All critical personal data on people in India should be processed within the country, Justice Srikrishna panel said on Friday.
The National Data Sharing and Accessibility Policy (NDSAP) was approved by the government in 2012.The policy is applicable to all shareable non-sensitive data available either in digital or analog forms but generated using public funds by various agencies of Government of India as well as of the states.
India presently does not have any express legislation governing data protection or privacy. However, the relevant laws in India dealing with data protection are the Information Technology Act, 2000 and the (Indian) Contract Act, 1872. A codified law on the subject of data protection is likely to be introduced in India in the near future. However, section 69 of the IT act empowers the government to intercept, monitor or decrypt any information including information of personal nature in any computer resource.
Recently,India’s telecom regulator, TRAI, recommended stricter rules for data protection to the Department of Telecom. TRAI Chairman R S Sharma said that the regulator will share its recommendations as inputs with the Justice BN Srikrishna Committee.
Facebook’s Cambridge Analytica scandal brought the issue of data privacy into the spotlight. Cambridge Analytica, a data mining organization and political consultancy, received the personal information of approximately 87 million Facebook users through a third-party app. Facebook is to be fined £500k by the UK’s ICO. India’s federal investigation agency is carrying out an investigation to determine whether personal data from Indian voters and Facebook users was compromised by the political consultant company Cambridge Analytica.
The panel, headed by former Supreme Court judge B.N. Srikrishna present a 213 page report that was released on Friday. The committee’s draft bill designed to enhance data protection will be presented in the parliament. The legislation is expected to affect how global companies store data in India.The recommendation comes at a crucial time when data breaches are becoming common globally and there is heightened scrutiny by governments on how companies handle user data.
According to the report,the panel said “personal data determined to be critical” will be subject to the requirement of being processed “only in India”. “The central government should determine categories of sensitive personal data which are critical to the nation,” the panel said, adding that there will be a prohibition against cross-border transfer of such data.
U.S. trade grounds and global technology firms showed a keen interest in the report by Justice Srikrishna panel. These companies fear that any stringent data localization directive by the government could alter their business models and raise costs.Moreover, companies such as Visa, Mastercard and American Express have been protesting against an Indian central bank directive which said in April that all payments data should be stored locally within six months.
When asked about how financial data should be stored, Justice Srikrishna said at a press briefing that the RBI had “jumped the gun”, adding that a new data protection law will “override” all other notifications and regulations on data storage.The report called for amendments to other laws, including the RTI. Though the bill does not explicitly mention it, the report does suggest changes to the Aadhar act.
The committee said it had combined the principles of individual ‘privacy’ with using data for ‘empowerment’. It recommended the constitution of a Data Protection Authority (DPA) of India with the mandate of protecting the interests of users who it described as “data principles”, and preventing the “misuse of personal data”. It called for financial penalties and jail terms in the case of violations.
TRAI, India’s telecom regulator recently submitted a report on “The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten and how it should be conferred upon the telecommunication consumers”. This was proposed to the Department of Telecom and Justice Srikrishna Committee. The Indian government has carried out an investigation regarding the misuse of Facebook user data by Cambridge Analytica as they suspect that the firm may have been involved in illegally obtaining data of Indians.
Nandan Nilekani, the former chairperson of UIDAI, called it an ‘extraordinary effort’. “It reflects original thinking, and addresses both opportunities and challenges that are specific to India.” He added that the committee has recognised individual data had to be protected, while simultaneously recognising the need to use data to improve lives of people.
While the draft privacy bill is celebrated by some experts as a landmark effort, other argued that it vested too much power in the government and offered too many exceptions in cases of national security, police investigations and legal proceedings for the non-adherence of data privacy laws.
Our assessment is that, as stated earlier, TRAI’s bold recommendations are the precursor to a positive development in India’s data protection framework seen in Justice Srikrishna Committee report. We believe that the committee's recommendation of processing data locally is a step forward in protecting Indian users and their data. We feel that the proposed Data Protection Authority must be constituted as an independent body so that it enables in keeping checks and balances with the government and other private entities.