NEW DELHI -- The BN Srikrishna Committee has proposed a data protection framework to consider the privacy and personal information of 1.2 billion Indian citizens in a report submitted to the government on Friday.
The much-awaited report comes at a time when the Supreme Court is considering the constitutional validity of India's controversial Aadhaar programme that seeks to consolidate the biometrics and personal information of all Indians in a central repository. The report is expected to serve as the basis for a data protection law enacted by the Indian parliament in the near future.
The committee's report can be understood as a set of broad guiding principles to consider while framing a law. Its recommendations are not binding on the government, and their implementation will largely be down to the laws, and then the rules and regulations, framed through a process of hectic negotiation and lobbying.
Ravi Shankar Prasad, India's law minister who also handles electronics and information technology, said his government would invite wide consultations before introducing a data protection law in Parliament.
The voluminous report, which includes a draft protection law, defines citizens as "data principals" and any entity that collects their data as "data fiduciaries". It is the responsibility of "data fiduciaries" to handle data fairly and responsibly, failing which the report proposes penalties in line with the data breach.
In a press conference, Justice BN Srikrishna, the report's principal author, offered an apt, if earthy, metaphor to consider how individual personal data — once considered to be worth very little — had grown into a multi-billion industry.
The retired judge said that long ago, while watching elephants at a circus with his father, he noticed that the elephant dung was carefully stored away. When he asked his father why, he learnt that the dung was actually sold for high prices.
"Friends, this is exactly what is happening, we leave our footprints everywhere, we leave our data everywhere," he said. "Somebody is making money out of it."
- Data Protection Authority: The committee calls for the creation of an independent data protection authority, to oversee and, if needed, enforce India's data protection regime. The DPA shall be appointed by a selection committee comprising the Chief Justice of India, government nominees, and an independent expert.
- Consent: The committee recognises individual consent as "the bulwark on which data processing practices in the digital economy are founded", even as it notes that the consent framework is hopelessly broken as denial of consent entails a denial of service.
Hence the committee proposes that consent contracts — such as the terms and conditions that internet users routinely sign without reading — must themselves only collect data that is relevant to the services provided, and that the data must not be shared in a manner not reasonably expected by an individual.
- Limited Storage: The committee recommends that data should be stored for the time required to fulfill the purpose for which it was collected, and should subsequently be erased.
- The Right To Be Forgotten: The report considers the possibility of giving a person the right to ask for personal data, collected by any entity, to be erased after a process of adjudication by the Data Protection Authority.
- Cross-Border Movement of Data: The movement of data across national borders is likely to have the biggest impact on technology companies working in India. The report proposes a segregated approach that categorises data on the basis of its sensitivity — while highly sensitive data shall have to stay within India, in most cases, the report allows for companies to maintain at least one serving copy of the data in India.