The Srikrishna committee’s data-protection bill does not do enough to hold the government accountable for use of personal data

On 27 July, a committee of experts, chaired by the former Supreme Court judge BN Srikrishna, released a bill and report that forms the framework for India’s first comprehensive law on privacy and data protection. The Srikrishna committee’s recommendations have been released nearly a year after the constitution of the committee and the Supreme Court’s landmark judgment in KS Puttaswamy v Union of India, in which the court recognised privacy as a fundamental right guaranteed by the Constitution.

This year has witnessed troubling and important developments on issues of privacy and the disclosure of personal data. The relentless expansion of the Aadhaar programme has demonstrated the scale and coercive nature of data collection by the state, as well as the opacity of its security practices. Multiple news reports have revealed large-scale public disclosures of personal data and the fragile distinctions between public and privately-held data.

The Srikrishna committee bill will fundamentally reshape the relationships between users and the companies and government entities that they entrust with their data. It introduces obligations on all entities that process personal data and gives a broad definition to “data processing,” which encompasses the collection, use, sharing, and storage of personal data. All legal entities that process data, which may include the state, private companies, and individuals, are identified in the bill as “data fiduciaries,” and must generally demonstrate that they have obtained the consent of the concerned individual, identified as the “data principal.”

While this bill marks a significant step towards the protection of data privacy in India, certain aspects of it are unsettling. For instance, in specified scenarios, it creates an exemption for government authorities from obtaining the consent of concerned individuals for both personal and sensitive personal data. Moreover, the exemption also suffers from a lack of clarity about the different standards that are applicable to the processing of sensitive and non-sensitive data. For sensitive data, the bill requires the government to demonstrate that the processing is “strictly necessary,” but in the absence of a clear definition of what this means, it isn’t hard to see how this provision might be routinely abused in the course of service delivery.

The bill imposes a range of data protection obligations on data fiduciaries, in consonance with the widely celebrated General Data Protection Regulation of Europe. These include a “collection limitation,” which prevents the collection of data beyond the specific function being carried out, and a “purpose limitation,” which prevents the use of collected data for purposes that are not “clear, specific and lawful.” Additionally, the bill puts limitations on how long data can be stored, imposes obligations for ensuring the security of personal data, and directs data fiduciaries to undertake measures to ensure accountability. It further places an overarching obligation on all fiduciaries to process personal data in a “fair and reasonable manner that respects the privacy” of the individual concerned.

The bill makes distinctions between four types of data with varying levels of restrictions and requirements around consent. The first is non-personal data, which includes anonymised data or information that does not directly or indirectly identify an individual. The second is personal data, meaning information “relating to a natural person who is directly or indirectly identifiable,” including any traits, characteristics or attributes. The third category is sensitive personal data (SPD), which includes information that is “likely to cause greater harm, or harm of graver nature.” This includes information revealing an individual’s caste or tribe, religious or political belief, sex life, sexual orientation, transgender status, intersex status, financial data, health data, official identifiers—such as Aadhaar—genetic data, and biometric data. The last category, critical personal data, is not explicitly discussed aside from one mention in the bill stating that the government reserves the right to define this term in the future, and requires such data to be stored and processed only in India.

The SPD list is both comprehensive and progressive, and goes beyond the categories identified in the existing rules under the Information Technology Act of 2000, which does not include religious belief, political belief, or transgender/intersex status. The classification of SPD is a feature of several data protection regimes globally, and reflects information that is especially intimate and carries an elevated risk of harm.

Taking into consideration this potential for harm, the bill mandates a higher standard of “explicit consent” to process SPD. Consent is well-defined in this bill and must fulfill five distinct criteria—it must be free, informed, specific, clear, and capable of being withdrawn. The bill also provides that the “the ease of such withdrawal is comparable to the ease with which consent may be given.” For consent to be considered “explicit,” the “data principal is given the choice of separately consenting to the purposes of, operations in, and the use of different categories of sensitive personal data relevant to processing.” For example, an individual could be given an option to allow the processing of Aadhaar-linked demographic information, such as name and address, but not their transgender status.

The bill proposes parallel regulatory regimes to govern the processing of data. Chapters III and IV of the bill, respectively, provide different grounds on which personal data and SPD may be processed. As per Section 7 of the bill, data can only be processed for any one of the grounds listed in the two chapters. In both chapters, consent is a primary ground on which data may be processed, with the higher standard of “explicit consent” for the processing of SPD. Additional grounds for processing are provided for specific situations, such as “compliance with law,” “compliance with the law or any order of any court,” or “prompt action”—all of which do not require a data fiduciary to obtain the consent of the data principal.

It is among these additional grounds for processing that the bill, despite its otherwise robust framework of consent and data protection, falls short. The bill allows for the state to process both personal data and SPD without the consent of the data principal for “any function of Parliament or any State Legislature,” or for a state function “authorized by law for the provision of any service or benefit to the data principal.” For the processing of personal data, the government authorities are also exempt from seeking consent while issuing any licenses, certifications, or permits by the state.

