing, including some alternatives to consent. As per the draft bill, the state would have been empowered to process sensitive personal data without obtaining the consent of the concerned individuals in certain scenarios. If the state was required to process any sensitive personal data for “the provision of any service or benefit,” the draft bill allowed it to do so without obtaining consent, if gaining explicit consent involved “disproportionate effort.” But for specified kinds of sensitive data, namely financial access data and caste or tribe data, the earlier draft said that the non-consensual processing of data for functions of the state is only permissible if it is “strictly necessary.” In the final bill, this provision has been modified to say that all non-consensual processing of personal data for functions of the state must be “strictly necessary.” However, it is no longer necessary for the state to demonstrate that seeking consent would have involved “disproportionate effort.”

Data-localisation was one of the most hotly debated subjects in lead up to the submission of the Srikrishna committee’s bill. According to the committee’s final report, “A policy of storage and processing of personal data within the territorial jurisdiction of a country is advocated to ensure effective enforcement and to secure the critical interests of the nation state.” It adds that these “critical interests” concern issues of economic growth by compelling companies storing data abroad to create local infrastructure, making law enforcement easier by facilitating access to data, and preventing foreign intelligence agencies from gaining access to local data. On the other hand, the principle of data localisation contradicts the ideal of a seamless worldwide internet, imposes additional costs and burdens on data fiduciaries to set up data centers in India, and creates potential barriers to trade, such as prohibitive costs. Evidently, the arguments in favour of localisation prevailed over those against.

According to the final bill, every data fiduciary is mandated to store at least one copy of all personal data being “processed”—a generic term used to describe the storage, use, or sharing of data—on a server located in India. (In the bill, the phrase “personal data” refers to any information that may be used to directly or indirectly to identify an individual.) The bill also grants the central government discretion to notify categories of data as “critical personal data,” which can only be processed in India. Additionally, the central government may also notify certain kinds of data to be exempt from the requirement for a copy to be kept in India. However, this exemption is not applicable to “sensitive personal data,” which includes information such as an individual’s sexual orientation, caste and religion, financial data, health data, genetic data, and biometric data.

Pertinently, the draft bill prescribed a significantly different standard for such cross-border transfer of data. It only mandated data fiduciaries to maintain a copy of sensitive personal data within the territory of India, unlike the final bill, which proposes such a requirement for all data. The draft bill had defined an inclusive list of critical personal data that was required to be stored in India—it comprised health data, official identifiers (such as Aadhaar), biometric data, genetic data, and any other data notified by the central government. This shift is significant—the final bill makes it necessary for fiduciaries to store a copy of all data, including personal data, within India. Moreover, the final bill provides no clarity on or illustrative examples of what the government may classify as “critical personal data.”

The Srikrishna committee’s recommended data-localisation obligations in the final bill invited criticism from among the committee members themselves—two members, Rama Vedashree and Rishikesha T Krishnan submitted dissenting notes that have been appended to the report. Vedashree, the chief executive officer of the Data Security Council of India—an industry body working on issues of cyberspace—wrote that the committee’s approach was “not only regressive but against the fundamental tenets of our liberal economy.” She adds that the committee “projects localisation as tool for domestic market development,” but that “this narrative seems fuelled by unfounded apprehensions and assumptions, rather than evidence and reasoning.” Krishnan, the director of the Indian Institute of Management at Indore, noted that the obligations under the bill are “against the basic philosophy of the Internet and imposes additional costs on data fiduciaries without a proportional benefit in advancing the cause of data protection.”

Among all these changes, it is worth noting that several promising aspects of the bill have remained unchanged. For instance, both drafts of the bill contain the same provisions regarding the strong data-protection obligations under the bill, the high requirements of consent, and the extensive classification of sensitive personal data. It is also promising to see that the proposed surveillance reform has not been diluted in the final bill—if implemented effectively, the recommendations could potentially alter the foundation of India’s intelligence establishment. Beyond surveillance as well, despite its shortcomings, the Srikrishna committee’s recommendations include several progressive suggestions—an effective consultation process coupled with the necessary political will could give India a robust data-protection framework.