Charting the way forward for India’s data protection and privacy law
The recent Facebook-Cambridge Analytica imbroglio has once again brought the importance of enacting and enforcing data protection and privacy laws into sharp focus. Although India does not have a sui generis data protection law in force, the importance of such a law has been recognised and concrete steps are being taken by the Government of India in this regard.
In the landmark decision of Justice K.S. Puttaswamy (Retd.) versus Union of India & Ors. 2017 (10) SCALE 1 pertaining to the right to privacy, the Supreme Court recognised informational privacy as a facet of the right to privacy. Further, the SC also observed that “The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state.”
The Government of India also took an initiative in this regard and constituted a Committee of Experts on 31 July 2017 under the chairmanship of former Supreme Court Justice B N Srikrishna with the objective of identifying and studying the key issues relating to data protection in India, making specific suggestions on principles relating to the issue and suggesting a draft Data Protection Bill. The ‘White Paper of The Committee of Experts on A Data Protection Framework for India’ was released by the Ministry of Electronics and Information Technology on 27 November 2017. This white paper is the first step on the part of the Union Government to put in place a robust data protection regime to guard against the dangers posed to an individual’s privacy by state and non-state actors.
The white paper is divided into approximately 23 chapters. The Committee has provided provisional views and raised several questions on which it has invited comments and responses from all stakeholders across all fields. The aim of the Committee is to consolidate these responses to understand the shape and purpose which the sui generis data protection law of India must take. A copy of the White Paper is available here.
Of importance is the provisional conclusion of the Committee in chapter 1 of Part IV of the report, where it has been proposed to have a ‘co-regulation’ model/approach to data protection laws, which would be a hybrid between a ‘command and control’ and ‘self-regulation’ model.
The Committee of Experts is of the view that data protection laws must account for subjective as well as objective harms which arise from the unregulated collection and use of personal information. The Committee has taken a comparative approach, considering the data protection laws and practices in various jurisdictions like the US, EU, Japan, Singapore, Australia, and Canada. But the two main models of data protection which the Committee has considered are the EU and US models.
The Committee has based India’s data protection regime on seven principles:
1. Technology agnosticism: This refers to the flexibility to address changing technologies and standards of compliance. The white paper’s definition of ‘personal data’ is all-encompassing, covering data that relates to an individual. It suggests that ‘sensitive personal data’ may include “health information, genetic information, religious beliefs and affiliations, sexual orientation, racial and ethnic origin, caste information, financial information”. This closely reflects the current standard under the Information Technology Act, 2000. This also implies that the proposed law is not intended to cover data of companies (as opposed to individuals). The white paper suggests attributing a wide definition to the term ‘data processing’ to include all existing operations such as collection, use and disclosure of data, and at the same time leaves room to incorporate new operations by way of interpretation.
2. Holistic application: The white paper suggests that data protection laws must apply to both private sector entities as well as the government. However, in the case of data processing by the government, certain obligations or exceptions may be carved out for certain legitimate purposes.
3. Informed consent: Consent is a pivotal principle for all international data protection practices. The Committee has acknowledged this fact and stated that the consent of individuals must be one of the grounds for the collection and use of personal data. The white paper highlights methods to effectively ensure parental consent to protect young children from privacy harms, even suggesting carving out distinct provisions within the data protection law, which prohibit processing children’s personal data for potentially harmful purposes.
4. Data minimisation: The foremost objective of data protection laws is that individuals retain control over the way their personal data is collected, used and disclosed. The white paper suggests developing standards for data minimisation and provides guidance to the data controller in this regard. The basic aim is that data processing ought to be minimal and is to be used only where necessary, for the purposes for which such data is sought.
5. Controller accountability: To ensure accountability, the white paper introduces the concepts of ‘data controller’ and ‘data processor’, which create obligations for the parties involved. This applies not only to a single entity but to those with whom it may have shared data.
6. Structured enforcement: A statutory authority with sufficient capacity must enforce the data protection framework. The enforcement mechanisms are decentralised.
7. Deterrent penalties: The white paper suggests stringent penalties and a term of imprisonment that is higher in quantum than that provided in the Information Technology Act, 2000. The aim is to penalise wrongful processing of personal data to ensure deterrence.
The deadline to submit comments and responses to the white paper expired on 31 December 2017. While it is not clear as to what steps the Committee of Experts has taken since then, the current dispute with respect to the alleged data breach in the Facebook-Cambridge Analytica matter should serve as an impetus for the Committee of Experts to propose a comprehensive and robust data protection regime in India soon.
Anil Dutt is a partner at law firm Lakshmikumaran and Sridharan, which specialises in international trade, taxation, intellectual property and corporate laws