In a watershed moment for India’s law on privacy and data protection, in August last year, nine judges of the Supreme Court unanimously held that the right to privacy was a fundamental right. The judgment came less than a month after the union government constituted a committee chaired by the former Supreme Court judge BN Srikrishna, to formulate a data-protection law for India. But the Srikrishna committee has since received criticism for its opaque functioning and its refusal to disclose the contents of the bill. Though the committee has not announced when it will release the draft bill, The Caravan has accessed the draft, titled “The Protection of Personal Data Bill, 2018.” The Caravan also accessed a draft of the Srikrishna committee’s report on the proposed legal framework for the protection of privacy and data in India.
In an earlier piece, I detailed the amendments that the bill proposes to the Right to Information Act of 2005 and the Aadhaar Act of 2016. The proposed amendments, if introduced, are likely to weaken the RTI act, and to strengthen the Unique Identification Authority of India’s monopoly over any legal action arising out of the Aadhaar act. While these are worrying consequences, other aspects of the draft bill may bring welcome change to the status quo. For instance, it proposes significant exemptions from data-protection obligations for intelligence agencies. In this regard, the bill makes an unprecedented proposition—compliance with the proposed data-protection bill would require the parliament to enact a law that will oversee India’s intelligence agencies and intelligence-gathering mechanisms. The draft report states that such a law “should provide for both parliamentary oversight as well as judicial pre-approval of all requests for non-consensual access to personal data and metadata.” It would take considerable political will, but if implemented well, the Srikrishna committee’s recommendations could fundamentally alter the functioning of intelligence agencies in India.
In order to understand the significance of these exemptions, it is necessary to first examine the obligations imposed on those entities that are not exempted and would be processing personal data. In the draft bill, the phrase “personal data” refers to any information that may be used to directly or indirectly identify an individual. It defines “processing” to incorporate a wide range of activities, including the collection, use and storage of personal data. With this broad ambit, the Srikrishna committee proposes several obligations to ensure the protection of personal data, and imposes a high standard for the nature of consent required for its processing.
These requirements, however, are not absolute—the committee proposes to grant a partial exemption for certain scenarios of data processing. But pertinently, the proposed exemptions are not absolute either—the bill mandates that all entities dealing with personal data ensure that it is processed in a fair and reasonable manner that respects the privacy of the concerned individual.
The legislative intent behind the regulations on data processing is to prevent any harm to the individual in question, identified as the “data principal.” According to the draft report, “the cornerstone of such regulation is the consent of the data principal.” In this regard, the bill mandates a framework for consent that is described in the report as “notice-and-choice”: the entity or individual seeking to process any personal data, or the “data fiduciary,” must inform the data principal about how their data would be used, and seek express affirmative consent to do so beforehand.