On 27 July, a committee of experts, chaired by the former Supreme Court judge BN Srikrishna, released a bill and report that form the framework for India’s first comprehensive law on privacy and data protection. The Srikrishna committee’s recommendations have been released nearly a year after the constitution of the committee and the Supreme Court’s landmark judgment in KS Puttaswamy v Union of India, in which the court recognised privacy as a fundamental right guaranteed by the Constitution.
This year has witnessed troubling and important developments on issues of privacy and the disclosure of personal data. The relentless expansion of the Aadhaar programme has demonstrated the scale and coercive nature of data collection by the state, as well as the opacity of its security practices. Multiple news reports have revealed large-scale public disclosures of personal data and the fragile distinctions between public and privately-held data.
The Srikrishna committee bill will fundamentally reshape the relationships between users and the companies and government entities that they entrust with their data. It introduces obligations on all entities that process personal data and gives a broad definition to “data processing,” which encompasses the collection, use, sharing, and storage of personal data. All legal entities that process data, which may include the state, private companies, and individuals, are identified in the bill as “data fiduciaries,” and must generally demonstrate that they have obtained the consent of the concerned individual, identified as the “data principal.”
While this bill marks a significant step towards the protection of data privacy in India, certain aspects of it are unsettling. For instance, in specified scenarios, it creates an exemption for government authorities from obtaining the consent of concerned individuals for both personal and sensitive personal data. Moreover, the exemption suffers from a lack of clarity about the different standards that are applicable to the processing of sensitive and non-sensitive data. For sensitive data, the bill requires the government to demonstrate that the processing is “strictly necessary,” but in the absence of a clear definition of what this means, it isn’t hard to see how this provision might be routinely abused in the course of service delivery.
The bill imposes a range of data protection obligations on data fiduciaries, in consonance with the widely celebrated General Data Protection Regulation of Europe. These include a “collection limitation,” which prevents the collection of data beyond the specific function being carried out, and a “purpose limitation,” which prevents the use of collected data for purposes that are not “clear, specific and lawful.” Additionally, the bill puts limitations on how long data can be stored, imposes obligations for ensuring the security of personal data, and directs data fiduciaries to undertake measures to ensure accountability. It further places an overarching obligation on all fiduciaries to process personal data in a “fair and reasonable manner that respects the privacy” of the individual concerned.