On 27 July, a committee of experts, chaired by the former Supreme Court judge BN Srikrishna, released a bill and report that forms the framework for India’s first comprehensive law on privacy and data protection. The Srikrishna committee’s recommendations have been released nearly a year after the constitution of the committee and the Supreme Court’s landmark judgment in KS Puttaswamy v Union of India, in which the court recognised privacy as a fundamental right guaranteed by the Constitution.
This year has witnessed troubling and important developments on issues of privacy and the disclosure of personal data. The relentless expansion of the Aadhaar programme has demonstrated the scale and coercive nature of data collection by the state, as well as the opacity of its security practices. Multiple news reports have revealed large-scale public disclosures of personal data and the fragile distinctions between public and privately-held data.
The Srikrishna committee bill will fundamentally reshape the relationships between users and the companies and government entities that they entrust with their data. It introduces obligations on all entities that process personal data and gives a broad definition to “data processing,” which encompasses the collection, use, sharing, and storage of personal data. All legal entities that process data, which may include the state, private companies, and individuals, are identified in the bill as “data fiduciaries,” and must generally demonstrate that they have obtained the consent of the concerned individual, identified as the “data principal.”