Data Protection and Beyond

Background 

With over 460 million internet users, projected to grow to 636 million by 2021, India is the second largest online market in the world; internet penetration has grown from 10% in 2011 to 26% in 2018. With the substantial rise in storage, aggregation and processing of data and amidst mounting concerns over the privacy of citizens, the country is moving towards digital governance in a big way. The challenge is to balance the protection of citizens' rights with responsibilities of the states without hampering trade and industry.

Analysis 

Indian internet users are dropping data everywhere; from phone numbers, email ids to biometrics and sensitive documents, internet companies have been scooping up all the data uploaded onto popular networking sites. 

The companies may be retaining most of the information or sell it to third party agencies who misuse an individual’s data 

Justice Srikrishna feels that Aadhar card is an interesting case. He refers to the  ‘Puttaswamy’ judgement, a 200-300 paragraph judgement from the Supreme Court which says that although it is not enumerated in the Fundamental Rights, the right to data privacy is fast becoming an inalienable Fundamental Rights for Indian citizens. The court still maintained that not all rights are absolute and are subject to certain reservations. 

When it was being debated, the SC asked the government’s lawyers certain uncomfortable questions. How is it being implemented without a legislative act of parliament?

 Justice SK was called by the Law and Justice Minister Ravi Shankar Prasad to lead a commission to explore the contours of the privacy laws regarding Aadhar. It was an illogical string of events, as the Justice believes that the law should have been passed first then Aadhar should have been implemented. 

According to Justice Srikrishna, the commonly used phrase “Data is the new oil” is a misconstrued equation. Oil is property, in the sense that it can been sold by the owner of an oil well. However, data cannot be quantified as property in the sense that a person cannot sell his ‘data’ (name, id, numbers, physical attributes) to anyone else. 

The committee produced a white paper on the summary of the discussion and considerations of the committee, including a large number of public interactions. The report and draft bill where the two outputs of the committee, with the draft bill still held by the government before it struck into election mode. 

Preventive detention has been a contentious debate for a long time, articles 21 and 22 to prevent the immediately striking down of unlawful preventive detentions. One option was is could we use the PD to deal with data related crimes? 

The Next question Justice Srikrishna answered was how to define jurisdiction? Jurisdiction is a basic tenant of law and is very important to establish the powers of a court. Can we apply section 4 of the IPC to data? Whichever entity is registered in india, will be subject to the laws of the country. Data localization makes it easier to identify jurisdiction. 

The committee advocates keeping a copy of all user-generated data in servers located in India, to facilitate the easy withdrawal of required information through the prescribed methods under Indian law. This is called “Data Localization” as courts can exercise jurisdiction over data-related crimes if the servers are physically located in the country. 

The biggest false criticism regarding India’s decision to boost data localization is India lacking technical capacities (data centers to host so much information). The committee has refuted any claims of Indian infrastructure being inferior, and key global financial players like Citi Bank, Standard Chartered have already started to localize the storage of essential financial data.

Justice Srikrishna felt the European General Data Privacy Regulation (GDPR) adequacy test is a viable model for India to adopt. He also stressed on the importance of Data portability; much like the recently implemented mobile number portability capabilities in the country, data portability between different agencies, institutions and even individuals is a commercially viable system, although it is subject to technical feasibility. 

Then, he continued to discuss complex concepts like the Right to be Forgotten. It is a good example, but Justice Srikrishna stressed on how far can it be taken? Can a descended of Aurangzeb demand the erasure of his ancestor’s presence in history books? The right to be forgotten cannot be exercised in the manner in which the public believes it can be used.

He added that Consent to use data is the bottom line but the bottom line isn’t the end of the concerns.  “Thus far and no further” should be the motto of the adequacy test put into practice by the regulators. Justice Srikrishna brushed off concerns that the implementation of the Data Protection Act will ensue volatility, saying that a minimum of six months will be giving to establish the data regulators. Further, it will take an average of 2-2.5 years for the general public to feel the bite of the new Data Protection Act.

He continued to highlight the concept of joint liability, which should be established between the data principal (the origin of the data) and the data fiduciary (the agency/company which record the data) is required.

His last area of clarification was regards to the compensation in the aftermath of data theft or a similar crime. He quotes the GDPR regulation, which says the compensation should be a percentage of the revenue, and that an ad-hoc percentage could also be established based on x, y, z factors. He reiterated that the Criminal process takes over only after the repeated violation of the data user, keeping data theft under civil law violations for the near future. 

Finally, he opined that the Data Protection Act is too complex to be put forward before the parliament immediately, and it may go on to a select committee of the parliament before being introduced in the house. 

Assessment 

Our assessment is that the Justice Srikrishna committee report has the potential to shape India’s data protection laws for the foreseeable future if it is adopted word for word. We believe that Justice Srikrishna has been the neutral voice in the committee, providing valuable insights from his illustrious career in order to prevent the misuse of all the data collected so far by the government and private companies. We also feel that the government should strongly consider the suggested amendments in the report which deal with the complexities of legal and ethical boundaries for law enforcement agencies when dealing with user data.