Data Localisation and the RTI Act: Why changes in the Srikrishna committee’s final draft are significant

On 27 July, almost a year after it was constituted, a committee of experts chaired by the former Supreme Court judge BN Srikrishna submitted its report and bill on the framework for India’s foremost law on data protection and privacy. Earlier this week, The Caravan accessed drafts of both the bill and the report. In one piece based on these drafts, I detailed how proposed amendments in the bill would strengthen the Unique Identification Authority of India—the parent agency of Aadhaar—and dilute the provisions of the Right to Information Act. Another piece revealed that the proposed data-protection bill would require the parliament to enact a law overseeing Indian intelligence agencies.

While the bill submitted by the Srikrishna committee is largely identical to the draft bill accessed by The Caravan, the few changes introduced in the final draft are startling—they take a nearly opposite position to that of the earlier draft. Some of these changes are positive. In the earlier draft of the bill, the first, second and third schedules appended to the bill, respectively, sought to amend the Information Technology Act of 2000, the Aadhaar Act of 2016, and the RTI act of 2005. As I wrote earlier, the amendments to the Aadhaar act sought to introduce a new offline verification system for Aadhaar without any prior public consultation, and conferred the UIDAI with a monopoly over legal proceedings arising out of the act. The final bill, however, omits the Aadhaar Act amendment altogether. It contains only two schedules—the amending acts to the IT act and the RTI act. While the amendment to the IT act proposes minor changes and has remained the same, the amendment to the RTI act has been altered significantly—also for the better. The final bill also modifies the provisions for non-consensual processing of data by the state.

But there are worrying changes as well: the final bill has modified the provisions concerning data localisation—essentially, that data-processing entities, termed data fiduciaries, would be required to store data or copies of it within the physical territory of India.