While the government authorities still have to demonstrate that the use of SPD is “strictly necessary” for the delivery of the service or benefit, this standard falls to “necessary” when they are processing personal data. However, the line between personal data and SPD can get blurry quickly. In a country where names and addresses more often than not reveal caste and religious identities, it is easy to see where these distinctions might crumble. Moreover, metadata—such as an individual’s location or even Aadhaar authentication history, which is not classified as SPD under the bill—can lead to comprehensive mapping of an individual’s personal life. This may include insights about sensitive information, such as visits to an HIV clinic or political party offices. As a result, a government agency may be held to a strict standard for processing information pertaining to the political party affiliation of an individual, but such information may be derived from personal data requiring minimal obligations for lawful processing.

This provision raises serious questions about the relationship between citizens and the state, and must be scrutinized in light of the Supreme Court’s right-to-privacy judgment. In Puttaswamy, the Supreme Court found that the right to privacy was embedded in the constitutional right to individual liberty. Is individual agency to consent, and withdraw such consent, not central to this notion of liberty? Indeed, these exemptions for the functions of the state are at odds with the rest of the bill, which is otherwise strong on consent. For example, the committee notes that consent, particularly of the “terms and conditions” variety, can be onerous on both the user and the entity seeking it. The solution is not to get rid of consent, the report notes, but rather to introduce simple, clear and accessible consent notices.  As the Srikrishna committee notes, the consent form should not be treated “as a means to an end, but rather as an end in itself.”

The committee’s justification for different standards for the state are manifold, with some reasons less defensible than others. The report notes that for “genuine consent” to be operationalised, “collective interests stand to suffer.” This argument requires interrogation—in an economy where government services increasingly compete in the same marketplace as private actors, such as schools, hospitals, payment systems and transportation, it is not clear why collective interest is necessarily harmed only when the state is the provider. The committee’s example for such harm refers to an individual refusing to consent to be part of an employment survey, and potentially “skewing the accuracy of the dataset.” This illustration does more harm than good to their case—would such surveys not already be covered by the exception carved out in the bill for research and statistics, and thus be anonymised? Even assuming it is not, if an individual hypothetically has a strong reservation to be counted in an employment survey—hypothetically, because they are the only sex worker in a particular sub-district—that is precisely the decisional autonomy that consent should facilitate.

But another justification noted in the committee’s report does raise a more valid concern about the operation of consent with the government. In several instances, the report notes that “the imbalance of power” between citizen and state would “affect the validity of the consent given.” This observation captures the essence of the debate around consent—for those that have few effective options, the option to withdraw consent may remain theoretical. As the committee notes, “the option available to a consumer in refusing an onerous contract and choosing another service provider is not available to a person seeking a welfare benefit from the state.” However, this argument only demonstrates that additional safeguards, beyond consent, are required—not that consent must be given up on altogether.

Given the disproportionate power of the state over those who are most dependent on it, the state should process the least amount of data necessary to provide the services and benefits authorised by law. In this regard, the collection limitation and the additional safeguard that processing needs to be “strictly necessary” are both important constraints on the government that must be respected. However, the standard for a non-consensual processing to be “strictly necessary” is not defined under the bill. Given the unique ability and incentive for the state to process more personal data than is necessary, a clear definition would place an important check on the state’s ability to put data at risk. For instance, a possible definition could be that it would be impossible for the state to provide the service without such processing such data.

Another noteworthy aspect of the bill is that it provides a separate ground for processing personal data “in compliance with a law.” If the processing of data by the government must be authorised by law, such processing would presumably be automatically permissible on this ground. It is not clear, then, why a separate ground for the functions of the state is necessary. According to the committee’s report, the exception for compliance with the law “restricts processing to mandatorily comply with the letter of the law,” whereas the provision permitting processing for the “functions of the state” grants a broader permission for processing in furtherance of the law where the state has been granted greater discretion. The committee’s report does not provide an adequate explanation for why this exercise of discretion warrants a separate ground for processing data without consent.

The Srikrishna committee does provide one critical check on the power of both the state and private companies: the Data Protection Authority of India. The DPAI is a proposed regulatory body that will oversee annual audits by “independent auditors” for all “significant data fiduciary.” The bill defines a “significant data fiduciary” according to a number of criteria, including the volume of data processed and potential for harm, and as a result, a large number of government agencies—including, notably, the Unique Identification Authority of India—will be subject to such requirements. The regulator is also empowered to impose penalties on the government and private companies, including, potential criminal liability for government servants and corporate executives in certain situations. It also creates an adjudicating wing that will be empowered to receive complaints, investigate offences, mete out penalties, and grant compensation.

Despite its shortcomings, the legal environment created by this bill is a very different one from the immunity with which the government accesses data today. There are significant new limits on the power of the state, but the lasting legacy of this bill should be to demonstrate that the state is not beyond seeking the consent of its citizens’ and that the overwhelming reliance on the Indian welfare state requires more, not less, protections against the infringement of rights.